Administrative Monetary Penalties Now in Effect as Part of the Personal Health Information Protection Act
February 2024
As of January 1, 2024, the Office of the Information and Privacy Commissioner of Ontario (IPC) can issue administrative monetary penalties (AMPs) for violations of the Personal Health Information Protection Act, 2004 (PHIPA).
Penalties are up to a maximum of $50,000 for individuals, and $500,000 for organizations. The new measures will only be used in cases of severe violations of PHIPA, not in cases of unintentional oversights (e.g., errors or one-off mistakes).
Examples of contraventions when the IPC may impose an AMP might include:
- Serious ‘snooping’ into patient records: Healthcare workers may face penalties for accessing patients’ records without authorization.
- Contraventions for economic gain: AMPs may be issued to those found guilty of accessing patient records without authority, for the purpose of selling products or services related to the information.
- Disregard for individual’s right of access: Individuals have the right to access their personal health information record from their health information custodian. An AMP may be issued when that custodian fails to comply with access requests, or has unlawfully destroyed health records.
IPC will also address privacy breaches in proportion to their severity, with the goal of enhancing trust in the healthcare system.
PHIPA considers certain criteria in determining the amount of the AMP including the extent of the harm, if it was preventable, a health custodian’s compliance history, and more.
For more information about the criteria for AMPs and how the IPC will determine penalty amounts, please consult the IPC’s Guidance for the Health Care Sector.