Our goal is to promote confidence in the digital health care system by guiding custodians to respect the privacy and access rights of Ontarians, and supporting the pioneering use of personal health information for research and analytics to the extent it serves the public good.
The Office of the Information and Privacy Commissioner of Ontario (IPC) is committed to protecting personal health information using a flexible and balanced approach that addresses privacy violations while encouraging accountability, learning, and continuous improvement.
As of January 1, 2024, the IPC has the discretion to issue administrative monetary penalties (AMPs) as part of its enforcement powers for violations of the Personal HealthInformation Protection Act (PHIPA).
Penalties are up to a maximum of $50,000 for individuals and $500,000 for organizations. AMPs may be issued for the purposes of encouraging compliance with PHIPA or preventing a person from deriving — directly or indirectly — any economic benefit from contravening the law.
Learn more about the criteria for AMPs and how the IPC will determine penalty amounts in our guidance.
If you have additional questions about AMPs, email us at @email.
As of January 1, 2024, the IPC has the discretion to issue administrative monetary penalties as part of its enforcement powers for violations of the Personal Health Information Protection Act (PHIPA). Download the guidance document to learn more.
In this letter to Brian Riddell, Chair of the Standing Committee on Social Policy, the IPC makes recommendations in relation to proposed amendments to the Connecting Care Act, 2019.
Letter to Ministry of Health on support for and approach to proposed administrative penalties under PHIPA, highlighting their importance in enforcing healthcare privacy and access rights.
Document Updated: A change to PHIPA Practice Direction #3 took effect on October 10, 2023. Learn more
As of October 10, 2023, the IPC may publish PHIPA decisions at any stage of dispute resolution, including early resolution, investigation, and adjudication. This includes publishing the name of the respondent and affected person(s), unless doing so would identify the complainant or any person whose personal health information is at issue.
This letter to Goldie Ghamari, Chair of the Standing Committee on Social Policy, was intended to present the IPC’s views on how amendments to Bill 60 can better enhance transparency and privacy protections of Ontarians’ information with respect to the Integrated Community Health Services Centres Act, 2023 proposed in Schedule 1, and on “As of Right” health care practitioners who may be permitted to practice in Ontario without first having to register with a provincial regulatory health colleges, addressed in Schedule 2.
Join Ontario’s Information and Privacy Commissioner, Patricia Kosseim, in person, or via webcast, for a panel discussion on Friday, January 27 to mark Data Privacy Day. The theme of this year’s event is Building Trust in Digital Health Care, and is based on one of four strategic priority areas that are guiding the work of the IPC.
Digital tools open up great new opportunities for more efficient and effective health care. They also introduce new privacy and security risks to sensitive personal health information. How can health care organizations become more resilient against privacy breaches and cyberattacks? How can they successfully build and sustain a privacy-respectful culture? And what will it take for the health care sector to finally rid itself of faxes and unprotected emails — the top causes of health privacy breaches in Ontario?
Key issues to be discussed include:
replacing faxes with more secure forms of digital communication
ushering in administrative monetary penalties under Ontario’s health privacy law
building privacy and security resiliency against breaches and cyberattacks
fostering a privacy-respectful culture across an organization
Panelists:
Sylvie Gaskin, Chief Privacy Officer, Ontario Health
Michael Hillmer, ADM, Digital and Analytics Strategy Division, Ministry of Health
Wendy Lawrence, Chief Risk, Legal and Privacy Officer, St. Joseph's Healthcare Hamilton
Nyranne Martin, CPO and General Counsel, Ottawa Hospital
9:30 a.m. – Welcome and keynote by Commissioner, Patricia Kosseim
9:50 a.m. – Panel discussion moderated by Assistant Commissioner, Eric Ward
10:35 a.m. – Break
10:50 a.m. – Panel discussion continues
11:35 a.m. – Audience Q&A
11:55 a.m. – Closing remarks by Assistant Commissioner, Warren Mar
12:00 p.m. – Event ends
Registration
This is a free event, but registration is required, and space is limited.
Webcast: To watch the webcast, please register here. Please submit your questions in advance of the event at @email. Simultaneous French translation will be provided for the webcast.
In-Person: To attend the event in-person at the Central YMCA in downtown Toronto, RSVP by emailing [email protected].
As Schedule 4 of Bill 106, the Pandemic and Emergency Preparedness Act, 2022 (Schedule 4) would amend the Personal Health Information Protection Act, 2004 (PHIPA) by introducing new regulation-making powers, the IPC submitted recommendations to Ernie Hardeman Chair of the Committee Standing Committee on Finance and Economic Affairs to address each of these proposed regulatory powers.
This letter to Dr. Catherine Zahn, Deputy Minister of Health and Ms. Hillary Hartley, Chief Digital and Data Officer offered the IPC’s recommendations to help ensure ongoing protection of the privacy rights of Ontarians as the proof of vaccination certificate initiative continued in the province.
Our frequently asked questions on health cards and health numbers clarify who may collect, use or disclose health numbers for health care purposes, as well as the use of health cards as a proof of identity. Originally published November 2004.