Dentons Data
A New Era of Privacy Enforcement: Ontario’s first Administrative Monetary Penalties under PHIPA

By Jaime Cardy
January 8, 2026
  • Health privacy
  • Ontario PHIPA

In August 2025, the Office of the Information and Privacy Commissioner of Ontario (IPC) issued its first-ever administrative monetary penalties (AMPs) under the Personal Health Information Protection Act, 2004 (PHIPA). This recent decision, PHIPA Decision 298 (the decision), signals a new era in which health information custodians (HICs) and their agents may face financial repercussions for contravening health privacy obligations, and underscores the importance of implementing robust privacy practices.

Background

AMPs – a new enforcement tool under PHIPA

PHIPA imposes obligations on HICs, and individuals who receive personal health information (PHI) from HICs, to protect PHI against unauthorized collection, use or disclosure. It also grants the IPC the power to use various enforcement tools to support compliance with those obligations. As of January 2024, one of those tools is the use of AMPs (PHIPA, section 61.1). In particular, the IPC has the discretion to issue AMPs of up to $50,000 for individuals and $500,000 for organizations that contravene PHIPA.

Given the discretionary nature of AMPs, the IPC issued a guidance document, Administrative Monetary Penalties: Guidance for the Health Care Sector (Guidance), to inform how AMPs would be implemented. The Guidance describes AMPs as part of a progressive enforcement model – the IPC will only resort to AMPs in more serious cases; they would not typically be issued in cases of unintentional or isolated mistakes, or where a HIC that has otherwise complied with its PHIPA obligations has been the victim of a cyberattack. Further, in determining the quantum of an AMP, the IPC will consider any relevant mitigating and aggravating factors, such as the offending person’s history of PHIPA violations, the number of affected individuals, and whether the offender obtained an economic benefit from their actions.

PHIPA Decision 298

PHIPA Decision 298 involved a physician with privileges at Windsor Regional Hospital (the hospital) and a private clinic that he owned in part. The physician used the hospital’s shared electronic health record (EHR) system to conduct targeted searches for newborn males in order to obtain their parents’ contact information. He then contacted parents by text message or phone call to offer circumcision services at his private clinic, for which he charged $350 per procedure (of which $35 was paid to the clinic as overhead, and the remainder was paid to the physician). When two mothers complained to the hospital, it launched a privacy breach investigation, and subsequently reported the incident to the IPC.

The IPC then commenced a review under PHIPA, in which it considered whether the hospital and the clinic took reasonable steps to protect against unauthorized collection, use, and disclosure of PHI within their custody or control; whether they had information practices in place and whether they complied with those information practices; whether they responded adequately to the breach; and, whether administrative monetary penalties should be imposed against the physician and/or the clinic.

Through the hospital’s investigation and the IPC’s review, it was determined that the physician conducted 146 searches during a three-week period in 2024, potentially accessing the PHI of 831 patients. Text and call records suggested that the parents of 91 patients, who were not in the physician’s circle of care, were contacted to offer circumcision services. The IPC concluded that these actions constituted an unauthorized collection, use and disclosure of the patients’ PHI in contravention of PHIPA, and that the physician derived an economic benefit as a result. The IPC also found that the clinic contravened its obligations under numerous provisions in PHIPA as it “sorely lacked any of the essential elements of a data privacy and security governance program,” and that its “complete lack of any documented privacy policies, practices and procedures was plainly not reasonable in the circumstances.”

The IPC considered its Guidance and, in particular, the dual purpose of AMPs: to encourage compliance with PHIPA and to prevent a person from deriving an economic benefit from PHIPA contraventions. In addition to the above-noted contraventions, the IPC considered mitigating factors such as the fact that the physician ceased his conduct upon request and had no prior history of PHIPA violations. Based on the totality of the facts and findings, the IPC ultimately imposed AMPs of $5,000 against the physician and $7,500 against the clinic.

While the IPC didn’t impose any AMPs or make any orders against the hospital, it did make recommendations aimed at improving the hospital’s record-keeping and information practices. These recommendations included revising its by-laws to more explicitly address professional staff’s privacy obligations, and to require that the hospital’s privacy policies be provided to professional staff prior to their appointment and before any reappointments.

Key takeaways

The IPC will issue AMPs, where appropriate

As of January 1, 2024, the IPC has the authority to issue AMPs for PHIPA violations. While PHIPA Decision 298 is the first instance of the IPC exercising this power, the decision demonstrates that this new enforcement tool is not merely theoretical, and will be used where warranted to encourage PHIPA compliance and to prevent individuals or organizations from deriving an economic benefit from PHIPA contraventions. This represents a material change in enforcement risk for those subject to PHIPA.

The IPC considers various aggravating and mitigating factors when determining the quantum of an AMP, including the extent of the contravention, the harm caused, efforts to mitigate harm, the number of affected individuals, whether the person derived an economic benefit, and the person or HIC’s compliance history. The IPC has indicated that AMPs will generally be reserved for more severe violations, not unintentional errors or one-off mistakes. PHIPA Decision 298 is an example of AMPs being issued following PHIPA violations resulting in economic gain; however, they may also be appropriate in cases of “snooping” or where a HIC has persistently failed to comply with its obligation to respond to patient access requests.

Accountability in practice

The clinic’s failure to establish a privacy management program before it began operating was a significant factor in the IPC’s decision to impose an AMP against it. The IPC’s comments on the clinic’s failings in this regard underscore the importance of HICs, regardless of size, implementing comprehensive privacy policies, procedures, and training to ensure compliance with their various privacy obligations, including those set out in sections 10(1) and (2), 12(1), 17, and 11.1 of PHIPA.

The decision also highlights that HICs are accountable for the actions of their agents, and demonstrates why it is important for HICs to implement clear guidelines outlining how their agents may appropriately access and use PHI in the course of their duties.

Broader implications for institutions and private sector organizations

While Canadian privacy regulators have historically been limited to making recommendations or (in some cases) issuing binding orders to ensure privacy compliance, PHIPA Decision 298 represents the first time that a Canadian privacy commissioner has relied on AMPs as an enforcement tool. While PHIPA specifically governs the protection of personal health information in Ontario, the principles underlying this decision may have broader relevance. The introduction of AMPs in PHIPA could set a precedent for other privacy legislation in Ontario, or Canada more broadly. Public institutions and private sector organizations, particularly those handling sensitive personal information, should take note of the IPC’s proactive enforcement stance and review their data governance frameworks, access controls, and privacy training programs to ensure they meet regulatory expectations and protect personal information.

About Jaime Cardy

Jaime Cardy is a senior associate in the Privacy and Cybersecurity group in Dentons’ Toronto office. She has particular expertise in providing risk management and compliance advice under various legislative privacy regimes, including in both the public and healthcare sectors.
