The Ontario Privacy Commissioner Awaits your Health Privacy Breach Statistics

2018 saw many initiatives to strengthen privacy laws and enforcement in Canada. In particular, there was a heavy focus on breach reporting to the relevant privacy regulators. A few examples are the coming into force of mandatory breach reporting under PIPEDA and provincial laws such as Ontario’s Personal Health Information Protection Act as well as Alberta’s Health Information Act.

This article focuses on the breach statistics reporting requirements for health information custodians in Ontario and related guidance released by the Ontario Information and Privacy Commissioner (IPC) in December 2018.

This requirement is found in section 6.4 of Ontario Regulation 329/04 that came into force under PHIPA last year. It reads:

(1) On or before March 1 in each year starting in 2019, a health information custodian shall provide the Commissioner with a report setting out the number of times in the previous calendar year that each of the following occurred:

  1. Personal health information in the custodian’s custody or control was stolen.
  2. Personal health information in the custodian’s custody or control was lost.
  3. Personal health information in the custodian’s custody or control was used without authority.
  4. Personal health information in the custodian’s custody or control was disclosed without authority.

(2) The report shall be transmitted to the Commissioner by the electronic means and format determined by the Commissioner.

In November 2017, the Ontario IPC released an extremely useful guidance document that outlined for the health sector the information that the IPC will require in the annual report.

The IPC recently announced that their office’s online statistics submission website is now open. Institutions/medical practices must request a login ID from in order to complete an on-line questionnaire to create their annual report and submit it using the IPC’s portal. Workbooks and fact sheets are also available to assist in meeting the new requirements.

Note that health information custodians that are also institutions under FIPPA/MFPPA (e.g. health units, public hospitals) must submit health privacy breach statistics, even if they experienced no breaches during the 2018 reporting year. Health information custodians that are not institutions under FIPPA/MFIPPA only need to submit breach statistics if they experienced a breach. Examples of custodians include doctors, nurses, dentists and other regulated health professionals governed by the Regulated Health Professions Act.

If such Ontario health organizations have not already organized their breach records to support the breach statistics reporting requirements (with a deadline of March 1, 2019 for breaches that occurred in the 2018 calendar year), we strongly recommend that you familiarize yourselves with the new requirements.

For assistance with breach reporting and statistics, contact PRIVATECH.