by Written on behalf of Wise Health Law October 05, 2017 4 min read

The Ontario Information and Privacy Commissioner recently issued guidelines intended to assist health information custodians with new privacy breach notification requirements under the Personal Health Information Act(PHIPA).

The New Guidelines

The privacy breach notice requirements took effect on October 1, 2017. Under the new requirements, custodians must report seven categories of privacy breaches to the Commissioner. The categories are not mutually exclusive and more than one can apply to a single privacy breach. Where at least one of the situations applies, a custodian is required to report it. These new reporting obligations are separate from the duty to notify affected individuals under subsection 12(2) of PHIPA in instances of theft, loss, unauthorized use, or disclosure of personal health information. The guidelines are not binding law, but do provide helpful examples of the sorts of breaches that the Commissioner would like reported.

Situations Where the Commissioner Must be Informed of a Breach

  1. Use or Disclosure Without Authority

This includes situations where the individual committing the privacy breach knew or ought to have known that their actions were not permitted by either the Act or the custodian responsible. This includes situations involving “snooping”, such as when a person looks at their ex-spouse’s or co-workers medical history for a reason that is not work related, or where hospital employees look at the records of a celebrity, politician, or other well-known person admitted to the hospital. This applies whether or not there was any malice or personal motive behind the actions. The Commissioner generally does not need to be notified where:
  • the breach is accidental, for instance, when information is inadvertently sent by email to the wrong person;
  • when a person who is permitted to access patient information accidentally accesses the wrong patient record.
  1. Stolen Information

This category includes situations such as: All such instances should be reported to the Commissioner, even if the breach was accidental. The Commissioner does not need to be notified if the stolen information was de-identified or correctly encrypted.
  1. Further Use or Disclosure Without Authority After a Breach

This category includes situations such as discovering that, after an initial privacy breach, the breached information was further used or disclosed without the patient’s authority. For instance, where an employee accidentally sent a fax containing patient information to the wrong person and that person kept a copy of the information and threatened to make the information public.
  1. Pattern of Similar Breaches

This category includes situations in which a series of small breaches may point to larger systemic issues such as inadequate training or procedures, or malfunctioning systems. To assist in detecting patterns, all privacy breaches should be tracked internally using a standardized approach and the time between breaches should be monitored.
  1. Disciplinary Action Against a College Member

This category encompasses situations where a member of a health regulatory college is terminated, suspended, disciplined, or resigns due to a privacy breach, or where a member’s privileges are revoked, suspended, restricted or voluntarily restricted as a result of a breach. Even where a custodian is not clear whether the resignation or voluntary restriction are a result of a breach, but believes that the resignation or voluntary restriction is related to a breach it must be reported.
  1. Disciplinary Action Against a Non-College Member

This category encompasses the same situations as the above, but in relation to employees or agents who are not members of a health regulatory college. For example, where a registration clerk has an unpleasant encounter with a patient and then posts about it on Facebook. Although the clerk is not a member of a college, the breach must be reported.
  1. Significant Breach

Even where none of the above apply, all “significant” breaches must be reported to the Commissioner. Factors to consider in determining whether a breach is significant include:
  • Is the information sensitive?
  • Does the breach involve a large volume of information?
  • Does the breach involve many affected individuals?
  • Was more than one custodian or agent responsible for the breach?

Annual Reporting

In addition to reporting breaches in the above situations to the Commissioner, Custodians will also be required to start tracking privacy breach statistics as of January 1, 2018, and will be required to provide the Commissioner with an annual report of the previous calendar year’s statistics, starting in March 2019. Custodians should be aware of these changes and prepare accordingly, including through updating internal policies and procedures. At Wise Health Law, we regularly assist healthcare professionals with emerging regulatory issues and provide them with exceptional and skilled support. Our team of health lawyers are well-known in the legal, regulatory, and health-care communities for our exceptional legal guidance. With offices in both Toronto and Oakville, Ontario we are easily accessible to professionals throughout South-Western Ontario. Contact us online, or at 416-915-4234 for a consultation.


Also in Blog

Pandemic Exemptions for CPSO Registration

by Mina Karabit March 11, 2021 3 min read

It is no surprise that the COVID-19 pandemic continues to affect the delivery of health services and the regulation of various health professions.

In a welcomed move, the College of Physicians and Surgeons of Ontario (CPSO) Council recently approved a new registration policy allowing the Registration Committee to issue a Certificate of Registration authorizing Independent Practice to applicants who have not completed Part II of the Medical Council of Canada Qualifying Examination (MCCQE).

Supreme Court of Canada Confirms Test for Standard of Care

by Rozmin Mediratta February 08, 2021 4 min read

The test for the standard of care in medical negligence cases has remained untouched since the Supreme Court of Canada’s 1995 decision in ter Neuzen v. Korn.

On January 18, 2021, the Supreme Court of Canada heard the appeal in Armstrong v. Ward. Their unanimous decision maintains the status quo with respect to the standard of care in medical negligence cases.

Expanding the Pharmaceutical Scope of Practice (Again)

by Mina Karabit January 19, 2021 2 min read

Like other professionals, pharmacists have been adjusting to an expanded scope of practice as all health professionals work to combat the COVID-19 pandemic. We wrote about some of these changes in our previous blog posts.

Last week, the Minister of Health made additional changes to the Regulated Health Professions Act relevant to pharmacy professionals. Now, members of the Ontario College of Pharmacists — including pharmacists, interns, registered pharmacy students, or pharmacy technicians — can administer coronavirus vaccines by injection. These individuals must be certified to administer vaccines and must do so while being engaged by an organization that has an agreement with the Minister governing the administration of the vaccine (e.g., a hospital).