Minimizing Risk of a Privacy Breach 


Information and Privacy Commissioner can now order financial penalties for violations

As of January 1, 2024, the Ontario Information and Privacy Commissioner (IPC) has the discretion to issue administrative monetary penalties (AMPs) as part of their enforcement powers for violations of the Personal Health Information Protection Act (PHIPA).

Penalties are up to a maximum of $50,000 for individuals and $500,000 for organizations.

CPSO’s Protecting Personal Health Information policy sets out expectations for physicians in protecting their patients’ health information and describes the necessary steps in ensuring that personal health information (PHI) in their custody or control is protected against theft, loss and unauthorized use and disclosure.

Which orders warrant AMPs will be considered on a case-by-case basis. The Commissioner, Patricia Kosseim, stated her office would not typically consider the use of AMPs in cases involving unintentional errors or one-off mistakes, such as misdirected faxes or emails, provided there is evidence of prompt and reasonable corrective action being taken upon discovery of the error to contain its impact. Physicians would also be expected to take steps to prevent the violation from recurring or becoming a more systemic issue.

Similarly, the IPC says AMPs may not be an appropriate enforcement tool against a practice or organization that, despite having reasonable safeguards consistent with leading best practice, has been the victim of a cyberattack that could not have been reasonably foreseen or avoided. The practice or organization would need to demonstrate it has fully cooperated in containing the harm, notified affected individuals where required, and taken the additional security measures needed to mitigate the risks of a similar attack happening again.


AMPs are but one option among the range of escalating actions and interventions available to the IPC, short of referring offences to the Attorney General of Ontario for prosecution. The IPC has provided tips on how to minimize the risk of a privacy breach in a medical practice. These include:

  • Educating staff about the privacy rules in PHIPA governing the collection, use, disclosure, retention, transfer and disposal of PHI.
  • Making sure policies and procedures are in place that comply with the privacy protection provisions of PHIPA and that staff are properly trained.
  • Safeguarding PHI when it is physically removed from the office or facility, and ensuring that all laptops and personal devices are password protected and that their data is encrypted.
  • Ensuring that no more PHI is collected, used or disclosed than is reasonably necessary, which proactively lessens the impact of any privacy breach.
  • Ensuring PHI is not collected, used or disclosed if there is other information that will serve the intended purpose.
  • Ensuring that logging and auditing are in place on electronic systems containing health records, and making staff aware that the systems will be regularly audited.
  • Conducting a privacy impact assessment (PIA), where appropriate. The PIA helps determine whether new technologies, information systems and proposed programs or policies meet basic privacy requirements.