New Rule Clarifies Circumstances Requiring Breach Reporting Under Ontario PHIPA

The Ontario government recently amended the Personal Health Information Protection Act (PHIPA) to include mandatory breach reporting.1 A new regulation filed on June 29, 2017 provides direction on the circumstances that require reporting.2 This regulation comes into force on October 1, 2017.

What You Need To Know

  • The regulation outlines the circumstances in which a health information custodian is required to notify the Information and Privacy Commissioner (IPC) of the theft, loss or unauthorized use or disclosure of personal health information.
  • The regulation also requires health information custodians to submit a yearly report to the IPC which includes the number of times personal health information was stolen, lost or used or disclosed without authority in the previous year.
  • PHIPA provides that, under certain circumstances, a health information custodian must notify the IPC of the theft, loss or unauthorized use or disclosure of personal health information in the custody or control of that health information custodian. The regulation filed on June 29, 2017 now provides guidance on the circumstances that require such reporting. These circumstances are as follows:
    • The health information custodian has reasonable grounds to believe that personal health information was used or disclosed without authority, was stolen, or, if after an initial loss or unauthorized use or disclosure, the personal health information was or will be further used or disclosed without authority.
    • The loss or unauthorized use or disclosure of personal health information is part of a pattern of similar losses or unauthorized uses or disclosures.
    • The health information custodian is required under PHIPA to give notice to a health professional College of an event that relates to a loss or unauthorized use or disclosure of personal health information.
    • The health information custodian determines that the loss or unauthorized use or disclosure of personal health information is significant after considering all relevant circumstances, including whether the personal health information is sensitive, whether the loss or unauthorized use or disclosure involved a large volume of personal health information or involved many individuals’ personal health information and whether more than one health information custodian or agent was responsible for the loss or unauthorized use or disclosure.
  • The regulation also requires that, as of 2019, health information custodians submit a report each year to the IPC stating the number of times in the previous year that personal health information in the custodian's custody or control was stolen, lost, or used or disclosed without authority. This report will be submitted by electronic means to be determined by the IPC.

_________________________

1 See: https://www.torys.com/insights/publications/2015/06/ontario-to-strengthen-health-privacy-laws.

2 See: https://www.ontario.ca/laws/regulation/r17224.

To discuss these issues, please contact the author(s).

This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.

For permission to republish this or any other publication, contact Janelle Weed.

© 2017 by Torys LLP.
All rights reserved.

Tags:

Get in Touch