In 2025, the Information and Privacy Commissioner of Ontario (the "IPC") imposed its first-ever administrative monetary penalties ("AMPs") under Ontario's Personal Health Information Protection Act[1] ("PHIPA"). A private pediatric clinic (the "Clinic") received a $7,500 AMP, one of two penalties imposed in the case, for operating without any privacy management program, a failure the IPC found to be "plainly not reasonable in the circumstances."[2] This decision ("Decision 298") establishes clear regulatory expectations and quantifiable enforcement consequences for health information custodians ("HICs").[3]
Background
While PHIPA imposes obligations on HICs, it also includes provisions applicable to individuals and organizations that receive personal health information[4] ("PHI") from HICs, who may likewise be subject to AMPs and other enforcement actions for non-compliance. This article focuses primarily on the obligations of and consequences for HICs.
Since January 1, 2024, the IPC has had authority to impose AMPs under PHIPA, with maximum penalties reaching $50,000 for individuals and $500,000 for organizations.[5] The purposes of this power are to encourage compliance with PHIPA and its regulations and to prevent a person from deriving economic benefit from violations.[6]
The Decision
Decision 298 arose from a privacy breach at Windsor Regional Hospital ("WRH"). A physician with privileges at WRH used his authorized access to the hospitals' shared electronic health records system to conduct targeted searches, through which he accessed the PHI of patients. The physician, acting as an agent[7] of both WRH and the Clinic he partly owned, used this information for an unauthorized purpose: identifying recently born males and contacting their parents to solicit circumcision services at the Clinic. As a result of this unauthorized use, the physician performed at least one procedure that generated $350, of which $35 was paid to the Clinic as overhead. Following its investigation, the IPC imposed AMPs against both the physician ($5,000) and the Clinic ($7,500).[8]
The IPC held the Clinic accountable for failing to meet its obligations as an HIC under PHIPA. When the Clinic opened for business, it had no information practices[9] in place,[10] had imposed no conditions or restrictions on the physician's handling of PHI,[11] and had taken no steps to ensure compliance with PHIPA.[12] The IPC found the Clinic's "complete lack of documented privacy policies, practices and procedures was plainly not reasonable in the circumstances."[13]
As an HIC under PHIPA, the Clinic was required to, among other obligations: (1) establish and comply with information practices that meet PHIPA requirements;[14] (2) take reasonable steps to ensure PHI is not collected without authority;[15] (3) take reasonable steps to protect PHI against theft, loss, and unauthorized use or disclosure;[16] and (4) remain responsible for PHI collected, used, disclosed, retained, or disposed of by its agents.[17] The IPC found the Clinic breached all of these obligations.
In imposing the $7,500 AMP against the Clinic, the IPC emphasized that the Clinic's deviation from its legal obligations was significant. While acknowledging that "a robust privacy management program matures and becomes more sophisticated over time," the IPC made clear that organizations should have "at least the foundational building blocks of a privacy management program" operational before opening their doors.[18] The IPC stated this case "should serve as a cautionary tale for any start up in Ontario's health sector that decides to put the cart before the horse, and begin operating without the necessary privacy policies, procedures and practices in place."[19]
Key Takeaways
Decision 298 establishes clear regulatory expectations for HICs operating in Ontario. Key lessons include:
- the IPC will impose AMPs to encourage compliance with PHIPA and prevent persons from deriving economic benefit from violations;
- start-up status is not a defense – foundational privacy management programs should be operational before commencing operations; and
- HICs remain responsible for their agents' handling of PHI and must take reasonable steps to ensure agents comply with PHIPA requirements.
To implement these lessons, HICs should note that the IPC has adopted a "demonstrable accountability" approach, requiring HICs to prove through evidence that their privacy policies actually work as intended.[20] The IPC's Privacy Management Handbook for Small Health Care Organizations and Administrative Monetary Penalties: Guidance for the Health Care Sector provide practical compliance resources. To meet these expectations and avoid the consequences illustrated in Decision 298, HICs should ensure foundational privacy protections are operational before commencing operations.
These foundational protections include: (1) documented privacy policies and procedures compliant with PHIPA; (2) written confidentiality agreements for all personnel with access to PHI; (3) role-based access controls limiting PHI access to what is necessary; (4) privacy training programs for personnel; (5) audit mechanisms to monitor and verify compliance; and (6) record-keeping systems to evidence that privacy obligations are being met in practice.
McMillan's Privacy and Data Protection Group has experience advising organizations across sectors on privacy compliance matters. For questions about your organization's privacy obligations under PHIPA or other privacy legislation, please contact us for assistance navigating these complex privacy and data protection issues in Canada.
Footnotes
[1] Personal Health Information Protection Act, 2004, SO 2004, c 3, Sch A ("PHIPA").
[2] Decision 298 (August 27, 2025), Information and Privacy Commissioner of Ontario ("Decision 298"), at para 53.
[3] The term "health information custodians" is defined in s 3(1) of PHIPA and means a prescribed person or organization who has custody or control of PHI as a result of or in connection with performing their powers or duties, and includes a health care practitioner, a person who operates a group practice of health care practitioners, and a person who operates a hospital, long-term care home, retirement home, pharmacy, laboratory, or ambulance service.
[4] The term "personal health information" is defined in s 4 of PHIPA and means certain identifying information about an individual, including information relating to the physical or mental state of, or the providing of health care to, the individual.
[5] PHIPA, ss 61(1)(h.1) and 61.1; General, O Reg 329/04 (the "Regulations"), s 35(1).
[6] PHIPA, s 61.1.
[7] The term "agent" is defined in s 2 of PHIPA and means, in relation to an HIC, a person that, with the authorization of the HIC, acts for or on behalf of the custodian in respect of PHI for the purposes of the HIC, and not the agent's own purposes.
[8] In determining AMP amounts, the IPC considers the criteria set out in the Regulations, s 35(3), including the extent of deviation from PHIPA requirements, whether the contraventions could have been prevented, the extent of harm, remedial actions taken, the number of individuals affected, whether proper notifications were made, the economic benefit derived or expected, and prior contraventions.
[9] The term "information practices" is defined in s 2 of PHIPA and means an HIC's policy for actions in relation to PHI, including: (a) when, how and the purposes for which the HIC routinely collects, uses, modifies, discloses, retains or disposes of PHI, and (b) the administrative, technical and physical safeguards and practices that the HIC maintains with respect to the information.
[10] Decision 298 at para 58.
[11] Decision 298 at para 81.
[12] Decision 298 at para 53.
[13] Decision 298 at para 53.
[14] PHIPA, ss 10(1) and (2).
[15] PHIPA, s 11.1.
[16] PHIPA, s 12(1).
[17] PHIPA, s 17.
[18] Decision 298 at para 118.
[19] Decision 298 at para 71.
[20] Decision 298 at para 61.
The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
© McMillan LLP 2025