Original artwork by Aedán Crooke of Surface Impression, commissioned for the IPC’s Transparency Showcase.

IPC Goal: to promote confidence in the health care system by guiding custodians to respect the privacy and access rights of Ontarians and supporting the pioneering use of personal health information for research and analytics to the extent it serves the public good. 

Privacy accountability program to build patient trust

Throughout 2024, the IPC worked to develop privacy guidance specifically customized for small health information custodians (HICs) under the Personal Health Information Protection Act (PHIPA). The Privacy Management Handbook for Small Health Care Organizations provides the basic elements they need to build an effective privacy management and accountability program their patients can trust.  

Privacy Management Handbook for Small Health Care Organizations offers practical guidance to help smaller organizations meet their obligations under Ontario’s health privacy law.

Health care providers, both large and small, must comply with their legal responsibilities to protect patients’ personal health information. However, we recognize that one size does not fit all. Small providers are often strapped for time, capacity and resources, and this guidance is intended to help make it easier and more straightforward for them to understand and comply with their basic privacy obligations under the law. 

The guidance outlines best practices for developing a privacy management program tailored to the needs of small health information custodians, considering their size and specific circumstances. A well-implemented privacy management program helps HICs uphold good practices and identify areas in need of strengthening, so they can continually strive to improve by developing greater privacy maturity and sophistication over time.  

AI in health

AI has the potential to vastly improve medical diagnostics, accelerating access to early interventions and treatments that could save lives. AI can also reduce administrative burdens on health providers by automating many of their routine tasks. Some say this could free up their time so they could take on more patients, helping to resolve the shortage of health providers in Ontario, or at least, enhance the quality of their interactions with existing patients. Introducing AI in health, however, also ushers in new privacy, safety, and ethical considerations that must be factored in and addressed as part of responsible innovation.     

Throughout 2024, the IPC conducted extensive research on the use of AI in Ontario’s health care sector, with a particular focus on AI scribe technology. The IPC's guidance, set for release in 2025, will provide health care providers with key considerations for using AI in a way that ensures compliance with PHIPA, particularly around patient consent, transparency, security, and data protection.

IPC FYI: The Trust in Digital Health series

To demystify what are often complex concepts in PHIPA both for individuals and providers, the IPC released a special IPC FYI Health Privacy series. These short, animated and easy-to-access videos highlight some of the obligations of health information custodians under PHIPA, and let individuals know about their correlative rights in simple, plain language. 

The three short videos we released as part of the IPC FYI Health Privacy series include:

  • IPC FYI: A Guide to AMPs. This short video aimed at health providers describes the purpose of AMPs, the circumstances under which AMPs might be issued, and the factors influencing the penalty amounts on a case-by-case basis. 
  • IPC FYI: Sharing Health Data describes the situations in which health information custodians can engage in responsible sharing of personal health information under PHIPA, including for research, health system planning and public health.  
  • IPC FYI: Understanding PHIPA raises awareness among Ontarians about their right to access their health record. This video also describes basic rules health providers must follow when collecting, using, and disclosing personal health information, as well as their obligations to keep it safe and secure, particularly in the digital health context. 

In addition to the IPC FYI Health Privacy video series, we launched a patient privacy hub on our website to help Ontarians better understand and exercise their rights under PHIPA. Many patients are unaware of what they can expect from their health provider in terms of privacy protection. They may not know about their right to access their own health records or how to navigate the process effectively. 

In response, the IPC developed a user-friendly portal that brings together essential guidance, resources, and other key tools specially tailored for patients. By consolidating high-value resources in a one-stop shop, the IPC is helping individuals take control of their personal health information and make more informed decisions about how it is managed.

“Putting patients at the centre of care means safeguarding their privacy, ensuring their access rights, and fundamentally respecting their dignity. The IPC’s patient privacy hub is designed to help Ontarians feel confident in navigating their personal health information, so they can seek care when they need it most, knowing their rights are protected.”

Advocacy for protecting health privacy and access rights

In 2024, the IPC continued its advocacy to protect Ontarians' privacy and access rights in the evolving digital health landscape. Central to these efforts was our critique of Schedule 6 in the More Convenient Care Act, which proposed significant changes to PHIPA. The IPC raised concerns about the diminished rights to access personal health records, the risks posed by an overly complex and inconsistent privacy framework, and the extensive reliance on vague rulemaking for implementing Digital Health IDs. These amendments, designed to enable patient access to their electronic health records (EHRs), lack sufficient safeguards, clarity on their use, and transparency about the roles of Ontario Health and third parties involved in the system.

The IPC emphasized the need for a simpler, more streamlined and coherent legislative approach. We called for stronger privacy protections, clear limits on data use, and stronger oversight mechanisms. Recommendations included retaining individuals' full access rights to their health records, embedding privacy-enhancing principles such as data minimization, and ensuring transparency in the governance of digital health tools.

Data Integration under FIPPA Part III.1: IPC orders

Under Part III.1 of FIPPA, interministerial data integration units (IMDIUs) are government teams with special authority to link together different sets of personal information to be used and analyzed for purposes of planning, managing and evaluating government programs and services. Given this unique authority, IMDIUs are held to defined transparency, privacy, and security standards, and are subject to review of their practices and procedures by the IPC, both initially, before linking any personal information, and then at least every three years thereafter.


At the end of 2024, the IPC launched the first three-year review of the Ministry of Health’s IMDIU, following its initial review in 2022. The initial review found areas of significant risk. As a result, the IPC issued several orders to bring the ministry into compliance with the required data integration standards established by the Minister of Public and Business Service Delivery and Procurement and approved by my office. In particular, the IPC ordered the ministry to update its privacy impact assessments and threat/risk assessments to identify and address privacy and security risks arising from using legacy and shared technical infrastructure in the new data integration context. Also, we ordered the ministry to implement a business continuity and disaster recovery plan in accordance with the required standards. The deadline to comply with these orders was September 30, 2022.

The IPC is highly concerned that these and other orders remain outstanding to this day, despite the IPC having given several extensions and made numerous attempts to support the ministry in its efforts. The failure of the ministry to comply with the IPC’s orders seriously undermines the very purpose and integrity of the data integration regime established by government itself.

The IPC strongly recommends that government allocate the necessary funding and expertise in privacy and data governance to bring the ministry into compliance with the required data integration standards as soon as possible. The IPC will take into account this state of continuing non-compliance as we conduct our three-year review of the Ministry of Health's IMDIU and will expect a swift resolution to these outstanding issues and any new issues that are identified. 

Info Matters episodes related to Trust in Digital Health in 2024