On August 27, 2025, the Office of the Information and Privacy Commissioner of Ontario (IPC) released PHIPA Decision 298 (the Decision), in which the IPC issued an administrative monetary penalty (AMP) against a doctor and private clinic under the Personal Health Information Protection Act (PHIPA). This is the first AMP issued by a privacy commissioner in Canada.

The Decision relates to a breach report filed in May 2024 by Windsor Regional Hospital (WRH), Chatham-Kent Health Alliance and Erie Shores Healthcare (collectively, the Hospitals). The report stated that a physician at WRH accessed the Hospitals’ shared electronic health record system to identify parents of newborn males and contact them to offer circumcision services through his private pediatric clinic, WE Kidz Pediatrics (WE Kidz).

The Decision focused on four key issues:

  1. whether WRH and WE Kidz took reasonable steps to protect against the unauthorized collection, use and disclosure of the personal health information (PHI) under their custody or control;
  2. whether WRH and WE Kidz had information practices in place and whether they complied with those information practices;
  3. whether WRH and WE Kidz responded adequately to the privacy breach; and
  4. whether AMPs should be imposed against the physician and WE Kidz.

For the first three issues, the IPC concluded that WRH had reasonable privacy measures in place to protect PHI and responded adequately to the breach. Still, the IPC made several recommendations to WRH to improve its privacy practices, including that it update its by-laws to more clearly outline staff privacy and confidentiality obligations. In contrast, the IPC found that WE Kidz failed to take reasonable steps to safeguard PHI; did not have any documented privacy policies or privacy management program; and had no protocol in place to respond to the privacy breach. 

Regarding the final issue, the Commissioner ordered an AMP of (i) $5,000 against the physician for accessing and using patients’ hospital records without authorization and for an economic benefit; and (ii) $7,500 against WE Kidz for failing to meet its basic obligations under PHIPA. No penalties were imposed on the Hospitals.

For more information on AMPs, see the IPC’s “Administrative Monetary Penalties: Guidance for the Health Care Sector”, which was previously reported by the E-TIPS® Newsletter here.

Summary By: Victoria Di Felice

 

E-TIPS® ISSUE

25 09 17
