Mary Jane Dykeman, Managing Partner, INQ Law
Basia Walczak, Counsel, INQ Law
The Personal Health Information Protection Act, 2004 (“PHIPA”)¹ plays a crucial role in safeguarding the privacy and security of individuals' personal health information (“PHI”) in Ontario. PHIPA has been amended to create a new framework under which the regulator, the Information and Privacy Commissioner of Ontario (“IPC”), may impose administrative monetary penalties (“AMPs”) for contraventions of PHIPA. These changes came into force on January 1, 2024.
Ontario Regulation 343/23 adds a new section 35 to the primary regulation under PHIPA (O. Reg. 329/04), which sets out the following:
1. Criteria for Determining Administrative Penalty Amount
The new section outlines the criteria the IPC considers when determining the amount of an administrative penalty for contraventions of PHIPA:²
The extent to which the contraventions deviate from the requirements of PHIPA or its regulations
The extent to which the person could have taken steps to prevent the contraventions
The extent of the harm or potential harm to others resulting from the contraventions
The extent to which the person tried to mitigate any harm or potential harm or took any other remedial action
The number of individuals, health information custodians (“HICs”) and other persons affected by the contraventions
Whether the person notified the IPC and any individuals whose PHI was affected by the contraventions
The extent to which the person derived or reasonably might have expected to derive, directly or indirectly, any economic benefit from the contraventions
Whether the person has previously contravened the Act or its regulations
2. Maximum Penalty Limits
The amended regulation also specifies the maximum penalty that can be imposed, namely, up to $50,000 for individuals and up to $500,000 for organizations. Hopefully, this will serve as a deterrent to non-compliance, but it is important to keep in mind that higher monetary fines have been available under PHIPA via Attorney General prosecutions for many years (up to $200,000 for individuals and up to $1,000,000 for an institution or organization).³ What changes with the new AMP framework is that, for serious contraventions of PHIPA, the IPC may (but no longer needs to) take the formal administrative steps of requesting Attorney General involvement. Essentially, this makes it easier for monetary penalties to be levied, although the IPC has been clear that AMPs are just one tool in its enforcement toolkit.⁴
What HICs should do now
As the regulatory landscape evolves, maintaining a commitment to PHIPA compliance becomes increasingly crucial for HICs (and the companies that serve them, including their third party vendors). With the introduction of the AMPs framework, the stakes have increased for the protection of individual privacy, as well as the duty to maintain confidentiality and security of PHI.
INQ suggests a few key steps in response to this development, given the IPC’s emphasis on training and awareness for a HIC’s agents under PHIPA. As a reminder, an agent is anyone who collects, uses, or discloses PHI on behalf of a HIC, including employees, staff, and some vendors:
Highlight now (for example, through a routine privacy communique or update to staff) that the ability to pursue financial penalties under PHIPA has been broadened, and that it is now easier for the IPC, as regulator, to initiate that process. The IPC may still request that the Attorney General initiate a prosecution against a person who has contravened PHIPA, but it now also has its own enforcement powers under the AMPs framework.
Incorporate the concept of AMPs into privacy training, privacy practices, and policies; a HIC’s materials likely already refer to the role of the IPC as regulator and the possibility of fines, so this is where the AMP update could be made. In addition to monetary fines of up to $200,000 (individuals) and $1,000,000 (institutions and organizations) through Attorney General prosecutions, penalties of up to $50,000 (individuals) and up to $500,000 (institutions and organizations) can now be pursued through these broader enforcement powers of the IPC.
Review the eight criteria for AMPs set out above, both through a pre-emptive lens and in the context of privacy breaches as they arise, as part of mitigation. Several of the criteria (steps the person could have taken to prevent the contravention, mitigation and remedial action, and notification of the IPC and affected individuals) reward a documented, timely breach response, so breach-response procedures and records should be reviewed with these criteria in mind.
Let your vendors know of this development. If you are a vendor serving HICs (whether as an agent or as a service provider), be familiar with AMPs and the criteria set out above, and consider proactively how your products and services can be provided to HICs so as to avoid being subject to an AMP.
INQ is available to assist with practical strategies to embed this new development, and to use the introduction of AMPs in PHIPA as an opportunity to improve your organization’s privacy and security practices.
³ See IPC overview of its powers versus the Attorney General’s: https://www.ipc.on.ca/health-organizations/responding-to-a-privacy-breach/potential-consequences-of-a-breach-under-phipa/
⁴ See IPC notice here: https://www.ipc.on.ca/wp-content/uploads/2023/12/2024-01-02-amp-phipa-notice-en.pdf.