PHIPA Violations & Penalties: What Happens When a Custodian Breaches PHIPA
When a health information custodian breaches PHIPA, the consequences can include an investigation by the Information and Privacy Commissioner of Ontario (IPC) and binding orders, mandatory notification of affected individuals and, in prescribed circumstances, of the Commissioner, professional-college discipline, civil liability, and prosecution for offences under the Act, where fines currently reach $200,000 for an individual and $1,000,000 for an organization. Snooping in records, losing unencrypted devices, and disclosing PHI without authority are the most common violations.
What counts as a PHIPA violation?
Typical PHIPA violations include: unauthorized access ("snooping") into records by staff; disclosing PHI without consent or legal authority; failing to apply reasonable safeguards (e.g., an unencrypted lost laptop); collecting more information than necessary; and obstructing a patient's right of access. Even accidental breaches — a misdirected fax or email — can trigger obligations.
What happens when a custodian violates PHIPA?
When a breach occurs, the custodian must contain it, notify affected individuals at the first reasonable opportunity (the notice must tell them they are entitled to complain to the IPC), and report to the IPC where the prescribed circumstances apply, for example theft, unauthorized use or disclosure by an agent, a pattern of similar breaches, or a breach serious enough to warrant notifying the Commissioner. Custodians must also report breach statistics to the IPC annually. The IPC may investigate, issue binding orders requiring changes, and publish its findings. Where an agent who is a member of a regulated health college is disciplined for a breach, the custodian must report that to the college, and the professional may face discipline there as well.
Penalties and fines
PHIPA includes offence provisions. On conviction, fines can reach $200,000 for an individual and $1,000,000 for an organization; the 2020 amendments doubled the previous maximums of $100,000 and $500,000 and added the possibility of up to one year of imprisonment for an individual. Separately, since the enabling regulation came into force on 1 January 2024, the IPC can impose administrative monetary penalties directly, without a prosecution, of up to $50,000 for an individual and $500,000 for an organization. Beyond fines and penalties, custodians can face civil claims, including class actions, and significant reputational harm.
What is an offence under PHIPA?
An offence under PHIPA is conduct the Act specifically prohibits: wilfully collecting, using, or disclosing PHI in contravention of the Act (which is how snooping is prosecuted), disposing of records with intent to evade an access request, making a false statement to or obstructing the Commissioner, and similar acts. Offences are prosecuted in court, and it is a conviction that brings the monetary penalties and, for individuals, possible imprisonment into play.
How to reduce your breach risk
Most breaches are preventable. Use full-disk encryption on every laptop and mobile device and encrypt PHI at rest and in transit; enforce role-based access so staff see only the records their role requires, with MFA on every system holding PHI; keep tamper-evident audit logs of every record access and review them proactively, against who is actually on each patient's care team, rather than only after a complaint; train staff, including on the personal liability for snooping; and have a breach-response plan that has been tested, not just written. These are the controls Northline implements so a lapse doesn't become an offence.
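The audit-log review described above, as an added example (not Northline's tooling and not code from the original page): it parses a constructed access log in an assumed pipe-delimited format, compares each access against an assumed care-team table recording who has a documented treating relationship with each patient, and flags accesses with no relationship (the snooping signature), break-glass accesses that carry a justification and need after-the-fact review, and users who touched an unusual number of off-team records. The log format, the field names and the care-team table are assumptions for the example.

```python
"""Access-audit review for record snooping (example code, not Northline's tooling).

Assumptions (not from the page): a pipe-delimited access log with the fields
timestamp|user|role|patient_id|action|justification, and a care-team table
recording which staff have a documented treating relationship with each patient.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str
    patient_id: str
    action: str
    justification: str  # break-glass reason entered by the user, "" if none


# Constructed sample data: staff on each patient's care team (hypothetical).
CARE_TEAM = {
    "P1001": {"dr.chen", "rn.patel"},
    "P1002": {"dr.chen"},
    "P1003": {"rn.patel", "dr.osei"},
}

# Constructed sample access log in the assumed format (see module docstring).
SAMPLE_LOG = """\
2024-03-04T09:12:00|dr.chen|physician|P1001|view|
2024-03-04T09:15:00|rn.patel|nurse|P1003|view|
2024-03-04T09:20:00|clerk.ng|clerk|P1002|view|
2024-03-04T09:21:00|clerk.ng|clerk|P1003|view|
2024-03-04T09:22:00|clerk.ng|clerk|P1001|view|
2024-03-04T12:40:00|dr.osei|physician|P1002|view|ER consult, patient unresponsive
"""


def parse_log(text: str) -> list[AccessEvent]:
    """Parse the pipe-delimited log. Malformed lines raise rather than being
    skipped silently: a gap in an audit trail is itself a finding."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(parts)}")
        ts, user, role, patient_id, action, justification = parts
        events.append(AccessEvent(datetime.fromisoformat(ts), user, role,
                                  patient_id, action, justification.strip()))
    return events


def review_access(events, care_team, volume_threshold=3):
    """Return (findings, escalate).

    findings: list of (event, flag) in log order, where flag is
      'no_care_relationship' - no documented relationship and no justification,
                               the classic snooping signature
      'break_glass'          - off-team access with a justification; legitimate
                               in an emergency but must be reviewed afterwards
      'unknown_patient'      - patient id absent from the care-team table
    escalate: users who touched at least volume_threshold distinct off-team
      patients, a second, independent signal worth raising with the privacy officer.
    """
    findings = []
    off_team = defaultdict(set)
    for ev in events:
        team = care_team.get(ev.patient_id)
        if team is None:
            findings.append((ev, "unknown_patient"))
            continue
        if ev.user in team:
            continue  # documented treating relationship: expected access
        off_team[ev.user].add(ev.patient_id)
        findings.append((ev, "break_glass" if ev.justification else "no_care_relationship"))
    escalate = sorted(u for u, pats in off_team.items() if len(pats) >= volume_threshold)
    return findings, escalate


if __name__ == "__main__":
    found, users = review_access(parse_log(SAMPLE_LOG), CARE_TEAM)
    for ev, flag in found:
        print(f"{ev.ts.isoformat()} {ev.user:<10} {ev.patient_id} {flag}")
    print("escalate:", ", ".join(users) or "none")
```

The care-team check is the core of the review: an access is only "expected" when the log entry can be tied to a documented relationship, so the audit runs against the source of truth for who is treating whom rather than against role alone. Break-glass accesses are deliberately not treated as violations, since emergency access is legitimate under PHIPA, but they are surfaced so someone confirms the justification.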
Frequently Asked Questions
What happens when a health custodian violates PHIPA?
They must typically contain the breach, notify affected individuals, and report to the IPC where thresholds are met. The IPC can investigate and issue binding orders, and professionals may face college discipline.
What happens if PHIPA is violated — are there fines?
Yes. PHIPA's offence provisions carry fines on conviction of up to $200,000 for an individual (who can also face up to one year of imprisonment) and $1,000,000 for an organization, and since 2024 the IPC can also impose administrative monetary penalties without a prosecution. Civil liability is possible on top of this.
What is an offence under PHIPA?
Conduct the Act prohibits, such as wilful unauthorized collection, use, or disclosure of PHI, snooping, or obstructing the Commissioner.
When can information not be released under PHIPA?
Where the individual has withheld consent (a lock-box), where no consent or legal authority exists, or where a statutory exception requires withholding.
One breach can cost six figures
Northline hardens your environment with encryption, access auditing, and breach-response planning so a mistake never becomes a PHIPA offence.
This guide is general information from Northline Technologies, an IT solutions provider, and is not legal advice. For binding interpretation of PHIPA, consult a qualified Ontario privacy lawyer or the Information and Privacy Commissioner of Ontario.
