On January 1, 2024, the amendments to section 61.1 of the Personal Health Information Protection Act (PHIPA) and its accompanying regulation (the Regulation) took effect, providing the Information and Privacy Commissioner of Ontario (IPC) with additional enforcement power to impose administrative monetary penalties (AMPs) on those that contravene the legislation.

In its guidance document on the matter (the Guidance), the IPC describes AMPs as one of its last options for regulatory intervention before referring an offence to the Attorney General of Ontario. The IPC states that it will consider a number of factors when deciding whether to issue an AMP, including the risks, impacts, and behaviours that are associated with the contravention. The Guidance sets out a non-exhaustive list of examples that may result in the IPC issuing an AMP, which include serious snooping into patient records, contraventions for economic gain, and disregard for an individual’s rights of access.

In accordance with the Regulation, the amount of an AMP may be a maximum of $50,000 for an individual or $500,000 for an organization. However, the IPC has the flexibility to go beyond these limits to prevent the person from economically benefitting from their contravention. In determining the appropriate amount of the AMP, the IPC must consider the following (in addition to any other relevant criteria):

  1. The extent in which the contravention deviates from the requirements of PHIPA and the Regulation.
  2. The extent to which the person could have prevented the contravention.
  3. The extent of the harm or potential harm resulting from the contravention.
  4. The extent to which the person tried to mitigate any of the harm or implemented other remedial actions.
  5. The number of individuals, health information custodians and other persons affected by the contravention.
  6. Whether the person notified the IPC and individuals whose personal health information was affected by the contravention.
  7. The extent to which the person derived or reasonably might have expected to derive any economic benefit from the contravention.
  8. The person’s history with contravening PHIPA or its regulations.

Summary By: Claire Bettio

E-TIPS® ISSUE

24 02 07

Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.

DWW
By Claire Bettio
February 7, 2024
Privacy