
Privacy & Security Tips

May, 2026

Privacy compliance: more than just managing breaches

The Information and Privacy Commissioner of Ontario (IPC) recently held a PHIPA workshop, which provided valuable updates on the evolving privacy compliance landscape for health information custodians.

The session highlighted recent legislative and regulatory developments under PHIPA, practical tools for strengthening privacy programs, and important lessons from recent court and tribunal decisions—including the growing use of administrative monetary penalties as an enforcement tool. Recently, the IPC issued its second administrative monetary penalty against a Health Information Custodian. In PHIPA Decision 334, the IPC reinforced that custodians must have information practices in place to protect personal health information in their custody or control, and must ensure they also comply with these practices. The decision reflects the IPC's broader focus on accountability, documentation, and demonstrating reasonable safeguards in practice.

For clinicians, the key takeaway is clear: privacy compliance is no longer just about responding to breaches, but about being able to show that appropriate safeguards, policies, and oversight are in place and applied in daily practice. Ongoing privacy training and regular review of clinic practices remain essential in reducing clinicians' risk and meeting professional obligations. To help meet these accountability obligations, physicians can take OMD's complimentary online Privacy & Security Training.

Read additional guidance from the College of Physicians and Surgeons of Ontario on the use of AI scribes in clinical practice.