Healthcare providers covered by Ontario’s privacy law have an extra incentive to follow provincial data protection regulations: They now face administrative fines for serious violations of the provincial law.
As of Jan. 1, the Information and Privacy Commissioner of Ontario (IPC) can issue penalties of up to $50,000 for individuals and $500,000 for organizations that violate the Personal Health Information Protection Act (PHIPA).
Fines — officially called administrative monetary penalties (AMPs) — can be issued to encourage compliance with PHIPA, a statement from the commissioner’s office says. Or, it adds, penalties can be applied to prevent a person from deriving — directly or indirectly — any economic benefit from contravening the law.
“The IPC will not use AMPs as the default response to breaches,” the statement says. “They will generally only be used as an enforcement option for more severe violations of PHIPA, not in cases involving unintentional errors or one-off mistakes.”
“The IPC will take a measured approach in response to PHIPA violations, providing education, guidance, informal resolution, and recommendations when less severe violations occur.”
Organizations have known this was coming since 2020, when the Ontario legislature amended PHIPA to give the IPC additional enforcement powers. The new powers didn’t come into effect until Jan. 1, 2024.
Quebec is the only other province whose privacy law, which covers the private sector, authorizes administrative monetary penalties. The federal government is currently considering Bill C-27, which would also authorize administrative penalties.
The IPC has issued guidance to organizations on how administrative penalties for healthcare providers will be applied. The commissioner also can issue binding orders requiring individuals or organizations to take specific actions to address data protection shortcomings.
In the vast majority of healthcare data breaches investigated, individuals show a genuine willingness to report, take responsibility for, and remedy errors when they occur, the guidance notes. Incidents often involve inadvertent errors, one-off contraventions with relatively minor impact, or some at-risk behaviours in need of coaching and course correction, the paper says. “In most cases, the individual or organization is highly responsive and co-operative in rectifying the situation. Education, guidance, early resolution, and recommendations for corrective measures are often the only tools the IPC needs to use in such cases.”
Under PHIPA, a health information custodian may not collect, use, or disclose personal health information without the patient’s consent unless the Act permits or requires it; in some circumstances the Act also allows information to be collected indirectly rather than from the patient.
The new powers come just as the IPC starts an investigation into the recent ransomware attack that hit five hospitals that share a common IT provider. The commissioner’s office says it plans to make its findings public.
Around the world, hospitals are targets for cybercrooks looking for credit/debit card data to steal, and for personal information that can be used to extort or blackmail hospital administrators.
For-profit hospitals are better able to fund cybersecurity than those that rely on government support, such as Canadian institutions. Earlier this year, the Canadian Internet Registration Authority (CIRA), which oversees the .ca domain, said a “lack of focus” by management and a lack of money are the biggest factors blocking improvement of the cybersecurity of Canadian hospitals.
It’s not only hospitals that are targets. Data on 3.4 million Ontario mothers, newborns, and children, collected over the past 10 years, was stolen earlier this year from the MOVEit Transfer file transfer server of the provincially funded Better Outcomes Registry & Network Ontario, also known as BORN. BORN was one of more than 2,000 organizations around the world victimized through a zero-day vulnerability in MOVEit Transfer.
Last year, the IPC issued 35 decisions on complaints alleging PHIPA violations by physicians and hospitals. Many concerned requests for access to, or correction of, records.