The Importance of Privacy Awareness Training and Policies in Healthcare Organizations
Mandatory privacy awareness training is one of the clearest requirements the IPC has placed on healthcare organizations operating under PHIPA. Two decisions illustrate what this looks like in practice: PHIPA Decision 260, which found a hospital in violation after failing to train its physicians, and the more recent PHIPA Decision 334, which penalized an individual agent directly while sparing the institution because it had done the foundational work properly.
Both decisions point to the same conclusion. Healthcare organizations that cannot demonstrate trained staff, tracked completion, and substantive confidentiality agreements are exposed. Those that can are in a materially different position when the IPC comes knocking.
PHIPA Decision 260: What Happened When a Hospital Failed to Train Its Physicians
A public hospital experienced a significant privacy breach involving unauthorized access to the personal health information of patients by one of its physicians. The IPC investigated the breach under the Personal Health Information Protection Act (PHIPA).
The IPC found that at the time of the breach, the hospital violated sections 10 (Information practices) and 12 (Security) of PHIPA. PHIPA requires health information custodians to have and comply with information practices that meet the Act's requirements. It also requires custodians to take reasonable steps to protect personal health information against unauthorized use or disclosure.
What The Investigation Found
Lack of Privacy Training for Physicians
Despite having a policy requiring all agents, including physicians, to complete privacy training upon hire and annually, the hospital did not provide mandatory privacy training to its physicians at the time of the breach. The physician involved had not received this training.
Lack of Annual Confidentiality Agreements for Physicians
The hospital's policy also required all agents to sign confidentiality agreements annually. However, at the time of the breach, there was no formal process for physicians to sign or for the hospital to track the signing of these agreements. The physician involved had only signed one upon hire.
Failure to Ensure Compliance by All Agents
Even for non-physician staff, the hospital discovered that a significant percentage (nearly 50%) had not completed the required privacy training or signed confidentiality agreements in the year of the breach. The hospital had not performed the necessary reviews and follow-ups to confirm that agents were complying with its policies.
Lack of Guidance on Specific Use Cases
The physician involved in the breach believed accessing patient records remotely for "educational purposes" was authorized, demonstrating a gap in clear policy or training regarding specific uses of personal health information, such as for self-study or education.
What The IPC Concluded
The IPC emphasized that simply having policies is not enough. Health information custodians must implement their policies in practice and take steps to ensure they have safeguards in place. It is inadequate to have different expectations for privacy training and confidentiality agreements for physicians compared to non-physician staff. The hospital's failure to ensure its physicians were trained on its policies and privacy obligations contributed directly to the unauthorized access.
While the hospital was initially found in violation, the IPC decided that a formal review was not warranted under Part VI of the Act. This was because of the comprehensive steps the hospital took after the breach to address the identified concerns.
What The Hospital Had To Implement
Mandatory Training and Annual Confidentiality Agreements for All Agents
The hospital implemented a system to ensure physicians complete mandatory privacy training and sign confidentiality agreements annually, aligning expectations across all staff.
Tracking and Enforcement
The hospital set up tracking systems to monitor completion rates for both training and confidentiality agreements for all physicians and non-physician agents. Non-compliant agents are now subject to disciplinary processes, including potential loss of hospital privileges for physicians.
Updated Policies and Training with Clear Guidance
The hospital reviewed and updated its privacy policies and training materials to be more specific, including providing clear direction that using personal health information for self-study without authorization is not allowed and constitutes a breach.
Ongoing Education Initiatives
The hospital committed to ongoing privacy education through various methods including eLearning, in-person sessions, huddles, and newsletters, and dedicated a specific month each year to reinforcing privacy expectations.
If your organization is reviewing its privacy training program in light of decisions like this, our Privacy Awareness Training for Healthcare Organizations covers what the IPC expects, including training requirements for physicians, tracking obligations, and confidentiality agreements.
PHIPA Decision 334: What Happens When a Healthcare Organization Gets Privacy Awareness Training and Policies Right
PHIPA Decision 334 is the IPC's second Administrative Monetary Penalty issued under PHIPA and it tells a different story. A patient services clerk, an agent of a hospital, repeatedly accessed patient records without authorization. No treatment purpose. No legitimate reason.
The IPC issued the penalty directly against the individual agent, not the hospital. The reason is straightforward. The hospital identified the issue, investigated promptly, implemented corrective measures, and cooperated fully with the IPC throughout the process. Because it had done the foundational work properly, the institution walked away without a financial penalty.
What protected the hospital
The hospital in Decision 334 was able to demonstrate exactly what Decision 260 established as the standard: mandatory training for all staff, tracked completion, substantive confidentiality agreements, and a clear incident response process. That documentation made the difference between an institution that absorbed the consequences and one that did not.
The IPC also clarified in Decision 334 that training records must go beyond a simple completion log. Organizations should be able to produce the specific version of training completed, the date each staff member completed it, and confirmation that training addressed real breach scenarios and the consequences of non-compliance.
What agents need to understand
Decision 334 makes clear that PHIPA enforcement is not limited to institutions. Individual agents, including employees, volunteers, students, and contracted staff who handle personal health information, can be held directly and personally accountable. Administrative Monetary Penalties for individuals can reach up to $50,000. Beyond the financial impact, these decisions are published. For an individual found to have engaged in repeated unauthorized access, the reputational consequences can affect future employment in healthcare permanently.
For a full breakdown of Decision 334, read our detailed analysis: What PHIPA Decision 334 means for health information custodians
What This Means for Your Organization
Taken together, these two decisions confirm that the IPC evaluates healthcare organizations on three specific dimensions: whether privacy awareness training is mandatory for all staff including physicians, whether completion is tracked and documented, and whether the organization has a process for following up with non-compliant individuals.
Having policies on paper is not enough. Delivering training without tracking it is not enough. Applying different expectations to physicians than to other staff is not enough.
If your organization cannot demonstrate all three, you are in the same position the hospital in Decision 260 was in before the breach occurred. If you can, you are in the position the hospital in Decision 334 was in when the IPC came calling.
Our privacy awareness training for healthcare organizations is instructor-led, tailored to your environment, and structured to produce the completion records a regulator will ask for.