Ontario healthcare providers now face possible fines for ‘severe’ data privacy violations

Healthcare providers covered by Ontario’s privacy law have an extra incentive to follow provincial data protection regulations: They now face administrative fines for serious violations of the provincial law.

As of Jan. 1, the Information and Privacy Commissioner of Ontario can issue penalties of up to a maximum of $50,000 for individuals and $500,000 for organizations that violate the Personal Health Information Protection Act (PHIPA).

Fines — officially called administrative monetary penalties (AMPs) — can be issued to encourage compliance with PHIPA, a statement from the commissioner’s office says. Or, it adds, penalties can be applied to prevent a person from deriving — directly or indirectly — any economic benefit from contravening the law.

“The IPC will not use AMPs as the default response to breaches,” the statement says. “They will generally only be used as an enforcement option for more severe violations of PHIPA, not in cases involving unintentional errors or one-off mistakes.”

“The IPC will take a measured approach in response to PHIPA violations, providing
education, guidance, informal resolution, and recommendations when less severe
violations occur.”

Organizations have known this was coming since 2020, when the Ontario legislature amended PHIPA to give the IPC additional enforcement powers. The new powers didn’t come into effect until Jan. 1, 2024.

Quebec is the only other province that has authorized the levying of administrative monetary penalties as part of its privacy law that covers the private sector. The federal government is currently considering Bill C-27, which would also authorize administrative penalties.

The IPC has issued guidance to organizations on how administrative penalties for healthcare providers will be applied. The commissioner also can issue binding orders requiring individuals or organizations to take specific actions to address data protection shortcomings.

In the vast majority of healthcare data breaches investigated, individuals show a genuine willingness to report, take responsibility for, and remedy errors when they occur, the guidance notes. Incidents often involve inadvertent errors, one-off contraventions with relatively minor impact, or some at-risk behaviours in need of coaching and course correction, the paper says. “In most cases, the individual or organization is highly responsive and co-operative in rectifying the situation. Education, guidance, early resolution, and recommendations for corrective measures are often the only tools the IPC needs to use in such cases.”

Under PHIPA, a health information custodian is prohibited from collecting, using, or disclosing personal health information without a patient’s consent, although under some circumstances, data can be collected indirectly.

The new powers come just as the IPC starts an investigation into the recent ransomware attack that hit five hospitals linked to a common shared IT provider. The commissioner’s office says it plans to make its findings public.

Around the world, hospitals are targets for cybercrooks looking for credit/debit card data to steal, and personal information as leverage for extortion or blackmail from hospital administrators.

For-profit hospitals are better able to fund cybersecurity than those — such as Canadian institutions — that rely on government support. Earlier this year, the Canadian Internet Registry Authority (CIRA), which oversees the .ca domain, said  “lack of focus” of management and lack of money are the biggest factors blocking the improvement of the cybersecurity of Canadian hospitals.

It’s not only hospitals that are targets. Data on 3.4 million Ontario mothers, newborns, and children collected over the past 10 years was stolen earlier this year from the MOVEit file transfer server of the provincially-funded Better Outcomes Registry & Network Ontario, also known as BORN. It was one of more than 2,000 organizations around the world victimized through a zero-day vulnerability in MOVEit Transfer.

Last year, the IPC issued 35 decisions involving complaints of alleged PHIPA violations involving physicians and hospitals. Many involved demands for access or corrections to records.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News

Featured Tech Jobs


CDN in your inbox

CDN delivers a critical analysis of the competitive landscape detailing both the challenges and opportunities facing solution providers. CDN's email newsletter details the most important news and commentary from the channel.