Health care organizations in Ontario are now required by law to report privacy breaches to the Ontario Information and Privacy Commissioner (IPC), due to new regulations amending the Personal Health Information Protection Act (PHIPA) that came into force on October 1st, 2017. The new rules on mandatory breach reporting, to both the IPC as well as relevant regulatory colleges, pose an additional duty on health professionals over and above the already existing duty under section 12(2) of PHIPA to notify individuals whose privacy has been breached.
Ontario IPC Guidelines for the Health Sector
Earlier this month, the IPC published guidelines to assist health professionals understand and comply with the new reporting rules. These guidelines provide useful tips and examples for each of the seven categories under which the health sector must inform the IPC that personal health information in their custody or control has been compromised:
- If there has been use or disclosure of personal health information without authority;
- If personal health information has been stolen;
- When there is further use or disclosure without authority after a breach;
- Where there is a pattern of similar breaches;
- If disciplinary action has been taken against a college member who has breached an individual’s privacy;
- If disciplinary action has been taken against a non-college member for a breach of privacy;
- Where there has been a significant breach (e.g. the information is sensitive, a large volume of personal health information is involved, or more than one health professional or agent, such a service provider, was responsible for the breach).
The categories are not mutually exclusive – more than one can apply to a single privacy breach.
As stated by Commissioner Brian Beamish, the new rules are intended to “improve accountability and transparency in Ontario’s health care system. And clearly they should impress upon the health sector that strong security safeguards need to be in place for the personal health information that the public entrust their caregivers and the health network with.
Privacy breaches must be taken seriously, regardless of the number of records affected. As the health sector’s privacy regulator, the new rules will give the IPC a better perspective on whether health organizations in the province are making patient privacy a priority. And in today’s world of cybersecurity threats, medical snooping and other privacy risks, the new reporting rules are certainly in line with other regulator efforts to direct breach response plans and protect individuals from harm (see the draft breach notification and regulations published under PIPEDA).
For assistance with your data breach response strategy, or to ensure compliance with the new PHIPA regulations, contact PRIVATECH.
Related Blog Article: Ontario’s Health Sector Must Prepare for PHIPA Changes