
New Guidance From Ontario’s Information and Privacy Commissioner on Privacy Management for Small Healthcare Organizations

June 26, 2025

Ontario’s Information and Privacy Commissioner (IPC) has released a new Privacy Management Handbook (Handbook) aimed at assisting small healthcare organizations to meet their privacy obligations under Ontario’s health information privacy law. The Handbook outlines core privacy principles, such as governance and accountability, privacy policies, privacy procedures and controls, as well as ongoing monitoring and review.

The Handbook is intended to be used by individual health practitioners or other small healthcare organizations to assist them in identifying gaps or weaknesses in their current privacy and information practices, help them better protect their patients’ personal health information, and comply with Ontario’s health information legislation.

PHIPA Overview

In Ontario, the Personal Health Information Protection Act, 2004 (PHIPA) governs the collection, use and disclosure of personal health information within the healthcare sector. Personal health information means identifying information about an individual if the information relates to certain specified health-related subjects, such as the provision of healthcare to the individual, payments or eligibility for healthcare or coverage, organ or bodily substance donation, the individual’s health number, the individual’s substitute decision-maker, and information relating to the physical or mental health of the individual, including their family history.

PHIPA applies to health information custodians (HICs), who are persons or organizations with custody or control of personal information as a result of or in connection with providing healthcare. HICs include individual healthcare practitioners, for example, physicians, nurses or pharmacists, as well as operators of healthcare facilities, programs or services, for example, hospitals, physician clinics, community health services, pharmacies or laboratories. HICs are accountable for ensuring compliance with PHIPA.

The Privacy Management Handbook

PHIPA establishes several compliance obligations for HICs, and the Handbook breaks these compliance obligations down into a plain language and more readily understandable form to assist healthcare professionals, who are not — and are not expected to be — privacy experts. The Handbook provides detailed and practical tips regarding the following topics:

  • Application of PHIPA and why privacy matters
  • What a privacy management program is and how to implement one
  • Explanation of governance and accountability, including the role of the Privacy Officer
  • The importance of having an accurate data inventory
  • How to identify and mitigate privacy risks
  • How to work with service providers and what safeguards must be in place when working with service providers
  • Tips for implementing employee privacy training and employee confidentiality agreements
  • Developing and documenting privacy policies and procedures, including general privacy policies, record retention and destruction policies, breach response policies, and responding to patient inquiries or access to information requests
  • Safeguarding personal health information, specifically as it relates to technical, physical and administrative safeguards, as well as the use of email, secure messaging, encryption tools and video conference applications
  • The use of artificial intelligence (AI) tools, specifically, AI scribes and the steps an organization must take prior to using an AI scribe
  • The importance of monitoring, auditing and logging
  • How to operationalize a privacy management program

The Handbook also contains helpful appendices, including a sample privacy policy template that HICs may use to help build out their own privacy policy, a summary of the information that should be included in a privacy breach notification, as well as a list of hyperlinked resources from the IPC that organizations may find useful.

Consequences of Non-Compliance

The Handbook reiterates that the IPC’s approach to compliance is to take a proportionate response to privacy violations. However, depending on the frequency and severity of incidents of PHIPA non-compliance, HICs are reminded that the IPC may levy administrative monetary penalties of up to C$50,000 for individuals and C$500,000 for corporations and that the Ministry of Health may prosecute offences under PHIPA.

For more information on the Handbook or any compliance obligations under PHIPA, please contact the authors or any member of our Privacy & Data Protection group.
