The Ontario government recently amended the Personal Health Information Protection Act (PHIPA) to include mandatory breach reporting.[1] A new regulation filed on June 29, 2017 provides direction on the circumstances that require reporting.[2] This regulation comes into force on October 1, 2017.

What You Need To Know

  • The regulation outlines the circumstances in which a health information custodian is required to notify the Information and Privacy Commissioner (IPC) of the theft, loss or unauthorized use or disclosure of personal health information.
  • The regulation also requires health information custodians to submit a yearly report to the IPC which includes the number of times personal health information was stolen, lost or used or disclosed without authority in the previous year.
  • PHIPA provides that, under certain circumstances, a health information custodian must notify the IPC of the theft, loss or unauthorized use or disclosure of personal health information in the custody or control of that health information custodian. The regulation filed on June 29, 2017 now provides guidance on the circumstances that require such reporting. These circumstances are as follows:

    • The health information custodian has reasonable grounds to believe that personal health information was used or disclosed without authority or was stolen, or that, after an initial loss or unauthorized use or disclosure, the personal health information was or will be further used or disclosed without authority.
    • The loss or unauthorized use or disclosure of personal health information is part of a pattern of similar losses or unauthorized uses or disclosures.
    • The health information custodian is required under PHIPA to give notice to a health professional College of an event that relates to a loss or unauthorized use or disclosure of personal health information.
    • The health information custodian determines that the loss or unauthorized use or disclosure of personal health information is significant after considering all relevant circumstances, including: whether the personal health information is sensitive; whether the loss or unauthorized use or disclosure involved a large volume of personal health information or the personal health information of many individuals; and whether more than one health information custodian or agent was responsible for the loss or unauthorized use or disclosure.
  • The regulation also requires that, as of 2019, health information custodians submit a report each year to the IPC stating the number of times in the previous year that personal health information in the custodian's custody or control was stolen, lost, or used or disclosed without authority. This report will be submitted by electronic means to be determined by the IPC.

Footnotes

[1] See: http://www.torys.com/insights/publications/2015/06/ontario-to-strengthen-health-privacy-laws.

[2] See: https://www.ontario.ca/laws/regulation/r17224.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.