Who Says Size Matters? What PHIPA Decision 298 Teaches Businesses About Operationalizing Privacy

Introduction: A Healthcare Case with Cross-Sector Lessons

In August 2025, Ontario’s Information and Privacy Commissioner (IPC) issued a landmark ruling under the Personal Health Information Protection Act (PHIPA): its first-ever administrative monetary penalty (AMP). The case, PHIPA Decision 298, involved a privacy breach at Windsor Regional Hospital (WRH) and a small pediatric clinic, WE Kidz.

Although the facts arose in a healthcare setting, the implications extend far beyond. Whether you're a tech startup, a dental office, or a retail company collecting customer data, the message is clear: privacy must be operationalized. And yes, size doesn’t matter. Small entities are held to the same legal standards as large institutions.

This decision is a powerful reminder that privacy compliance is not just about having policies on paper. It is about embedding privacy into your operations, training, governance, and culture, and about being able to prove it.

The Breach and the Hospital’s Response

The breach involved a physician who accessed a shared electronic health record (EHR) system used by multiple hospitals in order to identify newborn patients. He then contacted their families to offer a private medical service through his clinic. The IPC found that the physician had used search filters to extract personal health information (PHI), including names, dates of birth, and contact details, without opening individual charts.

This misuse of PHI for commercial purposes triggered complaints from affected families and led to an investigation. The IPC examined not only the actions of the physician but also the privacy practices of the institutions involved, particularly WRH and WE Kidz.

WRH, which hosted the shared EHR system, was not fined. Why? Because it had taken reasonable steps to protect personal health information, even though its practices weren’t perfect.

WRH had a comprehensive privacy management program. It required annual privacy training for staff and physicians, maintained confidentiality agreements, and had documented policies and procedures that were reviewed regularly. When the breach occurred, WRH responded swiftly, launching an internal investigation, suspending the physician’s access, notifying affected individuals, and cooperating fully with the IPC.

Importantly, WRH was able to demonstrate accountability. It had records to show its privacy practices were implemented and monitored. The IPC emphasized that custodians must be able to provide evidence of compliance, not just claim it.

The IPC did identify areas for improvement. WRH was advised to:

  • Date its privacy policies and procedures.

  • Require individuals to print their name beside their signature on confidentiality agreements.

  • Track each agent’s annual training, including course completion.

  • Demonstrate that staff renew confidentiality commitments annually.

  • Update staff bylaws to reference privacy and confidentiality obligations explicitly.

Despite these recommendations, the IPC concluded that WRH’s overall approach met the standard of reasonableness under PHIPA. The hospital’s governance, training, and response were judged sufficient to avoid a penalty.

What’s more, WRH took proactive steps following the breach. It began exploring ways to enhance its ability to detect and identify anomalous user activity in real time. It also considered whether it could limit the functionality of the EHR search feature to prevent overly broad queries, an important safeguard in shared systems.
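The two safeguards WRH considered, rejecting overly broad searches before they run and spotting a user who pulls many search results but opens few charts, are straightforward to implement on top of an EHR's audit trail. The following is an added illustration written for this article; it is not code from the decision, from WRH, or from any real EHR product. The query fields, thresholds, user names and audit records are all constructed assumptions.

```python
"""Added example: two controls for a shared EHR patient-lookup service.

1. A server-side guard that rejects searches not anchored to an
   individual patient (the "limit the search feature" idea).
2. A log-driven detector that flags users who retrieve many search
   results but open few charts, the access pattern this decision describes.

Field names, thresholds, user IDs and log records are constructed for
illustration only and do not come from the decision or any real system.
"""
from collections import defaultdict
from datetime import date

# Hypothetical policy thresholds (assumptions; tune to your environment).
MAX_DOB_RANGE_DAYS = 7        # widest date-of-birth window allowed without a name/ID
MAX_RESULTS_PER_SEARCH = 25   # a larger result set is treated as a bulk pull
MIN_RESULTS_TO_FLAG = 50      # per-user total before the open-ratio rule applies
MIN_OPEN_RATIO = 0.2          # charts opened / results returned; below this is suspicious


def is_overly_broad(query: dict) -> bool:
    """Return True if a search is a sweep rather than a lookup.

    A query that names a patient (health number or surname) is a lookup.
    A query with only a date-of-birth window, or no bound at all, is a sweep
    unless the window is narrow.
    """
    if query.get("health_number") or query.get("surname"):
        return False
    start, end = query.get("dob_from"), query.get("dob_to")
    if start is None or end is None:
        return True  # no identifying field and no bounded window
    span = (date.fromisoformat(end) - date.fromisoformat(start)).days
    return span > MAX_DOB_RANGE_DAYS


def flag_bulk_extraction(events: list[dict]) -> dict[str, dict]:
    """Aggregate audit events per user and flag extraction-like behaviour.

    events: dicts with keys ts, user, action ('SEARCH' or 'OPEN_CHART'),
            and, for SEARCH, a 'results' count.
    Returns {user: {"results": n, "opens": m, "reasons": [...]}} for
    flagged users only.
    """
    stats = defaultdict(lambda: {"results": 0, "opens": 0, "broad_searches": 0})
    for ev in events:
        s = stats[ev["user"]]
        if ev["action"] == "SEARCH":
            s["results"] += ev["results"]
            if ev["results"] > MAX_RESULTS_PER_SEARCH:
                s["broad_searches"] += 1
        elif ev["action"] == "OPEN_CHART":
            s["opens"] += 1

    flagged = {}
    for user, s in stats.items():
        reasons = []
        if s["broad_searches"]:
            reasons.append(f"{s['broad_searches']} search(es) returned more than "
                           f"{MAX_RESULTS_PER_SEARCH} records")
        # results >= MIN_RESULTS_TO_FLAG guarantees a non-zero divisor here
        if s["results"] >= MIN_RESULTS_TO_FLAG and s["opens"] / s["results"] < MIN_OPEN_RATIO:
            reasons.append(f"opened {s['opens']} of {s['results']} returned records")
        if reasons:
            flagged[user] = {"results": s["results"], "opens": s["opens"], "reasons": reasons}
    return flagged


# Constructed sample audit trail: one user doing normal lookups and one
# user sweeping newborn records without opening the charts.
SAMPLE_EVENTS = [
    {"ts": "2025-03-03T08:01", "user": "rn.lee", "action": "SEARCH", "results": 1},
    {"ts": "2025-03-03T08:02", "user": "rn.lee", "action": "OPEN_CHART"},
    {"ts": "2025-03-03T09:10", "user": "rn.lee", "action": "SEARCH", "results": 2},
    {"ts": "2025-03-03T09:11", "user": "rn.lee", "action": "OPEN_CHART"},
    {"ts": "2025-03-03T20:15", "user": "user.b", "action": "SEARCH", "results": 60},
    {"ts": "2025-03-03T20:17", "user": "user.b", "action": "SEARCH", "results": 55},
    {"ts": "2025-03-03T20:20", "user": "user.b", "action": "OPEN_CHART"},
]

if __name__ == "__main__":
    sweep = {"dob_from": "2025-02-01", "dob_to": "2025-02-28", "facility": "FAC01"}
    lookup = {"surname": "Example", "dob_from": "2025-02-10", "dob_to": "2025-02-10"}
    print("sweep rejected:", is_overly_broad(sweep))       # True
    print("lookup allowed:", not is_overly_broad(lookup))  # True
    for user, info in flag_bulk_extraction(SAMPLE_EVENTS).items():
        print(user, info)                                  # only user.b is printed
```

The first control is preventive and cheap: it runs before the query touches the database, so a month-wide date-of-birth sweep never returns data. The second is detective and relies on the audit trail recording both searches (with result counts) and chart opens; without the result count in the log, the open-to-result ratio cannot be computed, which is a useful check to make of your own logging before relying on it.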

This case demonstrates that even when a breach occurs, organizations can avoid penalties if they have effectively operationalized privacy. It is not about being perfect; it is about being prepared, responsive, and accountable.

The Compliance Divide: WRH vs. WE Kidz

The IPC’s investigation revealed a stark contrast between the two organizations, a compliance dichotomy that shaped the outcome.

WRH had a privacy management program in place. It provided annual training, required confidentiality agreements, maintained documented policies, and responded swiftly to the breach. WE Kidz, by contrast, had no privacy policies, no training, and no breach response protocol.

This difference in operational practices was pivotal. WRH was found to have taken reasonable steps to protect PHI, while WE Kidz’s failures were systemic.

Understanding Section 12(1): Reasonableness Over Perfection

This brings us to a key legal standard under PHIPA: section 12(1). It requires custodians to take steps that are reasonable in the circumstances to protect personal health information. The IPC emphasized that this does not require perfection. Instead, it requires a thoughtful, risk-based approach to privacy safeguards, one that is proportionate and evidence-based.

For businesses, this means that compliance is achievable. You don’t need to be flawless, but you do need to be intentional, consistent, and able to show your work.

WE Kidz: Systemic Failure and Commercial Misuse

WE Kidz had no privacy program at all. The clinic lacked documented policies, staff training, and breach response protocols. It also benefited financially from the misuse of PHI, charging families for services that were solicited using hospital records.

The IPC found that WE Kidz had custody and control of PHI in the context of its clinic operations, and therefore had the same obligations under PHIPA as any other health information custodian. The clinic’s small size did not exempt it from compliance.

“Size does not exempt a custodian from responsibility. Once an entity has custody or control of PHI, it must meet the obligations set out in PHIPA.” (PHIPA Decision 298)

This is one of the most important takeaways from the decision: small businesses are not immune. Whether you’re a solo practitioner, a startup, or a small clinic, if you handle personal health information, you’re held to the same legal standards.

The Penalties: AMP as a Compliance Signal

The IPC imposed:

  • $5,000 AMP on the physician.

  • $7,500 AMP on WE Kidz.

No AMP was issued to WRH. The difference? Operationalization of privacy.

The IPC made it clear that the presence of a breach alone does not automatically warrant a penalty. What matters is whether the organization took reasonable steps to prevent it, and whether those steps were documented and demonstrable.

This decision sets a precedent: regulators are looking not just at outcomes, but at processes. If your organization can show that it has a functioning privacy program, you’re in a stronger position to defend against enforcement.

Lessons for Businesses: Operationalizing Privacy in Practice

Whether you’re in healthcare or not, the implications of Decision 298 are clear. Here’s how businesses can apply these lessons:

1. Operationalize Privacy from Day One

Privacy compliance must be embedded into your organization’s operations. That means:

  • Documented privacy policies.

  • Regular staff training.

  • Access controls and audit trails.

  • Breach response protocols.

These measures must be active, not theoretical. If your privacy program exists only on paper, it won’t protect you.

2. Document Everything

If it’s not documented, it didn’t happen. The IPC emphasized the importance of demonstrable accountability. Businesses should maintain records of:

  • Training completion.

  • Policy reviews.

  • Audit logs.

  • Incident response actions.

This documentation is your best defence in the event of a breach or investigation.

3. Understand the Reasonableness Standard

PHIPA doesn’t expect perfection. It expects organizations to take reasonable steps based on their context, risk level, and resources. This gives businesses flexibility, but also requires thoughtful implementation.

4. Avoid Commercial Misuse of Personal Data

Using personal information for a purpose it was not collected for, especially for economic gain and without consent, is a serious breach. It can trigger penalties and reputational damage. Businesses should ensure that any use of personal data aligns with the purpose it was collected for and with legal and ethical standards.

5. Know Your Custodian Status

If your business has custody or control of personal information, you’re responsible under privacy law. That includes small clinics, solo practitioners, and startups. The IPC made it clear: size does not exempt you from responsibility.

6. Shared Systems Require Shared Accountability

If your organization participates in a shared data platform, ensure that access controls, monitoring, and breach protocols are clearly defined. You’re responsible for what your agents do with that access.

Conclusion: Privacy Is a Practice, Not a Policy

PHIPA Decision 298 is a wake-up call not just for healthcare, but for any business handling sensitive personal information. The IPC made it clear: privacy must be operationalized. That means embedding privacy into your governance, training, and daily practices.

So yes, size doesn’t matter, but your privacy program does.

How Bamboo Data Consulting Can Help

At Bamboo Data Consulting, we specialize in helping organizations operationalize privacy, from startups to hospitals to small clinics. Whether you need to build a privacy program from scratch, update your policies, train your staff, or prepare for a privacy audit, we’re here to guide you.

We offer:

  • Privacy program design and implementation

  • PHIPA and multi-jurisdictional compliance assessments

  • Staff training and awareness workshops

  • Breach response planning and tabletop exercises

  • Documentation support for policies, procedures, and accountability

Let us help you turn privacy from a risk into a strategic advantage. Contact Bamboo Data Consulting to learn how we can support your compliance journey.