Administrative monetary penalties under PHIPA
As of January 1, 2024, the IPC has the discretion to issue administrative monetary penalties (AMPs) as part of its enforcement powers for violations of the Personal Health Information Protection Act (PHIPA).
Penalties are up to a maximum of $50,000 for individuals and $500,000 for organizations. AMPs may be issued for the purposes of encouraging compliance with PHIPA or preventing a person from deriving — directly or indirectly — any economic benefit from contravening the law.
AMPs are just one of the options in the IPC’s regulatory toolkit for ensuring compliance with PHIPA in a manner that is flexible, balanced, and meaningful. Breaches of PHIPA can be addressed in proportion to their severity, enhancing public trust in the health care system.
The IPC will not use AMPs as the default response to violations of PHIPA. They will generally only be used as an enforcement option for more severe violations of PHIPA, not in cases involving unintentional errors or one-off mistakes.
Our office recognizes that the majority of Ontarians working in the health care system are deeply committed to the protection of personal health information. When mistakes occur, there is almost always a genuine willingness to take responsibility and remedy errors.
The IPC will continue to take a measured approach in response to PHIPA violations, providing education, guidance, informal resolution, and recommendations when less severe violations occur.
In cases where AMPs are determined to be an appropriate measure, the IPC will use the criteria set out in regulation under PHIPA to determine the amount.
Learn more about the criteria for AMPs and how the IPC will determine penalty amounts in our guidance.