Ontario healthcare providers now face possible fines for ‘severe’ data privacy violations

Share post:

Healthcare providers covered by Ontario’s privacy law have an extra incentive to follow provincial data protection regulations: They now face administrative fines for serious violations of the provincial law.

As of Jan. 1, the Information and Privacy Commissioner of Ontario can issue penalties of up to a maximum of $50,000 for individuals and $500,000 for organizations that violate the Personal Health Information Protection Act (PHIPA).

Fines — officially called administrative monetary penalties (AMPs) — can be issued to encourage compliance with PHIPA, a statement from the commissioner’s office says. Or, it adds, penalties can be applied to prevent a person from deriving — directly or indirectly — any economic benefit from contravening the law.

“The IPC will not use AMPs as the default response to breaches,” the statement says. “They will generally only be used as an enforcement option for more severe violations of PHIPA, not in cases involving unintentional errors or one-off mistakes.”

“The IPC will take a measured approach in response to PHIPA violations, providing
education, guidance, informal resolution, and recommendations when less severe
violations occur.”

Organizations have known this was coming since 2020, when the Ontario legislature amended PHIPA to give the IPC additional enforcement powers. The new powers didn’t come into effect until Jan. 1, 2024.

Quebec is the only other province that has authorized the levying of administrative monetary penalties as part of its privacy law that covers the private sector. The federal government is currently considering Bill C-27, which would also authorize administrative penalties.

The IPC has issued guidance to organizations on how administrative penalties for healthcare providers will be applied. The commissioner also can issue binding orders requiring individuals or organizations to take specific actions to address data protection shortcomings.

In the vast majority of healthcare data breaches investigated, individuals show a genuine willingness to report, take responsibility for, and remedy errors when they occur, the guidance notes. Incidents often involve inadvertent errors, one-off contraventions with relatively minor impact, or some at-risk behaviours in need of coaching and course correction, the paper says. “In most cases, the individual or organization is highly responsive and co-operative in rectifying the situation. Education, guidance, early resolution, and recommendations for corrective measures are often the only tools the IPC needs to use in such cases.”

Under PHIPA, a health information custodian is prohibited from collecting, using, or disclosing personal health information without a patient’s consent, although under some circumstances, data can be collected indirectly.

The new powers come just as the IPC starts an investigation into the recent ransomware attack that hit five hospitals linked to a common shared IT provider. The commissioner’s office says it plans to make its findings public.

Around the world, hospitals are targets for cybercrooks looking for credit/debit card data to steal, and personal information as leverage for extortion or blackmail from hospital administrators.

For-profit hospitals are better able to fund cybersecurity than those — such as Canadian institutions — that rely on government support. Earlier this year, the Canadian Internet Registry Authority (CIRA), which oversees the .ca domain, said  “lack of focus” of management and lack of money are the biggest factors blocking the improvement of the cybersecurity of Canadian hospitals.

It’s not only hospitals that are targets. Data on 3.4 million Ontario mothers, newborns, and children collected over the past 10 years was stolen earlier this year from the MOVEit file transfer server of the provincially-funded Better Outcomes Registry & Network Ontario, also known as BORN. It was one of more than 2,000 organizations around the world victimized through a zero-day vulnerability in MOVEit Transfer.

Last year, the IPC issued 35 decisions involving complaints of alleged PHIPA violations involving physicians and hospitals. Many involved demands for access or corrections to records.

The post Ontario healthcare providers now face possible fines for ‘severe’ data privacy violations first appeared on IT World Canada.
Howard Solomon
Howard Solomonhttps://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Tech Jobs

SUBSCRIBE NOW

Related articles

Russian threat actor expanding its target list, warns Five Eyes report

APT29 is increasingly going after cloud services in mo

Canada’s privacy watchdog investigating hack at Global Affairs

Inquiry will look into adequacy of data safeguards at the federal

Sidebar: The powerful Digital Safety Commission

A look at the powers of the proposed five-person body charged with overseeing the Online

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways