22 October 2025

First Monetary Penalties Issued Under Ontario's Health Privacy Law: Practical Lessons For The Health Sector

Fasken

The Information and Privacy Commissioner of Ontario recently issued its first administrative monetary penalty against a doctor and a private health clinic for contravening Ontario's Personal Health Information Protection Act (PHIPA).

PHIPA Decision 298 serves as a crucial reminder for healthcare providers, and their service providers, about their privacy responsibilities under PHIPA, and demonstrates the consequences that may arise for failing to meet those obligations. As a precedent, it also draws several bright lines that, if crossed, would likely lead to financial penalties for healthcare providers, their agents and service providers, and potentially their respective personnel.

Background

In March 2020, the Ontario government made various amendments to PHIPA, one of which was to provide the Privacy Commissioner with the authority to impose administrative monetary penalties. The Privacy Commissioner can impose these penalties on any person who contravenes PHIPA or its regulations. Regulations under PHIPA set maximum amounts for administrative monetary penalties and outline the criteria that the Privacy Commissioner must consider when determining the amount of the penalty. PHIPA Decision 298 is the first time that the Privacy Commissioner has exercised this new enforcement power.

The decision arose out of an investigation into a privacy breach reported by three hospitals. A physician with privileges at one of the hospitals accessed the hospitals' shared electronic health record (EHR) system to search for newborn males. He then contacted the parents to offer circumcision services at his private clinic. In response to patient complaints, and following an internal investigation, the hospital withdrew the physician's privileges and notified affected individuals and the Privacy Commissioner of the unauthorized use of personal health information.

Privacy Commissioner Decision

The Privacy Commissioner examined whether the hospitals and the clinic had adequate measures in place to protect personal health information. The Privacy Commissioner's decision focused on several key issues:

  • Reasonable Steps to Protect Personal Health Information: The Privacy Commissioner first evaluated whether the hospitals and the clinic took reasonable steps to protect against unauthorized collection, use, and disclosure of personal health information, as is required by PHIPA. This includes administrative, technical and physical measures or safeguards, including: privacy policies, procedures and practices, audit functionality, privacy training and awareness programs and initiatives, and annual confidentiality attestations or agreements. While the hospitals were found to have reasonable safeguards in place, the clinic was severely lacking in its privacy governance. When the clinic was opened, it had a complete lack of documented measures to protect personal information.
  • Compliance with Information Practices Aligned to PHIPA Requirements: The Privacy Commissioner assessed whether the hospitals and the clinic had implemented and followed information practices consistent with PHIPA's requirements. Again, the hospitals were largely compliant, but the clinic had no structured privacy practices at the time of the breach, in stark non-compliance with PHIPA.
  • Response to the Privacy Breach: The Privacy Commissioner reviewed the parties' response to the privacy breach, and determined that the lead hospital responded in a timely, methodical and responsible manner. In contrast, the Privacy Commissioner found that the clinic was completely unprepared to deal with a privacy breach of this nature, largely because it had no privacy breach response protocol in place.

Imposition of Administrative Monetary Penalties

After determining that the physician, acting as an agent of the hospital, and the clinic were in violation of PHIPA, the Privacy Commissioner assessed whether administrative monetary penalties were warranted. The Privacy Commissioner emphasized that the purpose of these penalties is to encourage compliance with PHIPA and prevent economic benefits derived from the contraventions – they are not intended to be punitive. Ultimately, the Privacy Commissioner imposed a penalty of $5,000 on the physician (personally) and $7,500 on the clinic.

While the amounts were relatively low in this case, it is important to note the potential for much higher financial penalties. The maximum administrative monetary penalty that can be imposed is $50,000 for an individual and $500,000 for an organization – but these maximum amounts are subject to an override. Either limit can be exceeded by the value of the economic benefit acquired by, or that accrued to, the person as a result of their contravention.

Administrative monetary penalties are not the only financial consequences that may arise for breaching PHIPA. After the Privacy Commissioner issues an order, individuals who are adversely affected may commence their own lawsuit in the Superior Court of Justice for damages for actual harm suffered as a result of a contravention of PHIPA, plus up to $10,000 for mental anguish. Also, in cases where an individual or corporation is prosecuted and found guilty of committing an offence under PHIPA, they can be liable for a fine of up to $200,000 (in the case of an individual) or $1 million (in the case of a corporation). Finally, the Privacy Commissioner's enforcement measures do not preclude other actions against a healthcare provider, whether by individuals initiating other lawsuits or by health profession regulators launching disciplinary or other proceedings.

Key Takeaways

The decision establishes a bright line for when the Privacy Commissioner will impose administrative monetary penalties. Healthcare providers and their service providers need to ensure that they meet basic PHIPA obligations by:

  • Establishing comprehensive privacy governance frameworks. This includes clear policies addressing topics like restrictions on access, use and disclosure, regular audits, and appropriate training programs to ensure all staff understand their obligations under PHIPA. Training programs should be tailored to different roles within the organization to ensure all staff are aware of their specific responsibilities regarding personal health information.
  • Conducting ongoing logging, and regular monitoring and auditing, of EHR systems. This is necessary to detect unauthorized access to, or use or disclosure of, personal health information. Healthcare providers, particularly those that rely on shared EHR systems, should implement monitoring and auditing functionality that can show who accessed which record and when, and should review those logs on a regular schedule rather than only after a patient complaint.
  • Implementing a well-defined breach response plan that reflects PHIPA's breach response requirements. This should include processes to promptly contain a breach, thoroughly investigate a breach, and provide timely notification to affected individuals and the Privacy Commissioner. Failure to properly respond to a privacy breach can be a further source of liability (beyond any liability arising out of the breach itself).
  • Ensuring there is demonstrable accountability. The Privacy Commissioner emphasized in the decision and in accompanying statements that, not only must organizations have privacy programs in place, they must also be able to show that those programs are being followed. The way in which organizations can demonstrate compliance varies based on the PHIPA obligation at issue, but organizations must consider how they are documenting the execution of their governance framework – in short, what evidence they can present to show they met their legal obligations and followed their documented policies and procedures.
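The logging and auditing takeaway above is easier to act on with a concrete review routine. The script below is an added example, not code from the Fasken article or from any hospital's or EHR vendor's tooling: it runs over a few constructed audit-log lines and flags the pattern the decision describes, a user viewing records of patients they have no care relationship with, combined with a cohort-style demographic search. The log format, the field names, the care-team table, the threshold and every sample record are assumptions made for illustration; a real deployment would read the EHR's own audit export and the scheduling or admission system for care relationships.

```python
"""Added example (not part of the Fasken article or any hospital's own tooling):
toy EHR audit-log review that surfaces the access pattern described in
PHIPA Decision 298 -- record views with no care relationship, plus a broad
demographic search for a cohort. Log format, field names, thresholds and
all sample records below are constructed assumptions for illustration."""

from collections import Counter, defaultdict
import json

# Constructed audit events (one JSON object per line). Real EHR audit logs
# vary by vendor; the fields assumed here are the minimum a reviewer needs:
# who, what, when, and which patient or query.
AUDIT_LOG = """\
{"ts":"2020-01-07T08:02:11","user":"dr_a","action":"view","patient":"P100"}
{"ts":"2020-01-07T08:05:43","user":"dr_a","action":"view","patient":"P101"}
{"ts":"2020-01-07T21:14:02","user":"dr_b","action":"search","query":"sex=M age<30d"}
{"ts":"2020-01-07T21:15:10","user":"dr_b","action":"view","patient":"P200"}
{"ts":"2020-01-07T21:15:44","user":"dr_b","action":"view","patient":"P201"}
{"ts":"2020-01-07T21:16:20","user":"dr_b","action":"view","patient":"P202"}
{"ts":"2020-01-07T21:17:01","user":"dr_b","action":"view","patient":"P203"}
{"ts":"2020-01-08T09:30:00","user":"dr_b","action":"view","patient":"P300"}
"""

# Constructed care-relationship table: which users are on a patient's care
# team. In practice this comes from the scheduling/admission system rather
# than being hard-coded.
CARE_TEAM = {
    "P100": {"dr_a"},
    "P101": {"dr_a"},
    "P200": {"dr_c"},
    "P201": {"dr_c"},
    "P202": {"dr_c"},
    "P203": {"dr_c"},
    "P300": {"dr_b"},
}

# Assumed threshold: more than this many "no relationship" views by one user
# in the review window is escalated rather than merely listed.
BULK_THRESHOLD = 3


def parse_events(raw):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def flag_no_relationship(events, care_team):
    """Return record views where the user is not on the patient's care team."""
    return [
        e for e in events
        if e["action"] == "view" and e["user"] not in care_team.get(e["patient"], set())
    ]


def flag_cohort_searches(events):
    """Return demographic searches not keyed to a specific patient.

    Such a search is not necessarily improper, but it carries no
    treating-relationship context, so it is surfaced for human review.
    """
    return [e for e in events if e["action"] == "search"]


def review(raw, care_team, threshold=BULK_THRESHOLD):
    """Summarise findings per user for a privacy officer's review queue."""
    events = parse_events(raw)
    no_rel = flag_no_relationship(events, care_team)
    per_user = Counter(e["user"] for e in no_rel)
    searches = defaultdict(list)
    for e in flag_cohort_searches(events):
        searches[e["user"]].append(e["query"])
    report = {}
    for user in set(per_user) | set(searches):
        n = per_user.get(user, 0)
        report[user] = {
            "views_without_relationship": n,
            # Escalate on volume alone, or on any unrelated view that follows
            # a cohort search (the combination seen in the decision).
            "cohort_searches": searches.get(user, []),
            "escalate": n > threshold or (n > 0 and bool(searches.get(user))),
        }
    return report


if __name__ == "__main__":
    for user, finding in review(AUDIT_LOG, CARE_TEAM).items():
        print(user, json.dumps(finding))
```

On the constructed input only dr_b is reported: four record views with no care relationship and one cohort search, so the entry is marked for escalation. The point of the care-team join is that an audit log alone shows activity, not legitimacy; the review needs a second data source to say whether an access was expected, which is also the evidence an organization would need to demonstrate that its auditing policy is actually being followed.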

Conclusion

PHIPA Decision 298 serves as a reminder for healthcare providers, and their service providers, of the importance of having privacy and information management policies, procedures and practices in place, and of ensuring that privacy compliance is taken seriously. By taking proactive steps to understand and comply with PHIPA's requirements, including seeking legal advice on privacy compliance programs (such as the elements discussed above), healthcare providers can protect patient information, maintain patient trust, and avoid the financial repercussions of non-compliance.

In the written decision, the Privacy Commissioner plainly stated the impact of this decision: "This case should serve as a cautionary tale for any startup in Ontario's health sector that decides to put the cart before the horse, and begin operating without the necessary privacy policies, procedures and practices in place."

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
