Mandatory Reporting of Privacy Breaches to Ontario’s Information and Privacy Commissioner to Take Effect Under the Personal Health Information Protection Act

In June 2017, the Ontario government published its amended Regulations to the Personal Health Information Protection Act (PHIPA) that detail the prescribed requirements under which health information custodians must report privacy breaches to the Information and Privacy Commissioner of Ontario. The mandatory notification provisions under section 12 of PHIPA came into force last June, while the amended Regulations are scheduled to take effect on October 1, 2017.

Under section 6.3 of the Regulations, notice to the Commissioner will be required where a custodian has reasonable grounds to believe that personal health information (PHI) in his or her custody or control was:

1. used or disclosed without authority by a person who knew or ought to have known that they were using or disclosing the information without authority;
2. stolen;
3. subsequently used or disclosed without authority after an initial privacy breach; or
4. part of a pattern of similar privacy breaches under custodian’s custody or control.

Notice to the Commissioner will also become mandatory where an agent handling PHI on behalf of a custodian is subject to disciplinary action relating to privacy breaches. Furthermore, notice will be required where the privacy breach is significant, taking into consideration the sensitivity and volume of the PHI at issue; the number of individuals whose information was involved in the breach; and whether more than one custodian or agent were responsible for the breach.

Under Section 6.4 of the Regulations, custodians will have to submit an annual report as early as March 1, 2019 that sets out the number of times PHI in the custodian’s custody or control was stolen, lost, used or disclosed without authority.

For more information, see our previous E-TIPS® Newsletter article.

Summary By: Anna Troshchynsky