How Often Should Privacy Awareness Training Be Provided

What Is the Best Practice for Privacy Awareness Training?

Privacy awareness training should not be a one-time event. Best practice is to provide privacy awareness training annually and reinforce key concepts throughout the year.

This expectation is frequently reinforced by privacy regulators, including the Office of the Information and Privacy Commissioner (OIPC), in privacy breach investigation reports. Organizations are expected to demonstrate that privacy awareness is an ongoing program rather than a single training activity.

As a best practice, I recommend that all employees complete comprehensive privacy awareness training at least annually, supplemented by ongoing refresher activities throughout the year. Annual training helps reinforce foundational concepts, demonstrate accountability, and ensure your organization can show consistent compliance if it is ever reviewed.

Most Privacy Breaches are Caused by People, Not Technology

Privacy training is often treated as:

  • A checkbox
  • A one-time event
  • Something to “get done”

However, most privacy breaches are caused by people, not technology. Common examples include:

  • Curiosity snooping
  • Misdirected communication
  • Lack of awareness
  • Inconsistent practices
  • Failure to follow established procedures

Technology plays an important role in protecting information, but employees make decisions every day about how information is collected, used, disclosed, and safeguarded. Effective privacy awareness training helps employees make the right decisions when faced with real-world situations.

Privacy awareness training is one of the most effective ways to prevent avoidable privacy breaches.

Privacy Awareness Training Is Your First Line of Defense

To make privacy awareness training practical and effective, think of it as a program with three layers:

1. Foundational Training (At Orientation and Annually)

Provide comprehensive privacy and security awareness training to all employees, vendors, and business associates at onboarding. The Corridor Interactive Healthcare Essentials course is an easy-to-implement solution that supports consistent training across the organization.

Privacy awareness training should then be repeated annually for all staff. Alternate the annual content with the Corridor Refresher Privacy Awareness Training (PAT) and with supplemental training and resources to keep content engaging, relevant, and current.

2. Supplemental Training and Resources

Annual training provides the foundation, but employees benefit from additional learning opportunities throughout the year. Information Managers’ Practical Privacy Officer Strategies training includes a module on designing and implementing a privacy awareness training plan that you can reuse year after year. This online course is ideal for privacy officers and clinic managers.

Practice Management Success membership includes monthly Q&A sessions and practical training topics you can use for refresher training throughout the year. Workshop-on-demand topics include privacy breach management, release of information best practices, AI Governance, and more!

3. Ongoing Reinforcement (Throughout the Year)

The most effective privacy programs keep privacy visible throughout the year.

Reinforce key concepts through:

  • Short privacy reminders
  • Team discussions
  • Privacy breach case studies
  • Staff meetings
  • Policy and procedure reviews
  • Privacy Awareness Week activities

Use real-world privacy scenarios and your organization’s policies and procedures as discussion tools to keep expectations clear and top of mind.

These small but consistent reminders help employees apply privacy principles in their day-to-day work and reduce the risk of privacy incidents.

What Regulators Expect: Demonstrable Accountability

Privacy awareness training is not simply a best practice—it is often a factor considered by privacy regulators when investigating privacy breaches.

For example, in an Ontario PHIPA Administrative Monetary Penalty decision, a healthcare worker repeatedly accessed patient records without authorization. The Information and Privacy Commissioner emphasized the organization’s responsibility to implement safeguards, monitor compliance, and ensure employees understand their privacy obligations. While policies existed, the case highlights the importance of ongoing privacy awareness, monitoring, and reinforcement to prevent curiosity snooping and other inappropriate access.

Similarly, privacy commissioners across Canada frequently examine whether organizations can demonstrate that employees received privacy training and understood their responsibilities. During investigations, regulators often ask for evidence such as training records, attendance logs, signed confidentiality agreements, policy acknowledgements, privacy reminders, and documentation of corrective actions.

This is where many organizations struggle. They may have policies and procedures, but they cannot demonstrate that employees reviewed them, understood them, or applied them in practice.

When a privacy breach occurs, documentation matters. Organizations that can show a planned privacy awareness program, annual training, ongoing reminders, and documented participation are in a much stronger position to demonstrate due diligence and accountability.

The lesson is simple: privacy awareness training should not be viewed as a one-time event. It should be an ongoing program that helps employees recognize risks, make good decisions, and protect patient information every day.

Privacy regulators and group practice reviews increasingly focus on an organization’s ability to demonstrate accountability.

You must be able to demonstrate:

  • Training is planned and intentional
  • Staff participated in training
  • Staff understood key concepts
  • Training is relevant to employee roles
  • Privacy awareness activities occur throughout the year

This concept is often referred to as demonstrable accountability.

Demonstrable accountability means having evidence that your privacy program is working—not simply having written policies and procedures sitting on a shelf.

See also: Why “Demonstrable Accountability” Matters.

Need Help to Create Your Privacy Awareness Program?

In the Practical Privacy Officer Strategies training, you quickly create a privacy awareness plan that can be reused and updated each year.

A successful privacy awareness program combines annual comprehensive training with ongoing reinforcement throughout the year. This approach helps reduce privacy risks, supports employee confidence, and demonstrates the due diligence and accountability expected by regulators, patients, and healthcare organizations alike.

PHIPA Administrative Monetary Penalty

436 Patient Records. One Clerk. A $2,000 Fine. What Your Organization Needs to Know.

PHIPA Decision 334 from the Information and Privacy Commissioner of Ontario is a wake-up call for every health organization.

A hospital clerk spent six months snooping through the personal health information of 436 patients. She lost her job and was personally fined $2,000.

The message is clear: having privacy policies on paper is not enough. Organizations must ensure that staff understand and follow those policies—and be able to prove it. When they cannot, patients lose trust and organizations face increased regulatory scrutiny.

Privacy Breach Nuggets takes real cases and turns them into practical lessons for privacy officers, organizations, and healthcare or public sector institutions. Let’s break down what happened, what the decision found, and how these lessons apply to privacy and records management programs.

What Happened

A patient services clerk at the Children’s Hospital of Eastern Ontario (CHEO) inappropriately accessed the personal health information (PHI) of 436 patients between March and September 2024. The breach came to light when a nurse contacted CHEO’s Privacy Office with questions about her stepchild’s care. The Privacy Office became concerned about how the nurse appeared to know information she should not have known. An audit revealed that a clerk working in the same unit had accessed the child’s record without authorization.

A broader investigation showed that the clerk had accessed:

  • Her own health record
  • Family members’ records
  • Hundreds of other patient records

The information viewed included demographic details, appointment histories, clinical notes, test results, and referral information.

Managing the Breach

We can analyze the hospital’s response using the 4-Step Response Plan.

Step 1 – Spot and Stop

The first step is to recognize that a privacy breach has occurred and immediately stop further unauthorized access.

A privacy breach occurs when personal health information is lost, accessed, used, disclosed, or destroyed without authorization.

In this case, CHEO’s Privacy Office received a tip on September 10, 2024, when a nurse raised concerns about her stepchild’s health information.

Step 2 – Investigate

CHEO acted quickly:

  • Conducted an initial audit
  • Placed the clerk on administrative leave
  • Revoked access to the electronic health record system
  • Expanded the audit to six months of activity
  • Conducted formal interviews and justification exercises

The investigation confirmed that the clerk had accessed 436 patient records without authorization.

There was no evidence that she copied, disclosed, or financially benefited from the information.

Remember: Simply viewing a patient record without a legitimate need to know is a privacy breach.

CHEO also confirmed that the clerk had completed initial privacy training and had signed a confidentiality agreement upon hire and a renewal in January 2023.
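As an added example (not CHEO’s tooling or code from this article), the following Python sketches the kind of access-audit review behind Step 2: parse an audit extract, restrict it to the audit window, separate accesses to the staff member’s own record, to family members’ records, and to records with no care relationship, and list who needs a documented justification exercise. All user ids, patient ids, log lines, and the unit/encounter reference data are constructed assumptions.

```python
"""Access-audit review for unexplained record access (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime


@dataclass(frozen=True)
class AccessEvent:
    user: str
    patient: str
    when: datetime


# Constructed reference data (assumptions, not a real hospital's systems).
SELF_RECORD = {"clerk01": "P-1001"}            # staff member's own patient id
FAMILY_RECORDS = {"clerk01": {"P-1002"}}       # declared family members' ids
STAFF_UNIT = {"clerk01": "unit-A", "nurse07": "unit-A"}
# patient -> scheduled encounters as (unit, date). An access counts as
# explained by a care relationship when the user's unit had an encounter
# with that patient within WINDOW_DAYS of the access.
ENCOUNTERS = {
    "P-2001": [("unit-A", date(2024, 6, 3))],
    "P-2002": [("unit-A", date(2024, 6, 4))],
    "P-3001": [("unit-B", date(2024, 7, 1))],   # another unit's patient
}
WINDOW_DAYS = 14

# Constructed audit-log extract: timestamp,user,patient_id,action
SAMPLE_LOG = """\
2024-03-12T09:14:00,clerk01,P-1001,view
2024-04-02T13:40:00,clerk01,P-1002,view
2024-06-03T08:05:00,clerk01,P-2001,view
2024-06-04T08:07:00,nurse07,P-2002,view
2024-07-18T12:30:00,clerk01,P-3001,view
2024-08-21T17:55:00,clerk01,P-3002,view
2024-09-09T18:10:00,clerk01,P-3002,view
2024-09-09T18:12:00,clerk01,P-3003,view
2023-11-01T10:00:00,clerk01,P-3004,view
"""


def parse_log(text):
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, patient, _action = line.split(",")
        events.append(AccessEvent(user, patient, datetime.fromisoformat(ts)))
    return events


def classify(ev):
    """self / family / care / unexplained for one access event."""
    if SELF_RECORD.get(ev.user) == ev.patient:
        return "self"
    if ev.patient in FAMILY_RECORDS.get(ev.user, set()):
        return "family"
    unit = STAFF_UNIT.get(ev.user)
    for enc_unit, enc_date in ENCOUNTERS.get(ev.patient, []):
        if enc_unit == unit and abs((ev.when.date() - enc_date).days) <= WINDOW_DAYS:
            return "care"
    return "unexplained"


def review(text, start, end):
    """Distinct patients per user and category within the audit window."""
    seen = defaultdict(lambda: defaultdict(set))
    for ev in parse_log(text):
        if not (start <= ev.when.date() <= end):
            continue                      # outside the window being audited
        seen[ev.user][classify(ev)].add(ev.patient)
    return {u: {c: len(p) for c, p in cats.items()} for u, cats in seen.items()}


def needs_justification(summary, unexplained_threshold=1):
    """Users whose pattern warrants a documented justification exercise."""
    flagged = {}
    for user, counts in summary.items():
        reasons = []
        if counts.get("self"):
            reasons.append("accessed own record")
        if counts.get("family"):
            reasons.append("accessed family member's record")
        if counts.get("unexplained", 0) >= unexplained_threshold:
            reasons.append(f"{counts['unexplained']} records with no care relationship")
        if reasons:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    summary = review(SAMPLE_LOG, date(2024, 3, 1), date(2024, 9, 30))
    for user, reasons in needs_justification(summary).items():
        print(user, summary[user], "->", "; ".join(reasons))
```

A real review would also record, for each flagged access, the staff member’s stated justification and the reviewer’s finding, since that record is what the regulator later asks for.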

Step 3 – Notify

When a privacy breach occurs, the right people must be informed promptly.

Internally, notify your Privacy Officer and Custodian immediately.

CHEO reported the breach to the Ontario IPC on October 15, 2024.

CHEO initially notified 189 affected patients by mail. After a more extensive audit identified additional affected individuals, the hospital sent a further 107 notification letters in April 2025. Where current addresses were unavailable, notification letters were added to patient files for delivery at the next visit.

Step 4 – Prevent the Breach from Happening Again

After containing the incident, organizations must take steps to reduce the likelihood of recurrence.

CHEO:

  • Implemented its progressive discipline process.
  • Terminated the clerk’s employment on October 24, 2024.
  • Conducted proactive audits twice monthly for six months.
  • Implemented a comprehensive staff re-training initiative.
  • Reinforced the importance of appropriate access and confidentiality.

Commissioner’s Investigation

The Ontario IPC reviewed the incident and imposed Ontario’s second Administrative Monetary Penalty (AMP) under PHIPA.

An AMP is a financial penalty that the IPC can impose without commencing a court prosecution. The purpose is to encourage compliance and ensure that individuals or organizations do not benefit from privacy violations.

Under the PHIPA AMP regulations:

  • Individuals may be fined up to $50,000
  • Organizations may be fined up to $500,000

In this case, the clerk was ordered to pay $2,000 personally.

CHEO was not fined, but the Commissioner issued two formal recommendations to improve the organization’s ability to monitor, track, and document:

  • Annual privacy training completion
  • Annual confidentiality agreement renewals

Demonstrable Accountability

One of the most important lessons from this decision is the concept of demonstrable accountability.

It is not enough to say that staff are trained and confidentiality agreements are renewed annually.

You must be able to prove it.

In this case, CHEO had strong privacy policies and procedures, but it could not produce documented evidence that the employee had completed her 2024 privacy training or re-signed confidentiality agreements in 2023 and 2024.

The Commissioner summarized this principle clearly:

Organizations must “say what they will do, and then do what they say.”
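The following Python is an added example (not from this article or CHEO) of the record-keeping check behind the Commissioner’s two recommendations: for each staff member, can the organization produce dated evidence of privacy training and a signed confidentiality agreement for every year since hire, and is the latest evidence less than a year old? The roster, dates, and the 365-day and calendar-year rules are constructed assumptions.

```python
"""Evidence check for annual training and agreement renewals (constructed example)."""
from dataclasses import dataclass, field
from datetime import date

MAX_AGE_DAYS = 365  # assumption: "annual" means evidence no older than one year


@dataclass
class StaffRecord:
    name: str
    hired: date
    training: list = field(default_factory=list)    # dated training completions
    agreements: list = field(default_factory=list)  # dated signed agreements


# Constructed roster: clerk_a has nothing on file after January 2023.
SAMPLE_ROSTER = [
    StaffRecord("clerk_a", date(2021, 5, 10),
                training=[date(2021, 5, 10), date(2022, 5, 2), date(2023, 1, 12)],
                agreements=[date(2021, 5, 10), date(2023, 1, 12)]),
    StaffRecord("nurse_b", date(2021, 3, 1),
                training=[date(2021, 3, 1), date(2022, 2, 15), date(2023, 2, 10), date(2024, 2, 5)],
                agreements=[date(2021, 3, 1), date(2022, 2, 15), date(2023, 2, 10), date(2024, 2, 5)]),
]


def latest_on_or_before(dates, as_of):
    past = [d for d in dates if d <= as_of]
    return max(past) if past else None


def missing_years(dates, hired, as_of):
    """Calendar years from hire through as_of with no dated record at all."""
    covered = {d.year for d in dates if hired <= d <= as_of}
    return [y for y in range(hired.year, as_of.year + 1) if y not in covered]


def check_requirement(dates, hired, as_of):
    """Latest evidence, how far past the annual deadline it is, and uncovered years."""
    last = latest_on_or_before(dates, as_of)
    age = (as_of - last).days if last else None
    return {
        "last": last,
        "overdue_days": max(0, age - MAX_AGE_DAYS) if age is not None else None,
        "missing_years": missing_years(dates, hired, as_of),
    }


def evidence_report(roster, as_of):
    return {
        s.name: {
            "privacy training": check_requirement(s.training, s.hired, as_of),
            "confidentiality agreement": check_requirement(s.agreements, s.hired, as_of),
        }
        for s in roster
    }


def cannot_demonstrate(report):
    """Names for whom any requirement lacks current, year-by-year evidence."""
    out = []
    for name, reqs in report.items():
        if any(r["last"] is None or r["overdue_days"] or r["missing_years"]
               for r in reqs.values()):
            out.append(name)
    return out


if __name__ == "__main__":
    rep = evidence_report(SAMPLE_ROSTER, date(2024, 10, 1))
    for name in cannot_demonstrate(rep):
        for req, r in rep[name].items():
            print(name, req, "last:", r["last"], "overdue:", r["overdue_days"],
                  "years without evidence:", r["missing_years"])
```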

Take-Aways

✅ A privacy breach can start with one suspicious question; train staff to pay attention and speak up.

✅ Having privacy policies is not enough; you must be able to prove your staff are following them.

✅ Track and document annual privacy training and confidentiality agreement renewals for every single staff member.

✅ Curiosity snooping is a serious breach, even when there is no intention to disclose the information.

✅ Simply viewing a patient record without a legitimate need to know is a privacy breach.

Call to action

Want to strengthen your privacy breach response and accountability program?

Join Kayla Das and Jean L. Eaton for our How to Manage a Privacy Breach in Your Canadian Practice Workshop, where we provide practical tools, templates, and training to help your organization respond confidently to privacy incidents and demonstrate compliance.

Reference

Information and Privacy Commissioner of Ontario. PHIPA Decision 334. April 23, 2026. https://decisions.ipc.on.ca/ipc-cipvp/phipa/en/522336/1/document.do

Why “Demonstrable Accountability” Matters

Does Your Privacy Program Have ‘Demonstrable Accountability’?

The first Ontario decision to include an Administrative Monetary Penalty (AMP) under the Personal Health Information Protection Act (PHIPA) shows how serious the consequences can be when personal health information (PHI) is used for an unauthorized secondary purpose.

Privacy Breach Nuggets takes real cases and turns them into practical lessons for privacy officers, clinics, and healthcare practices. Let’s dive into what went wrong, what worked, and how you can apply these insights to strengthen your privacy program.

What Happened

This case involves Windsor Regional Hospital (WRH), Chatham-Kent Hospital Alliance (CKHA), Erie Shores Healthcare, WE Kidz Pediatrics, and Dr. Omar Afandi.

Between April 20 and May 7, 2024, Dr. Afandi accessed the shared electronic health record (EHR) system of CKHA’s Women’s and Children’s Program. He used it to identify newborns so he could contact their parents to offer circumcision services at his private practice, WE Kidz Pediatrics.

Several parents reported receiving these unsolicited calls and complained to the hospitals. Dr. Afandi later stated he did not realize these accesses were unauthorized under PHIPA.

Managing the Breach

We can analyze the hospitals’ and clinic’s response using the 4-Step Response Plan.

Step 1 – Spot and Stop

The breach was reported by patients who received unsolicited contact from the physician.

The Chief of Staff wrote to Dr. Afandi on May 15, 2024, advising that his actions constituted an unauthorized collection and use of PHI and inviting him to withdraw his reappointment application with the hospital.

Step 2 – Investigate

The hospital conducted an internal investigation and notified the Information and Privacy Commissioner (IPC).

Records showed that Dr. Afandi had completed Privacy, Security, and Confidentiality training in October 2020 and had signed a confidentiality agreement with WRH. He also confirmed he reviewed WRH’s privacy module again when he reapplied in April 2024.

Step 3 – Notify

The hospitals reported the breach to the IPC on May 31, 2024, and to the College of Physicians and Surgeons of Ontario on June 1, 2024.

Notification letters were sent to potentially affected families the week of July 2, 2024, describing the incident, the PHI involved, and corrective actions. A hotline was provided for questions.

Step 4 – Prevent the Breach from Happening Again

AMP powers to address a privacy breach signal a new era of active enforcement in Ontario’s health privacy landscape.

Administrative Monetary Penalties (AMPs) came into effect under PHIPA on January 1, 2024. This update to the legislation gives the Information and Privacy Commissioner (IPC) authority to issue AMPs of up to $50,000 for individuals and $500,000 for organizations in cases of PHIPA non-compliance.

In this case, the Commissioner exercised those new powers and fined:

  • Dr. Afandi (individual): $5,000
  • WE Kidz Pediatrics (clinic as custodian): $7,500

Both were penalized for unauthorized access and use of PHI for personal gain.

The IPC found that WE Kidz opened without a compliant privacy program — a key factor in the penalty decision. 

WE Kidz was also required to complete privacy training and develop formal privacy policies and procedures. The Commissioner also recommended that WRH improve its record-keeping and monitoring to better demonstrate compliance in future audits.

Commissioner’s Investigation

The IPC emphasized the importance of “demonstrable accountability.”

“Demonstrable accountability” refers to a repeatable and evidence-based system of data governance whereby organizations can show regulators and individuals how they meet their legal and professional responsibilities in practice.

In the data regulatory context, the concept has evolved beyond basic checklist compliance. It now requires organizations to prove that their accountability mechanisms are active and effective — that safeguards are working as intended to reasonably protect personal health information.

In other words, demonstrable accountability means being able to measure, document, and demonstrate that privacy protections are in place, maintained, and effective — not just written in a policy.

Being able to demonstrate compliance is a regulatory expectation under PHIPA — and it’s the key to avoiding costly penalties.

[Infographic: Demonstrable Accountability, Information Managers Ltd.]

Under Section 10 of PHIPA, custodians must have information practices describing how they collect, use, disclose, retain, and safeguard PHI — and they must comply with those practices in day-to-day operations.

Take-Aways

✅ “Demonstrable accountability” means having evidence that your privacy program is working — not just written policies on a shelf.

✅ Maintain dated policies, training checklists, and signed confidentiality agreements for every team member.

✅ Replace “professional deference” with consistent expectations — all healthcare providers must complete privacy training and demonstrate understanding.

✅ Document and review your privacy program annually to ensure that safeguards and practices are effective in real life.

✅ Unauthorized secondary use of PHI — even for legitimate healthcare services — is a serious breach and can result in financial penalties.

Need Help Training Your Privacy Team?

Join the Practice Management Success Membership to access privacy awareness training, templates, and resources to strengthen your privacy management program.

Reference

Information and Privacy Commissioner of Ontario. PHIPA Decision 298. August 28, 2025. https://www.ipc.on.ca/en/decisions/latest-decisions/phipa-decision-298



Privacy Breach Nugget: Why Documentation Matters in Privacy Breach Investigations

Investigation Tips Following the NWT Health Authority Incident

When employees make mistakes that result in a privacy breach, the custodian is held responsible to ensure that appropriate investigations are performed. This includes appropriate documentation of the privacy breach incident and sanctions when indicated.

The NWT Information and Privacy Commissioner (IPC) opened an investigation into the Northwest Territories Health and Social Services Authority (NTHSSA) after a reported privacy breach in 2024. This review aimed to assess whether the health authority had adequate safeguards in place to investigate and prevent similar future incidents.

Privacy Breach Nuggets takes real cases and turns them into practical lessons for privacy officers, clinics, and healthcare practices. Let’s dive into what went wrong, what worked, and how you can apply these insights to strengthen your privacy program.

What Happened

In April 2024, a patient filed a complaint with the nurse-in-charge at a health centre in the Northwest Territories. The complaint alleged that a clerk had inappropriately shared the patient’s personal health information with a family member during a casual conversation.

The nurse-in-charge apologized to the patient and escalated the issue to the regional manager. The clerk denied disclosing the health information, but the health authority concluded the incident had indeed occurred.

The Commissioner emphasized that there was no ill intent, stating:

“The interaction between the clerk and the sister was spontaneous and indicates a simple lapse in judgment.”

Managing the Breach

The NTHSSA’s management of the privacy breach can be examined using the 4-Step Response Plan.

Step 1 – Spot and Stop

The privacy breach was identified by the patient and reported to the nurse in charge and escalated to the regional manager.

Step 2 – Investigate

An investigation was initiated. While the clerk denied the allegation, the health authority determined a breach had occurred.

However, the Commissioner noted a serious concern: the investigation was poorly documented. If notes were taken, they could not be located or produced during the review.

Step 3 – Notify

The patient and NTHSSA (the custodian) were aware of the breach. No further notification was required.

Step 4 – Prevent the Breach from Happening Again

The health authority directed the clerk to:

  • Complete updated privacy training
  • Review the oath of office
  • Review patient confidentiality policies

No further disciplinary action was taken.

Commissioner’s Investigation

The IPC made several key recommendations:

  • Equip investigators: Ensure staff who investigate privacy breaches are properly trained and supported to conduct effective, timely, and well-documented investigations.
  • Enforce sanctions: Ensure managers understand the range of disciplinary options available and are aware of their obligation to apply reasonable disciplinary measures when warranted.
  • Annual privacy training: Reinforce the Mandatory Training Policy by ensuring all employees complete refresher privacy training every year.
  • Use real examples: Incorporate this privacy breach as a case study in future privacy training to help employees understand their obligations—at work and outside of work.

Take-Aways

Annual privacy training is not enough.

Training must include real-world, job-relevant examples and emphasize how privacy rules apply in everyday situations.

When employees make mistakes, it’s the custodian’s responsibility to lead an appropriate and well-documented investigation—not just revisit outdated training.

A strong privacy culture includes tools, training, and clarity. Equip your investigators, privacy officers, and managers with the skills they need to respond appropriately.

For more on how to manage privacy-related employee errors, listen to the podcast:

Managing Employees When They Make Mistakes – Episode #105

Need Help Training Your Privacy Team?

Ask me about Practical Privacy Officer Strategies training to strengthen your internal investigation process and build a more resilient workplace.

Reference

Northwest Territories Health and Social Services Authority (Re), 2025 NTIPC 97 (CanLII). NWT IPC File Number 24-950-6, April 4, 2025. https://canlii.ca/t/kc0s6, retrieved 2025-06-09.


AI Scribes in Canada

A lot has changed recently with AI scribe initiatives in Canada. Here’s a quick update and resources to help your clinic make informed decisions.

What is AI?

Artificial intelligence (AI) is an advanced form of information processing that helps automate or enhance tasks. In healthcare, AI doesn’t replace providers—it supports them. Clinicians still guide its use, review outputs, and make informed decisions.

AI can reduce administrative burden and help address physician burnout. Importantly, it should not be used to increase patient volumes. Instead, it is a tool to enhance care and support the physician’s role.

AI tools typically combine hardware, software, and data. Even familiar tools like Microsoft Copilot or ChatGPT follow this model. In healthcare, software is often applied to patient data, which means privacy and transparency are critical.

What Is an AI Scribe?

“AI Scribe” is a broad term for tools that help generate clinical notes. Common workflows include:

  • Dictation: provider speaks, and AI formats the note.
  • Live Listening (also called Ambient Listening): AI listens during a patient visit and drafts the note based on the conversation.
  • Advanced features: some tools analyze lab trends, suggest diagnoses, or remind providers about follow-ups.

See my article Thinking About Using AI Scribe in Your Healthcare Practice? for additional background.

Why AI Governance Matters

Each clinic must manage how personal health information (PHI) is collected, used, accessed, and disclosed—especially when introducing new technology.

An AI governance framework provides a structured approach to address risks, ethics, and compliance. Think back to when computers first arrived in clinics: there was hype, confusion, and risk. Eventually, we built vendor vetting processes, training, and structured implementation. The same is true today with AI.

Key principles:

  • Create written procedures for evaluating vendors.
  • Set clear expectations: employees should not independently adopt AI tools.
  • Encourage open discussion and collaborative decision-making.

AI Governance and Accountability Framework

Just as it was never appropriate for individuals to bring their own computers from home to manage patient records, it is not appropriate for clinicians or staff to adopt AI tools on their own.

Introducing AI into a clinic requires a collaborative, structured approach. An AI governance framework helps organizations manage risks, ethics, and compliance requirements, including new or emerging risks.

Every clinic should have written procedures that:

  • Set clear expectations for evaluating and selecting vendors.
  • Prohibit staff from independently implementing AI tools.
  • Encourage open discussion and a culture of accountability when considering new technologies.

Without this oversight, indiscriminate use of AI can compromise the accuracy, integrity, and security of personal health information (PHI) — and create risks for the entire organization.

Implementation: Not Plug and Play

AI adoption requires planning. Assign responsibility and accountability for implementation and monitoring. Include your privacy officer in this role.

Your plan should include:

  • Staff training and awareness
  • Confidentiality and end-user agreements
  • Cybersecurity and technical safeguards

Do You Need a Privacy Impact Assessment (PIA)?

Yes! If an AI system introduces new collections, uses, or disclosures of PHI, a PIA is required.

Custodians must ensure PHI is protected against theft, loss, and unauthorized use or disclosure, and that records are securely retained, transferred, and disposed of. This includes ensuring vendors have sufficient safeguards in place.

Recent Resources

Here are a few current references to support your decision-making:

Canada Health Infoway announced in May 2025 a program offering fully funded one-year licenses for eligible primary care providers across Canada. Visit Canada Health Infoway to register for updates and eligibility notifications.

Artificial Intelligence (AI) Scribe Privacy Impact Assessment Guidance developed by the Office of the Information and Privacy Commissioner (OIPC) of Alberta. September 22, 2025.

Canada Health Infoway Supports AI Scribe Implementation in Alberta with Reference to OIPC Privacy Guidance – September 22, 2025

Contractual Safeguards – Ontario MD Guidance – AI Scribes

Vendor of Record list, Supply Ontario – This list features qualified solutions that meet the needs of clinicians

AMA Artificial Intelligence Principles and Policy, February 7, 2025

Need help getting started with your AI privacy and implementation plan?

  • Explore our blog posts on AI and privacy.
  • Join the Practice Management Success membership for training, templates, and discussions.
  • Or ask me directly about PIA consultation services to support your clinic’s AI implementation.

When we know better, we can do better…

Jean Eaton is constructively obsessive about privacy, confidentiality, and security, especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS