Trust in Digital Health

Privacy Day spotlight: Fostering trust in digital health care

The IPC’s 2023 Privacy Day event, Building Trust in Digital Health Care, explored pressing concerns and opportunities within the health care sector and how to earn the public’s confidence in new digital health tools and innovations. A dialogue with a panel of experts fueled spirited discussions on a range of topics, including transitioning from faxes to secure digital communication channels, ushering in administrative monetary penalties under Ontario's health privacy law, building resiliency against breaches and cyberattacks, and fostering a culture that prioritizes privacy and security across the entirety of the organization.  

Shortly after IPC’s 2023 Privacy Day event, we were pleased to read the government’s announcement that it would finally axe the fax. In a statement by the Minister of Health, the Ontario government committed to “replacing antiquated fax machines with digital communication alternatives at all Ontario health care providers within the next five years.” We were also pleased to see regulations for administrative penalties finally get introduced and adopted a few months later. 

Navigating administrative monetary penalties with IPC guidance

On January 1, 2024, a new regulation under Ontario’s Personal Health Information Protection Act (PHIPA) came into force, enabling the IPC to impose administrative monetary penalties (AMPs) directly against individuals and organizations who contravene Ontario’s health privacy law. The new regulation is intended to give Ontarians confidence that there are effective mechanisms to encourage compliance with PHIPA and deter against threats to their personal health information.

To prepare for the coming into force of the regulation, the IPC released guidance setting out a comprehensive roadmap for how the IPC intends to exercise these new powers. The guidance explains when we might consider when issuing AMPs, and the factors that would inform the amount imposed on a case-by-case basis. We aim to take an approach similar to a just culture approach (commonly used in the health sector to deal with medical errors) by emphasizing the value of reporting and learning from mistakes that occur in complex systems, and reserving more severe consequences for cases where stronger responses are necessary. 

The IPC’s fair, measured, and proportionate approach is intended to meaningfully address privacy violations while promoting and encouraging accountability and continuous improvement. 

AMPs are but one option among a number of escalating actions and interventions available to the IPC, ranging progressively from providing educational guidance and advice, recommending corrective measures, issuing orders, imposing administrative penalties, and referring matters to the Attorney General of Ontario for prosecution in the most egregious cases. 

Three-year reviews of prescribed persons and entities:  The PHIPA manual

Every three years, the IPC thoroughly reviews the practices and procedures of prescribed entities and persons who handle vast amounts of personal health information. These reviews are a cornerstone of PHIPA, ensuring that those specific organizations entrusted with greater legal flexibility to process this sensitive information for the public good without individual consent, are held to the highest standards of privacy and confidentiality. 

The IPC conducts these reviews against the standards set out in the Manual for the Review and Approval of Prescribed Persons and Prescribed Entities. The IPC spent much of 2023 reviewing the manual to take a modern, risk-based approach and updated the standards in accordance with evolving best practices, especially in respect of cybersecurity. In fall 2023, the IPC held a first-ever face to face meeting of all the prescribed entities and persons under PHIPA to discuss and finalize the changes that were eventually released in November. The meeting was the culmination of a two-year consultation process focused on soliciting their views and comments to ensure that the IPC’s updates to the manual are feasible to apply in practice and can stand the test of time. This modern and effective regulatory approach allows us to consider the perspectives of the regulated entities, establish a relationship of trust, and ultimately achieve a more cooperative form of compliance.