On January 1, 2024, the Information and Privacy Commissioner of Ontario (IPC) announced its additional enforcement powers following the entry into force of the amendments to Section 61.1 of the Personal Health Information Protection Act (PHIPA) and the accompanying Regulation O. Reg. 329/04, on the same date.

In particular, the IPC noted that as part of its enforcement powers, it could discretionally issue administrative monetary penalties (AMP) for violations of the PHIPA, with penalties up to a maximum of $50,000 for individuals and $500,000 for organizations.

In addition, the IPC emphasized that the AMPs may be issued for the purposes of encouraging compliance with PHIPA or preventing a person from deriving any economic benefit from contravening the law.

What guidance was provided by the IPC?

Furthermore, the IPC has issued guidance on the criteria for AMPs and how it will determine penalty amounts. Specifically, the IPC provided examples of cases where the issuance of an AMP may be appropriate, including, but not limited to:

• serious snooping into patient records without authorization by an individual working in the health care system;
• contraventions of the PHIPA for direct or indirect economic gain; and
• disregard for individuals' right of access.

However, the IPC mentioned that it would typically not consider using AMPS in cases involving unintentional errors or one-off mistakes or where an organization, having reasonable safeguards, was a victim of a cyberattack.

What factors will determine the amount of an AMP to impose?

Moreover, the IPC highlighted that it would assess the following factors while determining the AMP amount to issue, as required by the regulation:

• the extent to which the contraventions deviate from the requirements of PHIPA or its regulation(s);
• the extent to which the person or organization could have taken steps to prevent the contraventions;
• the extent of the harm or potential harm to others resulting from the contraventions;
• the extent to which the person or organization tried to mitigate any harm or potential harm or took any other remedial action;
• the number of individuals, health information custodians, and other persons affected by the contraventions;
• whether the person or organization notified the IPC and any individuals whose personal health information was affected by the contraventions;
• the extent to which the person or organization derived or reasonably might have expected to derive, directly or indirectly, any economic benefit from the contraventions; and
• whether the person or organization has previously contravened PHIPA or its regulation(s).

You can read the press release here, the regulation here, and the guidance here.