Regulation - LGIC
Administrative monetary penalties regulation under the Personal Health Information Protection Act, 2004
Regulation Number(s):
329/04
Instrument Type:
Regulation - LGIC
Bill or Act:
Personal Health Information Protection Act
Summary of Decision:
Administrative penalties offer an efficient, direct way to enforce compliance, without involving expensive and time-consuming court proceedings. Increasingly a useful regulatory tool, administrative penalties widen the range of enforcement options available, allowing the flexibility to fine-tune response to specific compliance issues. Imposing an administrative penalty may reinforce compliance and motivate behavioural change.
In March 2020, the government introduced - for the first time in Canadian health privacy legislation - administrative penalties into Ontario's health privacy law, PHIPA. This change provided the Information and Privacy Commissioner of Ontario (IPC) with the authority to impose administrative monetary penalties on contraveners of the Act. Now, the approved regulation specifies how the IPC will determine appropriate penalty amounts.
The approved regulation amends the General Regulation under PHIPA to:
• Set the maximum for an administrative penalty at $50,000 for individuals and $500,000 for organizations.
• Enable the IPC to increase a penalty by an amount equal to the economic benefit derived from a contravention.
• Outline the criteria the IPC must consider in determining a penalty amount, as well as enable the IPC to consider any other relevant criteria.
In March 2020, the government introduced - for the first time in Canadian health privacy legislation - administrative penalties into Ontario's health privacy law, PHIPA. This change provided the Information and Privacy Commissioner of Ontario (IPC) with the authority to impose administrative monetary penalties on contraveners of the Act. Now, the approved regulation specifies how the IPC will determine appropriate penalty amounts.
The approved regulation amends the General Regulation under PHIPA to:
• Set the maximum for an administrative penalty at $50,000 for individuals and $500,000 for organizations.
• Enable the IPC to increase a penalty by an amount equal to the economic benefit derived from a contravention.
• Outline the criteria the IPC must consider in determining a penalty amount, as well as enable the IPC to consider any other relevant criteria.
Analysis of Regulatory Impact:
There are no compliance costs for this proposal, and as the proposed changes aim to further protect the privacy of personal health information, all Ontarians stand to benefit. The anticipated benefit is strengthened protection of the privacy of Ontarians and increased trust in the province's health system.
Further Information:
Personal Health Information Protection Act
Proposal Number:
23-HLTC043
Posting Date:
November 27, 2023
Summary of Proposal:
Administrative penalties offer an efficient, direct way to enforce compliance, without involving expensive and time-consuming court proceedings. Increasingly a useful regulatory tool, administrative penalties widen the range of enforcement options available, allowing the flexibility to fine-tune response to specific compliance issues. Imposing an administrative penalty may reinforce compliance and motivate behavioural change.
In March 2020, the government introduced - for the first time in Canadian health privacy legislation - administrative penalties into Ontario's health privacy law, Personal Health Information Protection Act (PHIPA). This change provided the Information and Privacy Commissioner of Ontario (IPC) with the authority to impose administrative monetary penalties on contraveners of the Act. Now, a regulation is needed to specify how the IPC will determine appropriate penalty amounts.
The proposed regulation would amend the General Regulation under PHIPA to:
• Set the maximum for an administrative penalty at $50,000 for individuals and $500,000 for organizations.
• Enable the IPC to increase a penalty by an amount equal to the economic benefit derived from a contravention.
• Outline the criteria the IPC must consider in determining a penalty amount, as well as enable the IPC to consider any other relevant criteria.
In March 2020, the government introduced - for the first time in Canadian health privacy legislation - administrative penalties into Ontario's health privacy law, Personal Health Information Protection Act (PHIPA). This change provided the Information and Privacy Commissioner of Ontario (IPC) with the authority to impose administrative monetary penalties on contraveners of the Act. Now, a regulation is needed to specify how the IPC will determine appropriate penalty amounts.
The proposed regulation would amend the General Regulation under PHIPA to:
• Set the maximum for an administrative penalty at $50,000 for individuals and $500,000 for organizations.
• Enable the IPC to increase a penalty by an amount equal to the economic benefit derived from a contravention.
• Outline the criteria the IPC must consider in determining a penalty amount, as well as enable the IPC to consider any other relevant criteria.
Contact Address:
Christine Sham, Director
Information Management Strategy and Policy Branch
Digital and Analytics Strategy Division
Ministry of Health
222 Jarvis Street, 7th Floor
Toronto ON M7A 0B6
Email: healthprivacy.moh@ontario.ca
Information Management Strategy and Policy Branch
Digital and Analytics Strategy Division
Ministry of Health
222 Jarvis Street, 7th Floor
Toronto ON M7A 0B6
Email: healthprivacy.moh@ontario.ca
Effective Date:
January 1, 2024
Decision:
Approved