The Commissioner's new enforcement powers took effect January 1
As of January 1, the Information and Privacy Commissioner of Ontario (IPC) has the discretion to issue administrative monetary penalties (AMP) as part of its enforcement powers for violations of the Personal Health Information Protection Act (PHIPA).
The IPC said it is committed to protecting personal health information using a flexible and balanced approach that addresses privacy violations while encouraging accountability, learning, and continuous improvement.
The IPC, entrusted with safeguarding personal health information, now holds the discretion to issue AMPs as part of its enforcement powers. These penalties range to a maximum of $50,000 for individuals and $500,000 for organizations. The penalties are designed to encourage compliance with PHIPA and prevent a person from directly or indirectly deriving any economic benefit from violating the law.
AMPs are one of the options in the IPC’s regulatory toolkit for ensuring compliance with PHIPA. Breaches of PHIPA could be addressed in proportion to their severity, enhancing public trust in the health care system.
The move aims to balance addressing privacy violations and promoting accountability, learning, and continuous improvement. While AMPs are a powerful enforcement option, the IPC assured that they will not be the default response to breaches. Instead, they will be reserved for more severe violations, with a commitment to avoiding their application in cases of unintentional errors or one-off mistakes.
The IPC recognized that most Ontarians working in the health care system are deeply committed to protecting personal health information. When mistakes occur, there is almost always a genuine willingness to take responsibility and remedy errors. In cases of less severe violations, the IPC will employ a measured approach, providing education, guidance, informal resolution, and recommendations to ensure a proportional response.
In cases where AMPs are determined to be an appropriate measure, the IPC will use the criteria set out in regulation under PHIPA to determine the amount. Details about the criteria for AMPs and how the IPC will decide penalty amounts are posted on the IPC website.
