Administrative Monetary Penalties for Administrative Breaches of the Personal Health Information Protection Act: Proposed Amendments to Ontario Regulation 329/04

July 25, 2023

Download Submission

Submitted to: Ministry of Health and Long-Term Care
Date: July 25, 2023

Summary

The Ontario Bar Association (OBA) appreciates the opportunity to provide comments in response to the proposed amendments to Ontario Regulation 329/04 (the Regulation) under the Personal Health Information Protection Act, 2004 (the Act) which provides the Information and Privacy Commissioner of Ontario (IPC) the authority to impose administrative monetary penalties on contraveners of PHIPA. The proposed amendment seeks to specify how the IPC will determine appropriate penalty amounts.

While we support the objective of enhancing and encouraging compliance with PHIPA, for the reasons set out more fully below, the penalties proposed in the Regulation are excessive to the point of being punitive. The high amounts could serve as an additional burden on regulated health practitioners and their staff, and result in unintended negative consequences for patients impeding timely patient care. Procedural fairness protections are needed for those facing penalties.

The Ontario Bar Association

Established in 1907, the OBA is the largest and most diverse volunteer lawyer association in Ontario, with close to 16,000 members, practicing in every area of law in every region of the province. Each year, through the work of our 40 practice sections, the OBA provides advice to assist legislators and other key decision-makers in the interests of both the profession and the public and we deliver over 325 in-person and online professional development programs to an audience of over 20,000 lawyers, judges, students, and professors.

This submission was led by members of both the OBA’s Health Law Section and the Privacy Law Section. Members of these sections include barristers and solicitors in public and private practice in large, medium, and small firm/ solo practitioners who are experts in health and privacy law. These lawyers offer a range of perspectives as they represent institutions, medical (and other) professionals, patients, and individuals on a range of health and privacy issues in every judicial region of the province.

Comments

The proposed amendments to the Regulation are excessive and lack sufficient procedural safeguards for those who are said to be in contravention of the administrative procedures under PHIPA.

QUANTUM OF PENALTIES

The maximum administrative monetary penalties of $50,000 for a natural person and $500,000 for corporations are excessive, particularly considering the wide discretion bestowed on the Commissioner to set the penalty in accordance with any criteria they consider to be relevant.

Individuals (natural persons) with access to personal health information are most often regulated healthcare professionals and/or their support staff, who are already overburdened and under resourced. Ontario’s healthcare institutions and medical practices are struggling to provide timely integrated high-quality care to the people of Ontario.

For individuals, the risk of facing a $50,000 penalty could inadvertently send a chill in the medical community materializing as a slowdown and reduction in the sharing of important personal health information across institutions, with a potential negative impact on patient care arising from information not being shared. It amounts to additional red-tape, and individuals may think twice and err on the side of caution, rather than share timely patient information when faced with a potential penalty that could have a detrimental effect on their own ability to meet other financial obligations such as cost of living. These penalties are so significant that they also could be seen as one more disincentive for individuals to serve in or for one of the regulated medical professions.

For persons who are not natural persons (e.g., corporations or other business entities which operate primary care clinics, dentistry clinics, allied health clinics, privately owned long-term care facilities, etc.), an Administrative Monetary Penalty (AMP) penalty of $500,000 could have the effect of bankrupting the applicable business. These entities provide essential services to the people of Ontario and are valued members of their communities. It is concerning that a privacy breach could have such a significant impact on these individuals, and their clients.

While we appreciate the need to encourage compliance with PHIPA, a more modest maximum penalty would achieve this purpose. Maximum penalties, including those under PHIPA, should be set in line with similar penalties in other legislation aimed at encouraging compliance. For example:

  • The Retirement Homes Act, 2010, S.O. 2010, c. 11 (RHA) provides for administrative penalties which may be ordered against a person who has contravened a requirement under that Act. The purpose of the administrative penalty is expressly stated at section 93(2) of the RHA as encouraging compliance. The maximum penalty under the RHA is $10,000.
  • The Strengthening Quality and Accountability for Patients Act, 2017, S.O. 2017 c. 25 has administrative penalties to a maximum of $100,000 for failure to comply with the requirements of the Long-Term Care Homes Act, 2007, S.O. 2007, c.8. While the amendments regarding administrative penalties have yet to come into effect, the purpose of the penalties are to encourage compliance with the Act, and to prevent the person/licensee from deriving an economic benefit as a result of not complying with the Act. Section 61.2, states that the purpose of AMPs is consistent with the aims of both the Retirement Homes Act and the Long Term Care Homes Act: to encourage compliance.

In addition to reconsidering the penalty amounts, consideration could be given to including factors that ensure penalties do not inadvertently have a detrimental effect for patience care and outcomes. This could be accomplished by including specific wording such as, “the extent to which the penalty amount could have a detrimental effect on the delivery of healthcare in Ontario should be part of the review included prior to the imposition of any penalty”. Such language can add protection from inadvertent consequences.

PROCEDURAL FAIRNESS

Right to Respond

We recognize that the proposed amendments to the Regulation deal only with determining the amount of an administrative monetary penalty (AMP) for a contravention of the Act. However, we wish to raise a concern regarding procedural fairness at this early stage so that thought may be given to whether procedural protections should be outlined in the Regulation or by the IPC in the Code of Procedure for Matters under the Personal Health Information Protection Act, 2004 (“the Code”).

Given the potential quantum of the penalties and as a matter of procedural fairness, respondents ought to be given the opportunity to make submissions with respect to the quantum of any potential AMP after the issuance of the Adjudicator’s decision to impose an AMP. Sections 9 and 15 of the Code provide the right to make representations to the Adjudicator regarding the issues in the file. However, the Code does not provide any specific right to make representations regarding the quantum of an AMP, after the Adjudicator has completed their Review and decided to impose an AMP.

Procedural protections should be put into place such that an order requiring a person or institution to pay an AMP, under section 61.1 of the Act, may only be issued after there is an opportunity to make representations with respect to the quantum of the penalty. This would tie in with the timing of when an AMP is ordered.

Clarity

It is unclear whether the AMPs may be imposed immediately, or whether penalties are only to be used as a remedy of last resort. The ambiguity arises in determining whether the timing relates to when a person has failed to follow the IPC’s advice, comply with an interim order, remedy their non-compliance with the Act, or when exercise of the relevant powers granted to the IPC in section 61(1) have proven ineffective). This should be clarified to make it clear that administrative penalties ought to be reserved as a last resort to encourage compliance, or at a minimum, clarity should be brought to the circumstances in which an administrative penalty may be ordered.

Conclusion

The AMP amounts are excessive. Lesser amounts that are more in line with other healthcarerelated legislation would serve the goal of encouraging compliance with PHIPA. The potential for causing unintended negative consequences for patient outcomes and the provision of timely healthcare outweighs the punitive nature of the AMPs.

Appropriate procedural safeguards are needed including the right to make a submission as to the amount of the AMP, and clarity brought to whether AMPs may be imposed in the first instance of contravention of the Act, or after a failure to comply with an Order of the IPC.

The OBA appreciates the opportunity to comment on the important issues presented in the draft regulatory amendments and welcomes any opportunity for further engagement on this topic.