Health Privacy Law in Canada: Key Developments from 2025

Canada's health privacy landscape saw significant developments in 2025, with landmark court decisions, new enforcement actions, and emerging guidance on artificial intelligence in healthcare. Here's what health information custodians need to know about recent changes affecting hospitals, clinics, and healthcare providers across the country.

Cybersecurity: The Ransomware Notification Debate

The SickKids v. IPC case has set an important precedent for how healthcare organizations must respond to ransomware attacks. After SickKids hospital suffered a ransomware attack that temporarily locked patient data, the hospital argued it didn't need to notify affected individuals since threat actors never actually viewed, accessed, or downloaded the information.

The Ontario Information and Privacy Commissioner disagreed, ruling that the encryption itself constituted unauthorized use, triggering notification duties under PHIPA. The Divisional Court upheld this decision, leaving healthcare organizations with practical questions: What do you tell patients when their data was locked but not accessed? What protective steps can patients realistically take?

This decision comes alongside new cybersecurity requirements under Ontario's Enhancing Digital Security and Trust Act, which now imposes duties on hospitals and public health boards to implement cyber programs and report incidents, though specific regulations are still pending.

Administrative Monetary Penalties: IPC Shows Its Teeth

Ontario's privacy regulator imposed its first administrative monetary penalties in 2025, signaling a shift toward stronger enforcement. In PHIPA Decision 298, a doctor with hospital privileges used electronic health record systems to search for newborn males, then contacted their parents to offer circumcision services through his private clinic.

The IPC fined the doctor $5000 and his clinic $7,500. While modest compared to maximum limits of $50,000 for individuals and $500,000 for organizations, these penalties demonstrate the IPC's willingness to use enforcement powers granted in 2020.

Snooping Cases Across Canada

Multiple jurisdictions addressed unauthorized access to patient records in 2025. Saskatchewan's Investigation Report 103-2025 involved a hospital employee who intentionally viewed records of over 300 patients. The IPC found the hospital failed to adequately contain the breach by not revoking access privileges when the employee changed roles.

In the Northwest Territories, an audit revealed a nurse accessed their own electronic medical record, violating territorial health information legislation. The Commissioner found the health agency lacked reasonable access controls and had failed to provide privacy training to the nurse for years.

Access Requests and Fee Disputes

Several decisions clarified when healthcare providers can refuse access to minor children's records. Ontario cases upheld exemptions for nurse's notes provided in confidence, legal advice recorded by a physician, and communications with children's aid societies where disclosure could cause serious harm.

Fee disputes also featured prominently. In one case, a hospital justified a fee estimate of twenty- $700 for 15 hours of video surveillance footage due to high redaction costs. Conversely, a pharmacy's fee of $150 for a three-page prescription printout was reduced to thirty dollars based on reasonable cost recovery principles.

Artificial Intelligence: New Frontiers in Privacy

Alberta's IPC issued guidance on AI scribe tools, which assist healthcare providers by listening to and recording patient conversations. The guidance emphasizes that patient consent is required before using these tools, a position supported by the Canadian Medical Protective Association. However, this raises questions about whether notice alone should suffice for such standard documentation practices.

Ontario's Enhancing Digital Security and Trust Act, in force since July 2025, imposes new duties on hospitals and health entities using AI systems. Organizations must publish information about AI use, implement accountability frameworks, manage risks, and ensure human oversight.

Practical Takeaways

Healthcare organizations should review their cybersecurity incident response plans in light of the SickKids decision, ensure robust access controls to prevent snooping, develop clear policies for record disposal and retention, and assess AI tools through privacy impact assessments before implementation. The regulatory landscape continues to evolve, making ongoing compliance monitoring essential for all health information custodians.