by Written on behalf of Wise Health Law October 05, 2017 4 min read

The Ontario Information and Privacy Commissioner recently issued guidelines intended to assist health information custodians with new privacy breach notification requirements under the Personal Health Information Act (PHIPA).

The New Guidelines

The privacy breach notice requirements took effect on October 1, 2017. Under the new requirements, custodians must report seven categories of privacy breaches to the Commissioner. The categories are not mutually exclusive and more than one can apply to a single privacy breach. Where at least one of the situations applies, a custodian is required to report it. These new reporting obligations are separate from the duty to notify affected individuals under subsection 12(2) of PHIPA in instances of theft, loss, unauthorized use, or disclosure of personal health information. The guidelines are not binding law, but do provide helpful examples of the sorts of breaches that the Commissioner would like reported.

Situations Where the Commissioner Must be Informed of a Breach

  1. Use or Disclosure Without Authority

This includes situations where the individual committing the privacy breach knew or ought to have known that their actions were not permitted by either the Act or the custodian responsible. This includes situations involving “snooping”, such as when a person looks at their ex-spouse’s or co-worker’s medical history for a reason that is not work-related, or where hospital employees look at the records of a celebrity, politician, or other well-known person admitted to the hospital. This applies whether or not there was any malice or personal motive behind the actions. The Commissioner generally does not need to be notified where:
  • the breach is accidental, for instance, when information is inadvertently sent by email to the wrong person;
  • a person who is permitted to access patient information accidentally accesses the wrong patient record.
  2. Stolen Information

This category includes situations such as: All such instances should be reported to the Commissioner, even if the breach was accidental. The Commissioner does not need to be notified if the stolen information was de-identified or correctly encrypted.
  3. Further Use or Disclosure Without Authority After a Breach

This category includes situations such as discovering that, after an initial privacy breach, the breached information was further used or disclosed without the patient’s authority. For instance, where an employee accidentally sent a fax containing patient information to the wrong person and that person kept a copy of the information and threatened to make the information public.
  4. Pattern of Similar Breaches

This category includes situations in which a series of small breaches may point to larger systemic issues such as inadequate training or procedures, or malfunctioning systems. To assist in detecting patterns, all privacy breaches should be tracked internally using a standardized approach and the time between breaches should be monitored.
  5. Disciplinary Action Against a College Member

This category encompasses situations where a member of a health regulatory college is terminated, suspended, disciplined, or resigns due to a privacy breach, or where a member’s privileges are revoked, suspended, restricted or voluntarily restricted as a result of a breach. Even where a custodian is not clear whether the resignation or voluntary restriction is a result of a breach, but believes that the resignation or voluntary restriction is related to a breach, it must be reported.
  6. Disciplinary Action Against a Non-College Member

This category encompasses the same situations as the above, but in relation to employees or agents who are not members of a health regulatory college. For example, where a registration clerk has an unpleasant encounter with a patient and then posts about it on Facebook. Although the clerk is not a member of a college, the breach must be reported.
  7. Significant Breach

Even where none of the above apply, all “significant” breaches must be reported to the Commissioner. Factors to consider in determining whether a breach is significant include:
  • Is the information sensitive?
  • Does the breach involve a large volume of information?
  • Does the breach involve many affected individuals?
  • Was more than one custodian or agent responsible for the breach?

Annual Reporting

In addition to reporting breaches in the above situations to the Commissioner, custodians will also be required to start tracking privacy breach statistics as of January 1, 2018, and will be required to provide the Commissioner with an annual report of the previous calendar year’s statistics, starting in March 2019. Custodians should be aware of these changes and prepare accordingly, including through updating internal policies and procedures.

At Wise Health Law, we regularly assist healthcare professionals with emerging regulatory issues and provide them with exceptional and skilled support. Our team of health lawyers is well-known in the legal, regulatory, and health-care communities for our exceptional legal guidance. With offices in both Toronto and Oakville, Ontario, we are easily accessible to professionals throughout South-Western Ontario. Contact us online, or at 416-915-4234 for a consultation.
