PHIPA administrative monetary penalties: what Decision 298 means for your practice
For twenty years, PHIPA had penalty provisions on the books and the Information and Privacy Commissioner of Ontario (IPC) never used them. Orders, recommendations, public naming. No fines. Custodians who violated the Act faced reputational consequences, not financial ones.
Then in August 2025, the IPC issued Decision 298. Two administrative monetary penalties (AMPs) against a physician and his clinic. The first AMPs ever imposed under the Personal Health Information Protection Act, 2004 (PHIPA), and the first imposed by any privacy commissioner in Canada.
If you’re a therapist in Ontario who emails clients, you’ll want to understand what this ruling changes and why it matters even if you’re nowhere near the situation Decision 298 described.
What is Decision 298?
A physician with privileges at an Ontario hospital used the hospital’s shared electronic health record system to search for newborn males. He contacted the parents directly to offer circumcision services at his private clinic.
Two violations, not one.
- The physician accessed patient records without authorization and used that information to solicit business. He searched the hospital’s EHR for a specific patient demographic, then contacted parents directly to market his private practice. Both the access and the use violated PHIPA.
- The clinic didn’t have policies or safeguards governing how its physician accessed health records at other institutions. Under PHIPA, a health information custodian is responsible for the conduct of its agents. The clinic was the custodian. The physician was its agent. The IPC found the clinic failed that obligation.
The penalties: $5,000 against the physician personally, $7,500 against the clinic. The hospital? Nothing. The IPC found the hospital had reasonable safeguards in place.
These amounts are modest. The precedent is not.
After two decades of softer enforcement (orders, recommendations, public reports), the Commissioner reached for financial penalties for the first time. This was also the first administrative monetary penalty imposed by any privacy commissioner in Canada. (BLG analysis of Decision 298; Fasken analysis)
Notice the asymmetry. The hospital had safeguards, so no penalty. The physician and clinic didn’t, so they paid. The IPC didn’t look at intent alone. It looked at preparation. If you’re thinking about your own practice, that’s the distinction that matters: what you had in place before something went wrong.
What are PHIPA administrative monetary penalties?
PHIPA Part V.1 (ss. 61.1 through 61.14) gives the IPC the power to impose AMPs for violations of the Act. These provisions came into force on January 1, 2024.
The maximums:
| Respondent type | Maximum AMP |
|---|---|
| Individual | $50,000 |
| Organization (health information custodian) | $500,000 |
If a contravention results in economic benefit, the IPC can go above these caps, proportional to the benefit gained. In Decision 298, the physician’s penalties were well below the maximum, but the amounts reflected the specific facts of the case, not a general ceiling.
So how are AMPs different from prosecution under PHIPA s.72? Prosecution has existed since 2004. It’s a criminal law process: you need charges, a trial, proof beyond a reasonable doubt. In over twenty years, s.72 prosecutions were rare, partly because the bar was so high. AMPs skip all of that. The IPC can impose them directly after an investigation, with a lower burden of proof. Faster. More practical. And Decision 298 proves the IPC is willing to use them.
Here’s the timeline worth paying attention to. PHIPA became law in 2004. AMP provisions were added in 2020 but didn’t come into force until January 1, 2024. Eighteen months later, the IPC issued its first one. That’s not slow by regulatory standards. The IPC isn’t holding this tool in reserve.
What the IPC considers when setting penalty amounts
Under PHIPA s.61.4, the Commissioner weighs several factors:
- How far the conduct deviated from PHIPA requirements, and whether the person could have prevented it
- The extent of harm (or potential harm) to affected individuals
- Whether the person tried to mitigate harm or took remedial action
- How many people were affected
- Whether the person notified the IPC and affected individuals
- Whether the person expected to gain economically from the contravention
- Any prior PHIPA contraventions
The IPC has stated it will reserve AMPs for more serious cases. Unintentional or isolated mistakes, a custodian with a good track record who gets hit by a cyberattack: those aren’t typical AMP targets. (IPC news release on AMPs)
A measured approach. But “more serious” now has a concrete floor: unauthorized access to records and failure to maintain basic safeguards. That’s what Decision 298 penalized.
Why this matters for therapists
You’re a health information custodian (HIC) under PHIPA, or an agent of one. Every email containing personal health information is a compliance surface. You probably send several a week.
Decision 298 involved a physician and a hospital’s EHR system. Different context from a solo therapist emailing session summaries from Gmail. But PHIPA s.12(1) doesn’t care about practice size. A 500-bed hospital and a sole practitioner working from a home office have the same obligation: take reasonable steps to protect PHI.
The two things Decision 298 penalized: unauthorized access to PHI, and inadequate organizational safeguards. For therapists, the second one hits closer to home. You’re probably not searching hospital records for patient demographics. But your email setup? That’s your safeguard infrastructure for electronic communication. And the IPC has now shown that “we didn’t have a policy for that” is not a defense.
What puts practices at the highest risk?
Unencrypted email. Standard Gmail encrypts messages in transit using TLS, but only when the receiving server also supports TLS. It’s not end-to-end encryption, and it’s not something you control. When a client replies from a personal Hotmail or Yahoo account, you have no guarantee that message traveled encrypted. If you’re sending emails containing PHI without encryption, you’re falling short of the “reasonable steps” requirement under PHIPA s.12(1). Decision 298 makes the enforcement consequences of that gap concrete.
Missing consent documentation. PHIPA s.18 requires knowledgeable consent for the collection, use, and disclosure of personal health information. “Knowledgeable” is the key word here. The person understands what they’re agreeing to, not just that they signed something. Think about your own intake process. If clients sign a generic form during their first session without a specific conversation about email communication, that may not meet the standard.
No audit trail. If the IPC investigates, they’ll ask what safeguards you had in place and when you implemented them. A log of email activity involving PHI is your evidence. Without one, you’re relying on memory. The clinic in Decision 298 couldn’t demonstrate adequate safeguards. That’s a large part of why it paid $7,500.
No privacy impact assessment. A PIA documents your information flows and identifies risks before they become problems. Not required by statute in every case. But completing one shows the IPC that you’re thinking about compliance proactively, not just reacting after a complaint. That matters when the Commissioner is deciding whether you met the “reasonable steps” threshold.
There are other PHIPA obligations you may not think about daily that could become AMP territory. Record access requests are one. If a client asks to see their file under PHIPA, your response process is governed by the Act. Timelines, format, redaction rules: all of it. Serious enough failures in handling those requests could draw enforcement attention.
Decision 298 puts enforcement behind what we covered in our PHIPA email requirements for therapists guide. The difference: enforcement now has financial consequences.
What Decision 298 does not mean
This isn’t a reason to panic.
The IPC has stated it will not typically issue AMPs for unintentional or isolated mistakes. Accidentally sending one email to the wrong address is not the same as systematically searching hospital records for commercial gain. There’s a real difference there. The IPC distinguishes between genuine errors with good faith remediation and deliberate or negligent conduct.
Decision 298 also doesn’t change what PHIPA requires of you. The safeguard obligations under s.12(1) have been the same since 2004. What changed is the consequence of not meeting them. If you were already compliant before this ruling, nothing about your day-to-day operations needs to change. If you weren’t, the urgency to fix that just increased.
What to do now
Six steps to bring your practice in line with what Decision 298 makes clear.
1. Review your email encryption status
Start with the basics: is your Gmail PHIPA compliant? If you’re using standard Gmail or Google Workspace without an encryption layer, your outbound email containing PHI is not encrypted end-to-end. PHIPA s.12(1) requires you to take “reasonable steps” to protect personal health information. For email, encryption is the standard safeguard.
Check whether your current setup encrypts messages in transit (TLS) and whether you have a fallback for recipients whose servers don’t support TLS. If a client replies from a personal Gmail or Yahoo account, does that message travel encrypted? If you don’t know the answer, that’s the gap to close first.
2. Verify your consent documentation
Your consent process needs to satisfy PHIPA s.18. That means your clients understand what information you’re collecting, why, who might access it, and how they can withdraw consent. Review your forms against the PHIPA consent requirements for email guide and our consent form template.
3. Implement an audit trail
Create a log that records when you send email containing PHI, to whom, and what safeguards were in place. A manual audit log works if you don’t have an automated system. A spreadsheet with date, recipient, subject line (no PHI in the log itself), and encryption status is a reasonable starting point.
The point is documentation. If the IPC ever investigates your practice, you can show what you did and when. The clinic in Decision 298 couldn’t demonstrate that it had adequate safeguards governing its physician’s conduct. Don’t put yourself in the same position.
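One way to keep the Step 3 log in code rather than a spreadsheet, as an added example (not from the original post or from any product it mentions): an append-only log with exactly the fields named above, hash-chained so that any later edit to an entry is detectable when the log is produced as evidence. The function and field names, and the sample entries, are assumptions of this example.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64                    # anchor for the first entry's prev_hash
ENCRYPTION_STATES = ("e2e", "tls", "none")  # how the message was protected in transit

@dataclass
class AuditEntry:
    sent_at: str      # ISO 8601 UTC timestamp of the send
    recipient: str    # address only; keep client names out of the log
    subject: str      # subject line; the caller must keep PHI out of it
    encryption: str   # one of ENCRYPTION_STATES
    prev_hash: str    # entry_hash of the previous entry (the chain link)
    entry_hash: str = ""

def _digest(entry: AuditEntry) -> str:
    """SHA-256 over every field except entry_hash, in canonical JSON form."""
    fields = asdict(entry)
    fields.pop("entry_hash")
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def append_entry(log, recipient, subject, encryption, sent_at=None):
    """Record one send, linking it to the previous entry's hash."""
    if encryption not in ENCRYPTION_STATES:
        raise ValueError(f"encryption must be one of {ENCRYPTION_STATES}")
    sent_at = sent_at or datetime.now(timezone.utc).isoformat(timespec="seconds")
    prev = log[-1].entry_hash if log else GENESIS_HASH
    entry = AuditEntry(sent_at, recipient, subject, encryption, prev)
    entry.entry_hash = _digest(entry)
    log.append(entry)
    return entry

def verify_log(log):
    """(True, -1) if every entry and link is intact, else (False, first bad index)."""
    prev = GENESIS_HASH
    for i, entry in enumerate(log):
        if entry.prev_hash != prev or _digest(entry) != entry.entry_hash:
            return False, i
        prev = entry.entry_hash
    return True, -1

def sample_log():
    # Constructed sample sends, not real traffic: one over TLS, one unencrypted.
    log = []
    append_entry(log, "client@example.com", "Appointment confirmation", "tls", "2025-09-01T14:00:00+00:00")
    append_entry(log, "client@example.com", "Re: intake forms", "none", "2025-09-02T09:30:00+00:00")
    return log
```

Filtering the log for entries with encryption set to "none" gives you the list of sends that fall short of Step 1, which is the gap to close first.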
4. Complete a privacy impact assessment
A privacy impact assessment walks you through your email workflows and identifies gaps. Where is PHI collected? How is it stored? Who can access it? Where does it travel during transmission? This is the kind of proactive compliance work the IPC looks for when evaluating whether a custodian took reasonable steps.
5. Review CRPO Standard 3.4
PHIPA is the law. But your college has its own layer. CRPO electronic practice standards add requirements for informed consent specific to electronic communication, documentation of electronic interactions, and policies around technology use. CRPO Standard 3.4 and PHIPA overlap, but the college standard reaches into areas PHIPA leaves to professional judgment.
6. Consider cross-provincial implications
If you see clients in other provinces, you’re subject to those provinces’ health privacy laws too. Alberta’s Health Information Act (HIA) and BC’s Personal Information Protection Act (PIPA) have their own enforcement mechanisms. The email privacy laws across Canada guide covers the differences.
The full breakdown is in our provincial privacy law comparison.
This is especially relevant if you provide virtual therapy to clients in Alberta or BC. You may be subject to multiple provincial privacy regimes simultaneously. Each has its own safeguard requirements, and each has its own enforcement body watching.
Pan-Canadian note
PHIPA AMPs are Ontario-specific. The $50,000/$500,000 maximums, the IPC’s authority under Part V.1, Decision 298 itself: all Ontario jurisdiction.
The enforcement trend? Not Ontario-specific.
Alberta’s HIA gives the Office of the Information and Privacy Commissioner of Alberta (OIPC Alberta) authority to issue orders and recommend prosecutions. BC’s PIPA gives the Office of the Information and Privacy Commissioner for BC (OIPC BC) similar powers. Both have been increasing enforcement activity over the past several years, independent of what Ontario is doing.
The mechanisms differ by province:
| Province | Privacy law | Enforcement body | AMP authority | Other enforcement tools |
|---|---|---|---|---|
| Ontario | PHIPA | IPC | Yes, since Jan 2024 ($50K/$500K) | Orders, reviews, public reports |
| Alberta | HIA | OIPC Alberta | No AMPs under HIA | Orders, prosecution recommendations |
| BC | PIPA | OIPC BC | Prosecution-based penalties under PIPA | Orders, reviews, investigation reports |
Ontario has the most explicit AMP framework for health privacy. But all three provinces can pursue enforcement action against custodians who fail to protect personal health information. Different tools, same direction.
Ontario moved first with AMPs. But the pressure on health information custodians to demonstrate active compliance is growing across the country, and it’s not waiting for Ontario to set every precedent. For a broader look at how the three provinces compare on privacy enforcement, see our email privacy laws across Canada guide.
Frequently asked questions
Can the IPC fine therapists under PHIPA?
Yes. PHIPA Part V.1 (ss. 61.1 through 61.14) covers any person who contravenes the Act, and that includes therapists who are health information custodians or agents of custodians. Decision 298 is proof the IPC will use these powers. They’ve said AMPs are reserved for more serious cases, not isolated mistakes. But the bar for “more serious” is lower than you might expect: failing to maintain adequate safeguards qualifies.
How much are PHIPA fines?
Up to $50,000 for individuals and $500,000 for organizations. In Decision 298, the actual penalties were much lower ($5,000 and $7,500), but those amounts reflected the specific circumstances under s.61.4: nature of the violation, harm caused, remediation efforts. Worth noting: where economic benefit was gained, the penalty can exceed the statutory maximums.
Does PHIPA require email encryption?
Not by name. PHIPA s.12(1) requires “reasonable steps” to protect personal health information against theft, loss, and unauthorized use or disclosure. The Act doesn’t specify technologies. But the IPC’s guidance and Decision 298 both point to encryption as a baseline expectation for email containing PHI. Sending unencrypted email with client names, session details, or treatment information? You’re falling short of that standard. See our “Is Gmail PHIPA compliant?” guide for what Gmail does and doesn’t encrypt.
What if I practice in Alberta or BC?
You’re subject to those provinces’ privacy laws too, not just PHIPA. Alberta’s OIPC can issue orders and recommend prosecutions under the HIA. BC’s OIPC can issue orders and impose penalties under PIPA. The trend across all three provinces is the same: regulators are moving from guidance toward active enforcement. Practice across provincial lines, and you need to comply with each province’s requirements separately. There’s no single compliance checklist that covers all three.
Next steps
Curio handles email encryption and maintains a Canadian audit trail. Two of the safeguards Decision 298 makes non-negotiable. Join the waitlist.
Coming soon
PHIPA compliant Gmail encryption, built for Canadian therapists.