Ontario Regulation 343/23, established under the Personal Health Information Protection Act (PHIPA) of 2004, introduces amendments to existing regulations concerning the handling of personal health information. This regulation specifically amends Ontario Regulation 329/04, with a primary focus on clarifying the framework for imposing administrative penalties for violations of the Act and its regulations.

The regulation introduces a new section outlining how administrative penalties will be determined. It establishes maximum penalties for contraventions of the Act, capping them at $50,000 for individuals (natural persons) and $500,000 for organizations (non-natural persons). This differentiation acknowledges the varying capacities of individuals and organizations to absorb financial penalties. Furthermore, the Commissioner has the authority to increase the penalty amount based on any economic benefit the offending party may have gained or accrued from their contraventions, aiming to deter potential violations by ensuring that financial gains from misconduct are accounted for in the penalty assessment.

To evaluate the severity of contraventions, the regulation provides a framework of criteria. These include the extent of deviation from regulatory requirements, the preventive measures that could have been implemented, the level of harm or potential harm caused to others, efforts made to mitigate harm or take remedial action, the number of individuals and health information custodians affected, whether the Commissioner and affected individuals were notified of the contraventions, the economic benefits derived from the contraventions, and the individual’s or organization’s history of prior violations. These criteria allow for a comprehensive evaluation of each contravention, enabling penalties to be tailored to specific circumstances.

Stakeholders, particularly health information custodians, are advised to review their current practices and ensure alignment with the regulatory requirements to avoid potential penalties. The regulation is intended to serve as a reminder of the importance of safeguarding personal health information and the consequences of failing to adhere to established protocols.

By defining limits on administrative penalties and establishing criteria for their determination, the regulation aims to strengthen accountability in the healthcare sector.

Ontario (343/23) December 3, 2023