The Information and Privacy Commissioner (IPC) has always strongly encouraged health information custodians (HICs) to report privacy breaches to its office, particularly where they may have broader implications. Although the Personal Health Information Protection Act, 2004 (PHIPA) prescribes mandatory notification of privacy breaches to affected individuals, until recently, reporting to the IPC has been voluntary.
Bill 119, the Health Information Protection Act, 2016 (HIPA), which came into force on June 3, 2016, introduced a number of amendments to the notice requirements under PHIPA. These include mandatory:
- Notice to the individual (i.e. patient/resident/client or substitute decision-maker) where personal health information (PHI) that is in the custody or control of the HIC is “stolen or lost or if it is used or disclosed without authority”. In this instance, the HIC must notify the individual at the first reasonable opportunity and include in the notice a statement that the individual is entitled to make a complaint to the IPC. Under the previous provision, notification was triggered by PHI being lost, stolen or “accessed by unauthorized persons”, which was somewhat ambiguous and subject to interpretation. The amendments tighten up the language and also require a statement advising the individual of their right to make a complaint.
- Notice to Commissioner if the circumstances surrounding a theft, loss or unauthorized use or disclosure “meet the prescribed requirements”. Although the provisions are in force, they are not operational without a corresponding regulation setting out the “prescribed requirements”. Regulatory amendments to Regulation 329/04 made under PHIPA have been proposed to address when notice must be provided to the IPC, as detailed below.
- Notice to Governing College where an agent of a HIC who is a member of a regulated health profession has been terminated, suspended or subject to disciplinary action or whose privileges or affiliation have been revoked, suspended or restricted as a result of the unauthorized collection, use, disclosure, retention or disposal of PHI by the agent. This requirement also applies if the HIC has reasonable grounds to believe that the agent has resigned or voluntarily restricted their privileges or affiliation as a result of an investigation or other action into such an alleged breach.
Proposed Amendment to Regulation 329/04 Regarding Notices to the Commissioner
The Ministry of Health and Long-Term Care (MOHLTC) has circulated a consultation draft of the proposed regulatory amendments prescribing the circumstances in which a HIC must notify the IPC. If approved, the notification requirements would take effect on July 1, 2017.
Prescribed Circumstances to Notify the IPC
1. The HIC has reasonable grounds to believe that the PHI that was stolen, lost or used or disclosed without authority has been or will be subsequently used or disclosed without authority.
2. The theft, loss or unauthorized use or disclosure is part of a pattern of similar thefts, losses or unauthorized uses or disclosures of PHI under the custody or control of the HIC.
3. The HIC has given notice to a College in accordance with PHIPA in respect of a theft, loss or unauthorized use or disclosure of PHI.
4. The HIC would have been required to give notice to a College in accordance with PHIPA in respect of the theft, loss or unauthorized use or disclosure of PHI by the HIC’s agent if the agent were a member of a College.
5. The HIC has reasonable grounds to believe that the PHI was intentionally used or disclosed without authority.
6. The circumstances do not meet the requirements in any of the preceding paragraphs, and the HIC determines that the theft, loss or unauthorized use or disclosure is significant, having regard to all relevant circumstances including,
i. the nature of the PHI that was stolen, lost or used or disclosed without authority;
ii. the number of records of PHI that were stolen, lost or used or disclosed without authority;
iii. the number of individuals whose PHI was contained in the record or records that were stolen, lost or used or disclosed without authority; and
iv. the number of HICs or agents responsible for the theft, loss or unauthorized use or disclosure.
The prescribed circumstances are very broad. Paragraphs 1 to 5 describe specific triggers; the final “circumstance” in paragraph 6 is a catch-all intended to capture every other situation that the HIC itself considers “significant”, weighed against the four factors listed.
Based on the proposed wording of the regulation, the notice requirements to a Governing College in respect of a member are broader than the reporting requirements to the IPC. The College notice is triggered by unauthorized collection, use, disclosure, retention or disposal of PHI, whereas the IPC triggers are framed only in terms of theft, loss or unauthorized use or disclosure. As currently worded, an incident involving only unauthorized retention or disposal of PHI must be reported to the Governing College but would not necessarily trigger reporting to the IPC.
Annual Reporting to the IPC
In addition to incident-specific reporting to the IPC, the proposed amendments would also require a HIC to inform the IPC of the total number of times that notices were provided to individuals under subsection 12(2) of PHIPA, in respect of their PHI being stolen, lost or used or disclosed without authority. If this amendment is approved, the first report would be due on or before March 1, 2019 (and every year thereafter) in respect of notices given in the previous calendar year.
The proposed amendments also give the IPC discretion to request and require a HIC to provide:
- Information contained in any notice given to an individual; and
- Information the HIC relied on in deciding to notify the individual.
While IPC requests would not cover notifications issued in 2017, it would be prudent for organizations that do not currently keep a formal record of the reasons and facts considered when deciding to issue a notice to begin doing so now, in preparation for the proposed regulatory change.
The MOHLTC is currently seeking public comment on the proposed regulations. The deadline to provide feedback is May 8, 2017.
Complete versions of the proposed amendments and information on how to provide feedback can be found on Ontario’s Regulatory Registry. You may also inquire with us if you have any questions.