Potential consequences of a breach under PHIPA
Administrative monetary penalties under PHIPA
As of January 1, 2024, the IPC has the discretion to issue administrative monetary penalties (AMPs) as part of its enforcement powers for violations of the Personal Health Information Protection Act (PHIPA).
Penalties are up to a maximum of $50,000 for individuals and $500,000 for organizations. AMPs may be issued for the purposes of encouraging compliance with PHIPA or preventing a person from deriving — directly or indirectly — any economic benefit from contravening the law.
AMPs are just one of the options in the IPC’s regulatory toolkit for ensuring compliance with PHIPA in a manner that is flexible, balanced, and meaningful. Breaches of PHIPA can be addressed in proportion to their severity, enhancing public trust in the health care system.
The IPC will not use AMPs as the default response to violations of PHIPA. They will generally only be used as an enforcement option for more severe violations of PHIPA, not in cases involving unintentional errors or one-off mistakes.
Our office recognizes that the majority of Ontarians working in the health care system are deeply committed to the protection of personal health information. When mistakes occur, there is almost always a genuine willingness to take responsibility and remedy errors.
The IPC will continue to take a measured approach in response to PHIPA violations, providing education, guidance, informal resolution, and recommendations when less severe violations occur.
In cases where AMPs are determined to be an appropriate measure, the IPC will use the criteria set out in regulation under PHIPA to determine the amount.
Learn more about the criteria for AMPs and how the IPC will determine penalty amounts in our guidance.
What are the consequences for committing an offence under PHIPA?
An individual found guilty of committing an offence under PHIPA can be liable for a fine of up to $200,000 or up to one year in prison, or both. An organization or institution can be liable for a fine of up to $1,000,000.
If a corporation commits an offence under PHIPA, every officer, member, employee or agent of that corporation found to have authorized the offence, or who had the authority to prevent the offence from being committed but knowingly refrained from doing so, can also be held personally liable.
Can an individual seek compensation for damages?
An individual affected by an order of the IPC, or an individual affected by conduct leading to a conviction for an offence under PHIPA, may seek damages for actual harm suffered. If a court determines that the harm suffered was caused by wilful or reckless misconduct, PHIPA permits the court to award up to $10,000 in damages for mental anguish.
Must consent be obtained from the Attorney General or their agent before commencing a prosecution under PHIPA?
Yes. A prosecution cannot be commenced without the consent of the Attorney General of Ontario or their agent.
What is the time limitation for prosecutions under PHIPA?
There is no time limitation period for commencing a prosecution for an offence under PHIPA.