
Privacy & Security Tips

September, 2025

PHIPA breaches have a new price tag: first monetary penalty lands in health care

This past month, Ontario's Information and Privacy Commissioner (IPC) issued PHIPA Decision 298, its first administrative monetary penalty under the Personal Health Information Protection Act (PHIPA), against a physician who accessed patient records from a hospital without authorization to solicit his clinic's private services. The IPC imposed financial penalties on both the physician and the clinic involved. The doctor has been ordered to pay a $5,000 penalty for accessing and using patients' hospital records without authorization for personal financial gain. For its part, the clinic has been ordered to pay a penalty of $7,500 for failing to meet its most basic obligations under PHIPA. The clinic could not demonstrate any evidence of privacy policies or data governance, which formed the basis for imposing the fines. The decision underscores that custodians must be able to demonstrate that they have reasonable safeguards and governance systems in place, and that these are applied in practice, not just on paper.

Some critical obligations include:

  • Protecting personal health information (PHI) from unauthorized use or disclosure, through:

    • administrative, technical and physical measures or safeguards

    • privacy policies, procedures and practices, with auditing functionality

    • privacy training, awareness programs, and initiatives

    • confidentiality agreements

  • Reviewing measures or safeguards from time to time to ensure continued protection of PHI

  • Ensuring no agent of the custodian collects, uses, discloses, retains or disposes of PHI contrary to PHIPA

  • Ensuring that PHI is not collected without authority

For physicians, this decision is a stark reminder about evolving expectations around privacy, digital tools, and accountability. As indicated above, the IPC emphasized the importance of regular and appropriate privacy training for which an individual can demonstrate records of completion. OMD provides physicians and support staff with free training and certificates upon completion.

Read additional guidance from the College of Physicians and Surgeons of Ontario on the use of AI scribes in clinical practice.