As set out in our previous Health Communiqué, amendments to the Personal Health Information Protection Act, 2004 (PHIPA) require mandatory notification to the Information and Privacy Commissioner/Ontario (IPC) if the circumstances surrounding a theft, loss or unauthorized use or disclosure meet certain “prescribed requirements”.

Amendments to Regulation 329/04 made under PHIPA (the “Regulation”) have now been filed, setting out the circumstances when notice must be provided to the IPC. The requirements come into force on October 1, 2017.

Prescribed Circumstances to Notify the IPC

The Regulation does not require notification in all circumstances, for example, in cases where there has been an inadvertent breach, such as a misdirected fax or email. Nevertheless, the notification requirements are broad and far-reaching. As of October 1, 2017, a health information custodian (HIC) must notify the IPC where:

  1. It has reasonable grounds to believe that personal health information (PHI) was used or disclosed without authority by a person who knew or ought to have known that they were using or disclosing the information without authority, or where the HIC has reasonable grounds to believe PHI was stolen.
  2. It has reasonable grounds to believe that, after an initial loss or unauthorized use or disclosure of PHI in the custodian’s custody or control, the PHI was or will be further used or disclosed without authority.
  3. The loss or unauthorized use or disclosure of PHI is part of a pattern of similar losses or unauthorized uses or disclosures of PHI in the custody or control of the HIC.
  4. It is required to give notice to a regulated health professional’s governing body or College in accordance with PHIPA, as it relates to the loss or unauthorized use or disclosure of PHI.
  5. It would be required to give notice to a College in accordance with PHIPA in respect of the loss or unauthorized use or disclosure of PHI by the HIC’s agent, if the agent were a member of a College.
  6. The HIC determines that the loss or unauthorized use or disclosure of PHI is significant after considering all relevant circumstances, including:
    • Whether the PHI that was lost, used or disclosed without authority is sensitive.
    • Whether the loss, unauthorized use or disclosure involved a large volume of PHI.
    • Whether the loss, unauthorized use or disclosure involved many individuals’ PHI.
    • Whether more than one HIC or agent was responsible for the loss, unauthorized use or disclosure of the PHI.

These amendments mandate reporting not only when PHI is stolen, lost, used or disclosed without authority, but also when College notification requirements are triggered by an agent of a HIC being disciplined for a privacy breach. The notification requirement extends to employees and agents who are not part of regulated health professions, such as personal support workers, ward clerks and administrative staff, who might otherwise be immune from scrutiny.

The last subsection is designed to capture “significant” privacy breaches. Although the term “significant” is not defined, the four listed factors will serve as guidelines for determining whether reporting is required.

Annual Reporting Requirement

Beginning in 2019, HICs will be required to submit an annual report to the IPC setting out the number of occurrences in the preceding year where PHI in the HIC’s custody or control was stolen, lost, used or disclosed without authority. The report will be submitted electronically; however, the specific means have not yet been determined by the IPC.

The complete version of Regulation 329/04 can be found on eLaws. In addition, the IPC recently published detailed guidelines for the health sector on reporting a privacy breach to the Commissioner.