What PHIPA Decision 334 Means for Health Information Custodians and Their Agents

The Information and Privacy Commissioner of Ontario (IPC) issued its second Administrative Monetary Penalty (AMP) under the Personal Health Information Protection Act (PHIPA) since this enforcement authority came into effect on January 1, 2024. PHIPA Decision 334 is a landmark case: not only because of what happened, but because of who was penalized, and who wasn't.

A Tale of Two Outcomes

At the centre of Decision 334 is a patient services clerk (an Agent of a hospital) who repeatedly accessed patient records without authorization. No legitimate reason. No treatment purpose. Just snooping.

The IPC issued the AMP directly against the Agent (the individual clerk), not the hospital. Why? Because the hospital did exactly what a well-governed organization should do: it identified the issue, investigated promptly, implemented corrective measures, and cooperated fully with the IPC throughout the process. As a result, while the IPC issued recommendations to the hospital, no financial penalty was levied against the institution itself.

This outcome sends a clear and practical message: how an organization responds to a privacy incident is often just as important as the incident itself. Preparedness, accountability, and timely action meaningfully influence enforcement outcomes.

Agents Are Directly Accountable, and the Stakes Are High

One of the most significant takeaways from Decision 334 is that PHIPA enforcement is not limited to institutions or health information custodians (HICs). Agents (including employees, volunteers, students, and contracted staff who handle personal health information on behalf of a HIC) can be held directly and personally accountable under PHIPA.

Under the legislation, AMPs can reach:

  • Up to $50,000 for individuals

  • Up to $500,000 for organizations

Beyond the financial impact, these decisions are typically made public. For an individual found to have engaged in repeated, unauthorized snooping, the reputational consequences can be career-defining: making future employment in health care difficult or impossible to secure.

This broadens the privacy risk landscape significantly. Organizations can no longer treat privacy compliance as purely a systems or policy issue. The human element (individual agents who access PHI daily) must be actively managed, monitored, and supported with the knowledge and culture to make the right choices.

What the IPC Flagged: Key Gaps for HICs

Bamboo Data Consulting recently attended the From Insights to Impacts PHIPA Workshop hosted by the IPC, where the regulator's commentary pointed to specific gaps it has observed in practice. These gaps are relevant to every HIC, not only the hospital in Decision 334.

1. Training Records Matter as Much as Training Itself

The hospital in this case had difficulty producing evidence of completed annual privacy training. This is a critical point. Delivering privacy training is not enough. Organizations must be able to demonstrate it: who completed it, which version, and when. If you cannot prove that staff were trained, a regulator has little reason to accept that they were.

Practically speaking, training records should capture:

  • The specific version or scenario set used

  • The date each staff member completed the training

  • Confirmation that training addressed real breach scenarios and the consequences of non-compliance

2. Access to PHI Should Follow, Not Precede, Training

The IPC reinforced that staff should not be granted access to personal health information before they have completed privacy training and signed a confidentiality agreement. In practice, onboarding timelines can create pressure to move quickly, but providing systems access before foundational training creates real and unnecessary risk.

3. Confidentiality Agreements Must Be Substantive

Weak or generic confidentiality agreements were flagged as a significant gap. These agreements must clearly articulate expectations, specific obligations under PHIPA for HICs and Agents, and the consequences of non-compliance. Boilerplate language is not sufficient.

Snooping Is a Serious Harm, Even Without Material Damage

The IPC made clear that snooping represents a significant departure from PHIPA compliance, even when there is no copying, no retention, no disclosure to third parties, and no economic benefit. The unauthorized access itself is the violation.

The IPC also emphasized that emotional distress and loss of confidence in the health system can be recognized harms under PHIPA, even where tangible or financial damage is limited. Patients who discover they have been snooped on worry about speaking candidly with their care providers, and that erosion of trust undermines the very purpose of health care. As IPC Commissioner Patricia Kosseim noted, PHIPA is not a barrier to care; it is an enabler of trust.

With snooping accounting for more than 34% of privacy issues examined by the IPC in 2024, and the IPC characterizing it as a rising concern, organizations cannot treat it as an isolated, low-risk event.

Culture and Governance Are Not Optional

Decision 334 reinforces something that compliance frameworks sometimes overlook: policies alone do not create a privacy-protective organization. Culture does.

The IPC's guidance is direct: HICs are expected to establish and enforce a zero-tolerance culture for snooping. This means:

  • Leadership messaging that treats privacy as a core organizational value, not a regulatory burden

  • Consistent education before violations occur, and consistent enforcement if and when they do

  • Active access monitoring and audit log review, not just as a reactive measure, but as a standing operational practice

  • Clear communication to Agents that violations carry real consequences, including termination and personal regulatory penalties
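The third point above, standing audit log review, is where most of the practical work lies. The following is an added illustration, not code from the IPC decision, the hospital, or Bamboo Data Consulting: a small review script that applies two checks to a constructed EHR access log. It flags accesses to patients for whom the user has no documented care relationship (the pattern in Decision 334), and accesses by users with no completed privacy training on record (the gap discussed under "Access to PHI Should Follow, Not Precede, Training"). The log format, the field names, the "care relationship" roster and the training-completion table are all assumptions; real systems will expose this data differently, but the logic is the same.

```python
"""Illustrative audit-log review for PHIPA snooping indicators.

Added example. The log format, the care-relationship roster and the
training-completion table below are constructed assumptions, not data
from any real organization or from the IPC decision.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample audit log (not real data). One access event per line.
AUDIT_LOG = """\
2024-03-04T09:12:00 user=clerk01 patient=P1001 action=view_chart
2024-03-04T09:15:00 user=clerk01 patient=P1002 action=view_chart
2024-03-04T11:40:00 user=clerk01 patient=P2201 action=view_chart
2024-03-05T08:03:00 user=clerk01 patient=P2201 action=view_chart
2024-03-06T17:55:00 user=clerk01 patient=P2202 action=view_chart
2024-03-04T10:00:00 user=nurse07 patient=P1001 action=view_chart
2024-03-04T10:05:00 user=nurse07 patient=P1003 action=view_results
2024-03-04T13:30:00 user=temp42 patient=P1001 action=view_chart
"""

# Constructed: patients each user has a documented reason to access
# (unit assignment, clinic roster, scheduled encounter). Assumed to be
# exportable from the scheduling or HR system.
CARE_RELATIONSHIPS = {
    "clerk01": {"P1001", "P1002", "P1003"},
    "nurse07": {"P1001", "P1003"},
    "temp42": set(),
}

# Constructed: date each user completed privacy training (None = no record).
TRAINING_COMPLETED = {
    "clerk01": date(2023, 11, 1),
    "nurse07": date(2024, 1, 15),
    "temp42": None,
}


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    user: str
    patient: str
    action: str


def parse_log(text):
    """Parse the assumed 'timestamp key=value ...' log format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(AccessEvent(datetime.fromisoformat(ts),
                                  kv["user"], kv["patient"], kv["action"]))
    return events


def review(events, relationships, training, repeat_threshold=2):
    """Apply the two checks and return a findings dict.

    untrained:        users who accessed PHI with no training record, or
                      before their recorded completion date
    out_of_scope:     per user, the accesses with no documented care relationship
    repeat_offenders: users with at least repeat_threshold out-of-scope accesses,
                      the repeated pattern that warrants a formal investigation
    """
    untrained = set()
    out_of_scope = defaultdict(list)
    for e in events:
        completed = training.get(e.user)
        if completed is None or e.when.date() < completed:
            untrained.add(e.user)
        if e.patient not in relationships.get(e.user, set()):
            out_of_scope[e.user].append(e)
    counts = Counter({u: len(v) for u, v in out_of_scope.items()})
    repeat = {u for u, n in counts.items() if n >= repeat_threshold}
    return {"untrained": untrained,
            "out_of_scope": dict(out_of_scope),
            "repeat_offenders": repeat}


if __name__ == "__main__":
    findings = review(parse_log(AUDIT_LOG), CARE_RELATIONSHIPS, TRAINING_COMPLETED)
    for user, hits in sorted(findings["out_of_scope"].items()):
        tag = " (REPEATED)" if user in findings["repeat_offenders"] else ""
        print(f"{user}: {len(hits)} access(es) without care relationship{tag}")
        for e in hits:
            print(f"    {e.when.isoformat()} {e.patient} {e.action}")
    for user in sorted(findings["untrained"]):
        print(f"{user}: accessed PHI with no completed training on record")
```

On the constructed data, the script surfaces exactly the two situations the decision and the workshop describe: clerk01 viewed two charts outside any documented relationship on three separate occasions and is flagged as a repeat case, and temp42 touched a chart with no training on record. In practice a roster lookup like this is not sufficient on its own (legitimate break-the-glass access exists), so the output should feed a privacy officer's triage queue rather than trigger automatic action; the point is that the review runs on a schedule, not only after a complaint.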

Organizations where privacy is treated as a shared accountability, from the front desk to the C-suite, are better positioned to prevent incidents and to respond effectively when they do occur.

The Practical Takeaway for Your Organization

PHIPA Decision 334 is not cause for alarm. It is cause for review.

For organizations that have invested in building strong privacy programs, this decision validates that approach. The hospital at the centre of this case faced serious examination and, despite the gaps the IPC noted in its training records, walked away without a financial penalty because of how it responded: it identified the issue, investigated promptly, implemented corrective measures, and cooperated with the regulator.

Ask yourself whether your organization can demonstrate the same:

  • Can you produce dated, version-specific training records for every staff member with PHI access?

  • Are your employee confidentiality agreements substantive, not generic?

  • Is PHI access gated on completed training, not granted before it?

  • Do you have audit controls in place to detect unauthorized access?

  • When a breach occurs, do you have an incident response process that enables prompt investigation and regulatory cooperation?

If the answer to any of these is uncertain, now is the right time to address it, before the IPC comes knocking.

For more information, see the official IPC decision: PHIPA Decision 334

Have questions about your organization's PHIPA compliance program? Reach out to the Bamboo Data Consulting team.
