The Ontario Information and Privacy Commissioner recently issued guidelines intended to assist health information custodians with new privacy breach notification requirements under the Personal Health Information Act (PHIPA).
The New Guidelines
The privacy breach notice requirements took effect on October 1, 2017. Under the new requirements, custodians must report seven categories of privacy breaches to the Commissioner. The categories are not mutually exclusive and more than one can apply to a single privacy breach. Where at least one of the situations applies, a custodian is required to report it.
These new reporting obligations are separate from the duty to notify affected individuals under subsection 12(2) of PHIPA in instances of theft, loss, unauthorized use, or disclosure of personal health information.
The guidelines are not binding law, but do provide helpful examples of the sorts of breaches that the Commissioner would like reported.
Situations Where the Commissioner Must be Informed of a Breach
Use or Disclosure Without Authority
This includes situations where the individual committing the privacy breach knew or ought to have known that their actions were not permitted by either the Act or the custodian responsible. This includes situations involving “snooping”, such as when a person looks at their ex-spouse’s or co-workers medical history for a reason that is not work related, or where hospital employees look at the records of a celebrity, politician, or other well-known person admitted to the hospital. This applies whether or not there was any malice or personal motive behind the actions.
The Commissioner generally does not need to be notified where:
- the breach is accidental, for instance, when information is inadvertently sent by email to the wrong person;
- when a person who is permitted to access patient information accidentally accesses the wrong patient record.
This category includes situations such as:
- stolen paper records;
- stolen laptops or other electronic devices;
- instances where patient information is subject to a ransomware or other malware attack.
All such instances should be reported to the Commissioner, even if the breach was accidental. The Commissioner does not need to be notified if the stolen information was de-identified or correctly encrypted.
Further Use or Disclosure Without Authority After a Breach
This category includes situations such as discovering that, after an initial privacy breach, the breached information was further used or disclosed without the patient’s authority. For instance, where an employee accidentally sent a fax containing patient information to the wrong person and that person kept a copy of the information and threatened to make the information public.
Pattern of Similar Breaches
This category includes situations in which a series of small breaches may point to larger systemic issues such as inadequate training or procedures, or malfunctioning systems. To assist in detecting patterns, all privacy breaches should be tracked internally using a standardized approach and the time between breaches should be monitored.
Disciplinary Action Against a College Member
This category encompasses situations where a member of a health regulatory college is terminated, suspended, disciplined, or resigns due to a privacy breach, or where a member’s privileges are revoked, suspended, restricted or voluntarily restricted as a result of a breach. Even where a custodian is not clear whether the resignation or voluntary restriction are a result of a breach, but believes that the resignation or voluntary restriction is related to a breach it must be reported.
Disciplinary Action Against a Non-College Member
This category encompasses the same situations as the above, but in relation to employees or agents who are not members of a health regulatory college. For example, where a registration clerk has an unpleasant encounter with a patient and then posts about it on Facebook. Although the clerk is not a member of a college, the breach must be reported.
Even where none of the above apply, all “significant” breaches must be reported to the Commissioner. Factors to consider in determining whether a breach is significant include:
- Is the information sensitive?
- Does the breach involve a large volume of information?
- Does the breach involve many affected individuals?
- Was more than one custodian or agent responsible for the breach?
In addition to reporting breaches in the above situations to the Commissioner, Custodians will also be required to start tracking privacy breach statistics as of January 1, 2018, and will be required to provide the Commissioner with an annual report of the previous calendar year’s statistics, starting in March 2019.
Custodians should be aware of these changes and prepare accordingly, including through updating internal policies and procedures. At Wise Health Law, we regularly assist healthcare professionals with emerging regulatory issues and provide them with exceptional and skilled support. Our team of health lawyers are well-known in the legal, regulatory, and health-care communities for our exceptional legal guidance. With offices in both Toronto and Oakville, Ontario we are easily accessible to professionals throughout South-Western Ontario. Contact us online, or at 416-915-4234 for a consultation.