Fines of up to $500,000 in Ontario for privacy violations
January 10, 2024

According to a news release from the Information and Privacy Commissioner, administrative monetary penalties (AMPs) may be issued for the purposes of encouraging compliance with PHIPA or preventing a person from deriving – directly or indirectly – any economic benefit from contravening the law.
AMPs are just one of the options in the IPC’s regulatory toolkit for ensuring compliance with PHIPA. Breaches of PHIPA can be addressed in proportion to their severity, enhancing public trust in the healthcare system.
The IPC said it will not use AMPs as the default response to breaches. They will generally only be used as an enforcement option for more severe violations of PHIPA, not in cases involving unintentional errors or one-off mistakes.
“Our office recognizes that the majority of Ontarians working in the healthcare system are deeply committed to the protection of personal health information. When mistakes occur, there is almost always a genuine willingness to take responsibility and remedy errors.”
The IPC will take a measured approach in response to PHIPA violations, providing education, guidance, informal resolution, and recommendations when less severe violations occur.
In cases where AMPs are determined to be an appropriate measure, the IPC will use the criteria set out in regulation under PHIPA to determine the amount. To learn more about the criteria for AMPs and how the IPC will determine penalty amounts, please see the organization’s guidance.