On January 1, 2024, the amendments to section 61.1 of the Personal Health Information Protection Act (PHIPA) and its accompanying regulation (the Regulation) took effect, providing the Information and Privacy Commissioner of Ontario (IPC) with additional enforcement power to impose administrative monetary penalties (AMPs) on those that contravene the legislation.
In its guidance document on the matter (the Guidance), the IPC describes AMPs as one of its last options for regulatory intervention before referring an offence to the Attorney General of Ontario. The IPC states that it will consider a number of factors when deciding whether to issue an AMP, including the risks, impacts, and behaviours that are associated with the contravention. The Guidance sets out a non-exhaustive list of examples that may result in the IPC issuing an AMP, which include serious snooping into patient records, contraventions for economic gain, and disregard for an individual’s rights of access.
In accordance with the Regulation, the amount of an AMP may be a maximum of $50,000 for an individual or $500,000 for an organization. However, the IPC has the flexibility to go beyond these limits to prevent the person from economically benefitting from their contravention. In determining the appropriate amount of the AMP, the IPC must consider the following (in addition to any other relevant criteria):
Summary By: Claire Bettio
Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.
E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.