by Written on behalf of Wise Health Law October 05, 2017 4 min read

The Ontario Information and Privacy Commissioner recently issued guidelines intended to assist health information custodians with new privacy breach notification requirements under the Personal Health Information Act(PHIPA).

The New Guidelines

The privacy breach notice requirements took effect on October 1, 2017. Under the new requirements, custodians must report seven categories of privacy breaches to the Commissioner. The categories are not mutually exclusive and more than one can apply to a single privacy breach. Where at least one of the situations applies, a custodian is required to report it. These new reporting obligations are separate from the duty to notify affected individuals under subsection 12(2) of PHIPA in instances of theft, loss, unauthorized use, or disclosure of personal health information. The guidelines are not binding law, but do provide helpful examples of the sorts of breaches that the Commissioner would like reported.

Situations Where the Commissioner Must be Informed of a Breach

  1. Use or Disclosure Without Authority

This includes situations where the individual committing the privacy breach knew or ought to have known that their actions were not permitted by either the Act or the custodian responsible. This includes situations involving “snooping”, such as when a person looks at their ex-spouse’s or co-workers medical history for a reason that is not work related, or where hospital employees look at the records of a celebrity, politician, or other well-known person admitted to the hospital. This applies whether or not there was any malice or personal motive behind the actions. The Commissioner generally does not need to be notified where:
  • the breach is accidental, for instance, when information is inadvertently sent by email to the wrong person;
  • when a person who is permitted to access patient information accidentally accesses the wrong patient record.
  1. Stolen Information

This category includes situations such as: All such instances should be reported to the Commissioner, even if the breach was accidental. The Commissioner does not need to be notified if the stolen information was de-identified or correctly encrypted.
  1. Further Use or Disclosure Without Authority After a Breach

This category includes situations such as discovering that, after an initial privacy breach, the breached information was further used or disclosed without the patient’s authority. For instance, where an employee accidentally sent a fax containing patient information to the wrong person and that person kept a copy of the information and threatened to make the information public.
  1. Pattern of Similar Breaches

This category includes situations in which a series of small breaches may point to larger systemic issues such as inadequate training or procedures, or malfunctioning systems. To assist in detecting patterns, all privacy breaches should be tracked internally using a standardized approach and the time between breaches should be monitored.
  1. Disciplinary Action Against a College Member

This category encompasses situations where a member of a health regulatory college is terminated, suspended, disciplined, or resigns due to a privacy breach, or where a member’s privileges are revoked, suspended, restricted or voluntarily restricted as a result of a breach. Even where a custodian is not clear whether the resignation or voluntary restriction are a result of a breach, but believes that the resignation or voluntary restriction is related to a breach it must be reported.
  1. Disciplinary Action Against a Non-College Member

This category encompasses the same situations as the above, but in relation to employees or agents who are not members of a health regulatory college. For example, where a registration clerk has an unpleasant encounter with a patient and then posts about it on Facebook. Although the clerk is not a member of a college, the breach must be reported.
  1. Significant Breach

Even where none of the above apply, all “significant” breaches must be reported to the Commissioner. Factors to consider in determining whether a breach is significant include:
  • Is the information sensitive?
  • Does the breach involve a large volume of information?
  • Does the breach involve many affected individuals?
  • Was more than one custodian or agent responsible for the breach?

Annual Reporting

In addition to reporting breaches in the above situations to the Commissioner, Custodians will also be required to start tracking privacy breach statistics as of January 1, 2018, and will be required to provide the Commissioner with an annual report of the previous calendar year’s statistics, starting in March 2019. Custodians should be aware of these changes and prepare accordingly, including through updating internal policies and procedures. At Wise Health Law, we regularly assist healthcare professionals with emerging regulatory issues and provide them with exceptional and skilled support. Our team of health lawyers are well-known in the legal, regulatory, and health-care communities for our exceptional legal guidance. With offices in both Toronto and Oakville, Ontario we are easily accessible to professionals throughout South-Western Ontario. Contact us online, or at 416-915-4234 for a consultation.

Also in Blog

Bill 218: Supporting Ontario’s Recovery Act, 2020

by Valerie Wise October 23, 2020 3 min read

On October 20, 2020, the Ontario government introduced legislation to provide protection from liability for workers, volunteers and organizations who make “good faith efforts” to comply with federal, provincial or municipal law and public health guidance relating to COVID-19.   
Cases to Watch: Marchi v. Nelson

by Mina Karabit September 22, 2020 3 min read

In August 2020, the Supreme Court heard and granted leave to appeal in Marchi v. Nelson, a case from the British Columbia Court of Appeal. The decision is one to watch as it will likely result in a renewed discussion of the distinction of policy versus operational decisions and their impacts on liability in tort law. The discussion will likely impact many of the anticipated post-COVID-19 lawsuits against public and government institutions.
Judicial Review: New Time Limits and a Helpful Primer

by Mina Karabit September 17, 2020 4 min read

In December 2019, Ontario’s Attorney General introduced Bill 161, the Smarter and Stronger Justice Act (the “Act”), which became law on July 8, 2020. The Act hopes to simplify a complex and outdated justice system by bringing changes to how legal aid services are delivered, how class actions are handled, and how court processes are administered.

Of note, the Act has amended the Judicial Review Procedures Act (JRPA) to establish new rules as to when an application for judicial review may be brought.

Any decisions made on or after July 8, 2020 are now subject to a 30-day limit for bringing an application for judicial review unless another Act provides otherwise. Courts, however, retain powers to extend the time for making an application for judicial review if satisfied that there are apparent grounds for relief and that no prejudice or hardship will be incurred by the delay. Before these amendments, the JRPA did not set out any time limits for bringing an application, but courts had powers to extend the time to bring an application if another Act prescribed the limit.