Who Needs to Report:
Any Health Information Custodian (HIC) who discovers a privacy breach as a result of theft, loss, or unauthorized use or disclosure of personal health information (PHI) that is in their custody or control.
A physician is not always the HIC.
Depending on how the practice is set up, the HIC can often be the clinic owner or other person operating a group of health care practitioners. In a large organization, the individual physician is almost never the HIC; in these cases, the physician should follow the organization’s policies on reporting privacy breaches.
How to Report:
Notifying Affected Patients:
The HIC must notify the patient of any theft, loss, or unauthorized use or disclosure of PHI at the first reasonable opportunity.
The notification must include a statement that the individual is entitled to make a complaint to the IPC. Information on how patients can file a complaint with the IPC, and a link to the IPC complaint form can be found here.3
PHIPA does not specify how the notification must be carried out. For example, the HIC can notify the affected individual by telephone or in writing or, depending on the circumstances, make a note in the patient’s file to discuss it at his/her next appointment.
The HIC should consider the sensitivity of the PHI that was compromised and use best judgment to determine the appropriate way to notify the individual.
Notifying the IPC:
To report the types of privacy breaches listed above upon occurrence, use the online form provided by the IPC.4
You may also submit a breach report by mail or fax to:
Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario M4W 1A8
Notifying Regulatory Colleges:
If a HIC employs, extends privileges to, or is affiliated with a regulated health professional who is involved in a privacy breach, the HIC must report that individual to their regulatory college within 30 days of the privacy breach occurring when:
- the individual is an employee/agent of the HIC and their privacy breach results in:
- termination, suspension, or disciplinary action, or
- resignation, which the HIC reasonably believes is the result of an investigation or other action related to the alleged breach
- the individual has privileges or is affiliated with the HIC and their privacy breach results in:
- suspension, restriction or revocation of their privileges or affiliation with the HIC, or
- relinquishment or voluntary restriction of their privileges or affiliation, which the HIC reasonably believes is the result of an investigation or other action related to the alleged breach
When to Report
Examples of when it is mandatory to report a privacy breach to the IPC
|Type of Breach
|1. PHI was used or disclosed without authority by a person who knew or ought to have known that they were doing so
||A nurse looks at his neighbour’s medical record for no work-related purpose.
|2. PHI that was not de-identified or properly encrypted is stolen
||Theft of a laptop computer containing PHI that was not encrypted.
|3. Further use or disclosure of a patient’s PHI following an initial privacy breach
||A custodian inadvertently sends a fax containing PHI to the wrong recipient and although the recipient returned the fax, the custodian becomes aware that he or she kept a copy and is threatening to make it public
|4. The loss or unauthorized use or disclosure of PHI is part of a similar pattern
||A letter to a patient inadvertently included the PHI of another patient. The same mistake re-occurs several times in the course of a couple months as a result of a new automated process for generating letters.
|5. Where the HIC is required to give notice to a regulatory college of an event in accordance with PHIPA as it relates to a loss or unauthorized use or disclosure of PHI
||A hospital suspends the privileges of a physician for accessing the personal health information of her ex-spouse for no work-related purpose. The hospital must report this to the College of Physicians and Surgeons of Ontario and to the IPC.
|6. Where losses or unauthorized uses and disclosures of PHI occur by a non-college member (i.e. unregulated staff) in the same circumstances that a HIC is required to notify a regulatory college
||A hospital registration clerk posts information about a patient on social media and the hospital suspends the clerk. The clerk does not belong to a regulated health professional college.
|7. Where the circumstances do not meet any of the requirements above, but it is determined that the loss or unauthorized use or disclosure of PHI is significant after considering all relevant circumstances.
To determine the significance, a HIC must consider whether
- - the information is sensitive,
- - the breach involves a large volume of information,
- - the breach involves many individuals’ information, or
- - more than one HIC or agent is responsible for the breach.
Disclosing a patient’s PHI to a large email distribution group rather than just to the patient’s healthcare practitioner.