
AMPs Arrive: What Two Recent IPC Decisions Mean for Privacy Enforcement Under PHIPA

6 18 2026

The Information and Privacy Commissioner of Ontario is beginning to make active use of its authority to impose administrative monetary penalties (AMPs) under Ontario’s Personal Health Information Protection Act. With a second decision now released, we can start drawing practical guidance from how the IPC is approaching this new enforcement mechanism.

(1) Windsor Regional Hospital (Re): PHIPA Decision 298

A physician used his access to the hospital’s electronic health record system to identify newborn male patients and contact their parents to offer circumcision services at his private clinic. When a parent questioned how the private clinic had obtained their contact information, the parent was advised that the physician had access to the hospital’s records and could look up the relevant contact information. The purpose of the physician’s conduct was to generate business for his clinic, even though the money generated was minimal.

In imposing an AMP, the IPC focused on the nature of the conduct (i.e. accessing personal health information to support a private commercial activity) rather than on the amount earned from it. The IPC held that using personal health information in this manner was sufficient on its own to warrant the imposition of an AMP.

With respect to the clinic, it operated without any meaningful privacy structure in place. There were no policies, no clear limits on how personal health information could be used, and no evidence of a privacy management program. The clinic’s lack of oversight allowed the physician’s conduct to take place without any internal checks.

The IPC imposed a $5,000 penalty on the physician and $7,500 on the clinic. The decision makes clear that AMPs can extend beyond the individual actor where an organization’s failures contribute to the breach. Overall, the IPC found that it was “a reasonable amount to encourage Dr. Afandi and others to respect their obligations under PHIPA and to discourage him and others from attempting to unlawfully gain access to patients’ PHI for direct or indirect economic gain in the future.”

Notably, when assessing economic benefit under the statute, the IPC did not limit the analysis to what the physician actually earned. Instead, the decision considered what he might reasonably have gained had the conduct continued.

(2) Children’s Hospital of Eastern Ontario (CHEO) (Re): PHIPA Decision 334

A patient services clerk at the hospital accessed the records of 436 patients without authorization. The affected records included those of family members, as well as individuals with no connection to the clerk’s work. Some accesses were limited to demographic information, while others involved more detailed clinical content. The clerk’s conduct lasted several months.

There was no evidence that the clerk used the information for financial gain, nor that the information was shared further. The hospital itself had a functioning privacy framework, including training, policies, access controls, and ongoing auditing. These measures allowed the hospital to detect and investigate the issue.

The IPC imposed a $2,000 AMP on the employee only. In doing so, the IPC treated the number of unauthorized accesses and the pattern of access over several months as central to its decision. The clerk had also received training and had agreed to confidentiality obligations, which made the conduct harder to excuse.

The IPC also reinforced expectations around “snooping.” Even in the absence of financial gain or measurable harm, unauthorized access to personal health information remains a serious breach of PHIPA.

Notably, the hospital was not subject to a penalty. The IPC accepted that it had taken reasonable steps to protect personal health information and had responded appropriately once the issue came to light. The result draws a clear line between individual wrongdoing and organizational responsibility.

What These Decisions Tell Us

Taken together, these decisions show how the IPC will likely use AMPs going forward. Some key takeaways are as follows:

· AMPs are tied to the goal of encouraging compliance: the IPC is treating AMPs as a strong way to reinforce obligations under PHIPA and to discourage similar conduct by others.

· Economic gain or motive is not necessary: the physician’s conduct involved a clear commercial purpose, while the clerk’s actions did not, yet both still led to AMPs. The focus remains on the seriousness of the conduct and the extent of the departure from the statute.

· The quality of an organization’s privacy practices matters: where a custodian can show that it has appropriate safeguards, training, and monitoring in place, and that it responded properly to a breach, it is less likely to face a penalty. Where those elements are missing, the organization itself may be exposed.

· Actual compliance must be demonstrated: written policies and procedures alone are not enough. Organizations need to be able to show that training is completed, agreements are signed, and controls are working in practice.

Looking Ahead

These early cases suggest that AMPs will likely become a regular part of the IPC’s enforcement approach. For organizations, privacy programs need to be in place before issues arise, and there must be clear evidence that they are being followed. For individuals, accessing personal health information without a valid reason, whether out of curiosity or convenience, can now lead to direct financial penalties.

If you have any questions about AMPs or other recent developments relating to privacy law in Canada that may affect your organization, DWF’s Cyber, Privacy and Data Protection Group is available to assist.
