As of October 1, 2017, health information custodians are required to notify the Information and Privacy Commissioner ("IPC") when they have reasonable grounds to believe there has been a breach of the Personal Health Information Protection Act, 2004 ("PHIPA"). This represents a change from prior legislation that afforded institutions more discretion.
Under subsection 6.3(1)(1) of the regulations and 12(4) of PHIPA, a health information custodian will be required to notify the Commissioner where it has reasonable grounds to believe that personal health information in its custody or control "was used or disclosed without authority by a person who knew or ought to have known" that he or she did not have permission to do so. In particular, notification will be required in cases of snooping or reckless handling of personal health information.
Custodians are also required to notify the Commissioner where they have reasonable grounds to believe that personal health information has been stolen under subsection 6.3(1)(2), where there was or will be further disclosure of personal health information that was lost, used or disclosed without authority under subsection 6.3(1)(3), or where there has been a pattern of similar losses of personal health information or of unauthorized use or disclosure. For example, notification would be required if a custodian experienced a series of inadvertent disclosures or losses due to a fax machine error or other systemic issue.
The purpose of these regulations is to require notification to the Commissioner in nearly all situations where there is a privacy breach that requires patient notification. At least initially, this will likely generate a significant increase in the number of notifications to the Commissioner.