by Written on behalf of Wise Health Law October 05, 2017 4 min read

The Ontario Information and Privacy Commissioner recently issued guidelines intended to assist health information custodians with new privacy breach notification requirements under the Personal Health Information Act(PHIPA).

The New Guidelines

The privacy breach notice requirements took effect on October 1, 2017. Under the new requirements, custodians must report seven categories of privacy breaches to the Commissioner. The categories are not mutually exclusive and more than one can apply to a single privacy breach. Where at least one of the situations applies, a custodian is required to report it. These new reporting obligations are separate from the duty to notify affected individuals under subsection 12(2) of PHIPA in instances of theft, loss, unauthorized use, or disclosure of personal health information. The guidelines are not binding law, but do provide helpful examples of the sorts of breaches that the Commissioner would like reported.

Situations Where the Commissioner Must be Informed of a Breach

  1. Use or Disclosure Without Authority

This includes situations where the individual committing the privacy breach knew or ought to have known that their actions were not permitted by either the Act or the custodian responsible. This includes situations involving “snooping”, such as when a person looks at their ex-spouse’s or co-workers medical history for a reason that is not work related, or where hospital employees look at the records of a celebrity, politician, or other well-known person admitted to the hospital. This applies whether or not there was any malice or personal motive behind the actions. The Commissioner generally does not need to be notified where:
  • the breach is accidental, for instance, when information is inadvertently sent by email to the wrong person;
  • when a person who is permitted to access patient information accidentally accesses the wrong patient record.
  1. Stolen Information

This category includes situations such as: All such instances should be reported to the Commissioner, even if the breach was accidental. The Commissioner does not need to be notified if the stolen information was de-identified or correctly encrypted.
  1. Further Use or Disclosure Without Authority After a Breach

This category includes situations such as discovering that, after an initial privacy breach, the breached information was further used or disclosed without the patient’s authority. For instance, where an employee accidentally sent a fax containing patient information to the wrong person and that person kept a copy of the information and threatened to make the information public.
  1. Pattern of Similar Breaches

This category includes situations in which a series of small breaches may point to larger systemic issues such as inadequate training or procedures, or malfunctioning systems. To assist in detecting patterns, all privacy breaches should be tracked internally using a standardized approach and the time between breaches should be monitored.
  1. Disciplinary Action Against a College Member

This category encompasses situations where a member of a health regulatory college is terminated, suspended, disciplined, or resigns due to a privacy breach, or where a member’s privileges are revoked, suspended, restricted or voluntarily restricted as a result of a breach. Even where a custodian is not clear whether the resignation or voluntary restriction are a result of a breach, but believes that the resignation or voluntary restriction is related to a breach it must be reported.
  1. Disciplinary Action Against a Non-College Member

This category encompasses the same situations as the above, but in relation to employees or agents who are not members of a health regulatory college. For example, where a registration clerk has an unpleasant encounter with a patient and then posts about it on Facebook. Although the clerk is not a member of a college, the breach must be reported.
  1. Significant Breach

Even where none of the above apply, all “significant” breaches must be reported to the Commissioner. Factors to consider in determining whether a breach is significant include:
  • Is the information sensitive?
  • Does the breach involve a large volume of information?
  • Does the breach involve many affected individuals?
  • Was more than one custodian or agent responsible for the breach?

Annual Reporting

In addition to reporting breaches in the above situations to the Commissioner, Custodians will also be required to start tracking privacy breach statistics as of January 1, 2018, and will be required to provide the Commissioner with an annual report of the previous calendar year’s statistics, starting in March 2019. Custodians should be aware of these changes and prepare accordingly, including through updating internal policies and procedures. At Wise Health Law, we regularly assist healthcare professionals with emerging regulatory issues and provide them with exceptional and skilled support. Our team of health lawyers are well-known in the legal, regulatory, and health-care communities for our exceptional legal guidance. With offices in both Toronto and Oakville, Ontario we are easily accessible to professionals throughout South-Western Ontario. Contact us online, or at 416-915-4234 for a consultation.


Also in Blog

The Interaction between College Proceedings and Limitation Periods

by Rozmin Mediratta April 02, 2020 3 min read

Earlier this year, Wise Health Law succeeded on a motion for summary judgment in a dental malpractice case on the basis that the limitation period had expired before the Statement of Claim was issued. The (unreported) decision was delivered orally on the day of the motion. 

In part, the plaintiff argued that she did not discover her claim until the Royal College of Dental Surgeons of Ontario (the “RCDSO” or “College”) rendered its decision, as she did not know if the defendant was negligent when she complained to the RCDSO, but merely had a “suspicion”. 

Ontario Gives Statutory Tribunals Discretion to Conduct Proceedings Electronically Amid COVID-19

by Rozmin Mediratta March 30, 2020 2 min read

In the midst of COVID-19, the proceedings of many health colleges, and consequently of the health professionals they regulate, have been in limbo while everyone finds a way forward. 

On March 25, 2020, the Ontario government enacted the Hearings in Tribunal Proceedings (Temporary Measures) Act, 2020 (the “Act”) to help the process along.

The Act empowers statutory tribunals with more discretion over how proceedings before them are held.

Chiropractors: Considerations in Providing “Emergency Care”

by Valerie Wise March 25, 2020 2 min read

Effective 11:59 p.m. on March 24, 2020, the Ontario government ordered the closure of “non-essential” workplaces.  The list of “essential” workplaces included “health care professionals providing emergency care including dentists, optometrists and physiotherapists”.

The College of Chiropractors of Ontario (“CCO”) interprets this list as including chiropractors, and we agree.

So the question becomes – what is “emergency care”?