There are new privacy breach reporting requirements in effect as of October 1, 2017. These new requirements are in addition to the June 2016 requirements made to the
Personal Health Information Protection Act, 2004 (PHIPA).
Here’s what you need to know:
October 1, 2017 – Reporting Privacy Breaches to the Information and Privacy Commissioner
As of October 1, 2017, if you are the health information custodian, in addition to notifying the affected individual of the privacy breach and their right to file a complaint with the Commissioner you will also be required by law to report the privacy breach directly to the Commissioner under the certain circumstances. The legislation and full list of circumstances in which a health information custodian will be required to notify the Commissioner of a privacy breach
are available online and below.
6.3 (1) The following are the circumstances in which a health information custodian is required to notify the Commissioner for the purposes of subsection 12 (3) of the Act:
- The health information custodian has reasonable grounds to believe that personal health information in the custodian’s custody or control was used or disclosed without authority by a person who knew or ought to have known that they were using or disclosing the information without authority.
- The health information custodian has reasonable grounds to believe that personal health information in the custodian’s custody or control was stolen.
- The health information custodian has reasonable grounds to believe that, after an initial loss or unauthorized use or disclosure of personal health information in the custodian’s custody or control, the personal health information was or will be further used or disclosed without authority.
- The loss or unauthorized use or disclosure of personal health information is part of a pattern of similar losses or unauthorized uses or disclosures of personal health information in the custody or control of the health information custodian.
- The health information custodian is required to give notice to a College of an event described in section 17.1 of the Act that relates to a loss or unauthorized use or disclosure of personal health information.
- The health information custodian would be required to give notice to a College, if an agent of the health information custodian were a member of the College, of an event described in section 17.1 of the Act that relates to a loss or unauthorized use or disclosure of personal health information.
- The health information custodian determines that the loss or unauthorized use or disclosure of personal health information is significant after considering all relevant circumstances, including the following:
- Whether the personal health information that was lost or used or disclosed without authority is sensitive.
- Whether the loss or unauthorized use or disclosure involved a large volume of personal health information.
- Whether the loss or unauthorized use or disclosure involved many individuals’ personal health information.
- Whether more than one health information custodian or agent was responsible for the loss or unauthorized use or disclosure of the personal health information.
Reporting Responsibility of Agents of Health Information Custodians
If you are an agent of a health information custodian (for example, if you are an OT working for a community care organization, a hospital or for another regulated health professional) you need to tell the responsible custodian of the breach at the first reasonable opportunity.
Learn more about privacy and the June 2016 requirements.