Human Resources Legislative Update

IPC Power to Determine Administrative Monetary Penalties Takes Effect

Date: January 15, 2024

On January 1, 2024, changes to the General Regulation made under the Personal Health Information Protection Act (PHIPA) took effect (see O. Reg. 343/23). The changes stipulate how the Information and Privacy Commissioner of Ontario (IPC) determines the amount of administrative monetary penalties (AMPs) issued as part of its enforcement powers for violations of PHIPA.

AMPs may be issued for the purposes of encouraging compliance with PHIPA or preventing a person from deriving—directly or indirectly—any economic benefit from contravening the law.

Administrative penalties are capped at a maximum of $50,000 for individuals and $500,000 for organizations. However, the IPC may choose to increase the amount of an administrative penalty a person is required to pay by an amount equal to the economic benefit acquired by, or that accrued to, the person as a result of the contraventions.

Further to the regulatory changes in effect January 1, 2024, the IPC is required to consider the following factors when determining the amount of an AMP:

  1. The extent to which the contraventions deviate from the requirements of PHIPA or its regulations.
  2. The extent to which the person could have taken steps to prevent the contraventions.
  3. The extent of the harm or potential harm to others resulting from the contraventions.
  4. The extent to which the person tried to mitigate any harm or potential harm or took any other remedial action.
  5. The number of individuals, health information custodians and other persons affected by the contraventions.
  6. Whether the person notified the Commissioner and any individuals whose personal health information was affected by the contraventions.
  7. The extent to which the person derived or reasonably might have expected to derive, directly or indirectly, any economic benefit from the contraventions.
  8. Whether the person has previously contravened PHIPA or its regulations.

Organizations in the healthcare sector, as well as other organizations that are subject to PHIPA (i.e., health information custodians), should be aware that the IPC may impose fines following a contravention of PHIPA.

In particular, inappropriate access to health information and/or breaches of health information could result in a fine under PHIPA. Should an organization subject to PHIPA become aware of a potential breach of PHIPA, steps should be taken to mitigate liability as soon as possible.

Hicks Morley is available to assist with privacy breach issues and regulatory requirements under PHIPA. Should you have any questions, please contact your regular Hicks Morley lawyer.

The article in this client update provides general information and should not be relied on as legal advice or opinion. This publication is copyrighted by Hicks Morley Hamilton Stewart Storie LLP and may not be photocopied or reproduced in any form, in whole or in part, without the express permission of Hicks Morley Hamilton Stewart Storie LLP.