Privacy Breach Reporting Requirements
Ensure you understand the requirements for reporting privacy breaches

What Members Need to Know:

The Personal Health Information Protection Act (PHIPA) requires all Health Information Custodians (HICs) to report certain privacy breaches, including:

  1. Annually submitting counts of instances where personal health information (PHI) under their custody or control was lost, stolen, or used or disclosed without authority
  2. Notifying the individual (patient) and, in certain circumstances, the Information and Privacy Commissioner of Ontario (IPC), of a breach upon discovery.

Reporting privacy breaches is the responsibility of the HIC, which may or may not be the physician. Reporting is required by law.

1. Annual Reporting of Privacy Breach Statistics

It is now required by law in Ontario for all HICs to report statistics about privacy breaches that occurred or were discovered in the previous calendar year involving patient records in their custody or control.

Whether a report is required depends on the type of HIC and on the number of privacy breaches that occurred or were discovered in 2018:

  • HIC that is not an institution subject to FIPPA/MFIPPA
    • 0 breaches: reporting is not required. Do not submit a report.
    • 1 or more breaches: reporting is required. Complete all sections of the online report.
  • HIC that is also an institution subject to FIPPA/MFIPPA
    • 0 breaches: reporting is required. Complete only section 1.
    • 1 or more breaches: reporting is required. Complete all sections of the online report.

All 2018 reports must be submitted online only at https://statistics.ipc.on.ca by March 1, 2019.
    Who Needs to Report:

    All Health Information Custodians (HICs) who experienced or discovered one or more privacy breaches in 2018 must submit a report.

    A physician is not always the HIC.

    Depending on how the practice is set up, the HIC can often be the clinic owner or other person operating a group of health care practitioners. In a large organization, the individual physician is almost never the HIC; in these cases, the physician should follow the organization’s policies on reporting privacy breaches.

    How to Report:

    Reports must be submitted online only using the form provided by the IPC at: https://statistics.ipc.on.ca by March 1, 2019. Mailed or faxed reports will not be accepted. A username and password are required to access the site. To get one, email statistics.ipc@ipc.on.ca with:

    • The name of your HIC
    • The name and email of the person responsible for the content of the report
    • The name, email, telephone and fax numbers and the mailing address of the person responsible for completing the report

    You should receive a response within 1-2 business days.

    Notes:

    • A staff member (e.g., administrative assistant) may submit the report on behalf of the HIC
    • You may report in batches; the system will remember where you left off when you next log on
    • You may make changes to reported information up until March 1, 2019
    • The online reporting system will not be accessible after March 1, 2019

    What Information to Report:

    For any privacy breaches that occurred or were discovered in 2018, the following information must be reported:

    For each privacy breach type, the form asks for three things: the total number of breaches of that type, the number of individuals affected by each breach of that type (a count for each range), and the circumstances of each breach of that type (a count for each circumstance).

    Personal health information was: Stolen

    Count (total number of breaches of this type): __________

    Number of individuals affected by each breach of this type (count of each):
    • _ 1
    • _ 2-10
    • _ 11-50
    • _ 51-100
    • _ >100

    Circumstances of each breach of this type (count of each):
    • _ Stolen by an internal party
    • _ Stolen by a stranger
    • _ Stolen as a result of a ransomware attack
    • _ Stolen as a result of another cyber attack
    • _ Theft of an unencrypted electronic device (e.g. USB stick)
    • _ Theft of paper records
    • _ Other

    Personal health information was: Lost

    Count (total number of breaches of this type): __________

    Number of individuals affected by each breach of this type (count of each):
    • _ 1
    • _ 2-10
    • _ 11-50
    • _ 51-100
    • _ >100

    Circumstances of each breach of this type (count of each):
    • _ Lost as a result of a ransomware attack
    • _ Lost as a result of another cyber attack
    • _ Loss of an unencrypted electronic device (e.g. USB stick)
    • _ Loss of paper records
    • _ Other

    Personal health information was: Used without authority

    Count (total number of breaches of this type): __________

    Number of individuals affected by each breach of this type (count of each):
    • _ 1
    • _ 2-10
    • _ 11-50
    • _ 51-100
    • _ >100

    Circumstances of each breach of this type (count of each):
    • _ Unauthorized use via electronic records
    • _ Unauthorized use via paper records
    • _ Unauthorized use through other means

    Personal health information was: Disclosed without authority

    Count (total number of breaches of this type): __________

    Number of individuals affected by each breach of this type (count of each):
    • _ 1
    • _ 2-10
    • _ 11-50
    • _ 51-100
    • _ >100

    Circumstances of each breach of this type (count of each):
    • _ As a result of a misdirected fax
    • _ As a result of a misdirected email
    • _ Through other means

    Note: a single privacy breach may fit into more than one of the above categories (e.g. type and/or circumstance); in this case, report the event under the type that best fits.

    Example:

    A group specialty practice experienced three privacy breaches in 2018:

    • Theft of an unencrypted USB stick with ten patients’ records on it
    • Theft of 200 patient records via ransomware attack
    • Misdirected fax containing one patient’s record

    The following information would need to be reported by the HIC by March 1, 2019 as part of the annual reporting submission:

    Personal health information was: Stolen

    Count (total number of breaches of this type): ____2_____

    Number of individuals affected by each breach of this type (count of each):
    • _ 1
    • 1 2-10
    • _ 11-50
    • _ 51-100
    • 1 >100

    Circumstances of each breach of this type (count of each):
    • _ Stolen by an internal party
    • _ Stolen by a stranger
    • 1 Stolen as a result of a ransomware attack
    • _ Stolen as a result of another cyber attack
    • 1 Theft of an unencrypted electronic device (e.g. USB stick)
    • _ Theft of paper records
    • _ Other

    Personal health information was: Lost

    Count (total number of breaches of this type): __________ (no breaches of this type; all entries left blank)

    Personal health information was: Used without authority

    Count (total number of breaches of this type): __________ (no breaches of this type; all entries left blank)

    Personal health information was: Disclosed without authority

    Count (total number of breaches of this type): ____1_____

    Number of individuals affected by each breach of this type (count of each):
    • 1 1
    • _ 2-10
    • _ 11-50
    • _ 51-100
    • _ >100

    Circumstances of each breach of this type (count of each):
    • 1 As a result of a misdirected fax
    • _ As a result of a misdirected email
    • _ Through other means
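The tabulation the example above walks through by hand, as an added example that is not part of the OMA page or the IPC form: the event dictionaries, their field names and the `sections_to_complete` helper (which encodes the HIC-type table from the start of this section) are assumptions constructed here to mirror the page's three-breach practice.

```python
from collections import Counter

# Breach types reported on the IPC annual statistics form.
BREACH_TYPES = ("stolen", "lost", "used_without_authority", "disclosed_without_authority")

def sections_to_complete(breaches_in_year, is_fippa_institution):
    """Which part of the online report applies (page's HIC-type table); None = no report."""
    if breaches_in_year >= 1:
        return "all sections"
    return "section 1 only" if is_fippa_institution else None

def affected_band(n):
    """Map the number of individuals affected by one breach to the form's ranges."""
    if n < 1:
        raise ValueError("a reportable breach affects at least one individual")
    for upper, label in ((1, "1"), (10, "2-10"), (50, "11-50"), (100, "51-100")):
        if n <= upper:
            return label
    return ">100"

def tabulate(events):
    """Aggregate breach events into the per-type figures the annual form asks for.

    Each event is a dict with keys "type" (one of BREACH_TYPES), "individuals"
    (int) and "circumstance" (one label from the form). Following the page's
    note, every event is counted once, under the type that best fits it.
    """
    report = {t: {"count": 0, "individuals": Counter(), "circumstances": Counter()}
              for t in BREACH_TYPES}
    for ev in events:
        if ev["type"] not in BREACH_TYPES:
            raise ValueError(f"unknown breach type: {ev['type']!r}")
        row = report[ev["type"]]
        row["count"] += 1
        row["individuals"][affected_band(ev["individuals"])] += 1
        row["circumstances"][ev["circumstance"]] += 1
    return report

# Constructed sample: the page's group specialty practice with three 2018 breaches.
SAMPLE_2018 = [
    {"type": "stolen", "individuals": 10,
     "circumstance": "Theft of an unencrypted electronic device (e.g. USB stick)"},
    {"type": "stolen", "individuals": 200,
     "circumstance": "Stolen as a result of a ransomware attack"},
    {"type": "disclosed_without_authority", "individuals": 1,
     "circumstance": "As a result of a misdirected fax"},
]

if __name__ == "__main__":
    print("report:", sections_to_complete(len(SAMPLE_2018), is_fippa_institution=False))
    for btype, row in tabulate(SAMPLE_2018).items():
        print(btype, row["count"], dict(row["individuals"]), dict(row["circumstances"]))
```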

2. Notifying the Individual and IPC of a Privacy Breach Upon Occurrence

In all circumstances, a Health Information Custodian (HIC) is required to notify the individual (i.e. the patient) when a privacy breach of their personal health information has occurred. In certain circumstances, the HIC is also required to notify the Information and Privacy Commissioner of Ontario (IPC).

  • Type of breach: PHI was stolen
    • Notify the individual (i.e. the patient): Yes
    • Notify the IPC: Yes, if the PHI was not de-identified or encrypted
  • Type of breach: PHI was lost, used, or disclosed without authority
    • Notify the individual (i.e. the patient): Yes
    • Notify the IPC: Yes, only if any of the following applies:
      1. The PHI was used or disclosed without authority by a person who knew or ought to have known that they were doing so
      2. The PHI in question continues to be used or disclosed without authority after an initial loss or unauthorized use or disclosure
      3. There is a pattern of similar losses, or unauthorized uses or disclosures of PHI
      4. The situation would require you to report the behaviour to a regulatory college, if the employee or agent involved is a member of a regulatory college
      5. The privacy breach is deemed to be significant after considering all relevant circumstances, including:
        • whether the information is sensitive
        • whether the breach involves a large volume of information
        • whether the breach involves many individuals’ information, and
        • whether there is more than one custodian or agent responsible for the breach.

When the privacy breach involves a regulated healthcare professional, the HIC is also required to report the individual to their regulatory college in select situations.

    Who Needs to Report:

    Any Health Information Custodian (HIC) who discovers a privacy breach as a result of theft, loss, or unauthorized use or disclosure of PHI that is in their custody or control.

    A physician is not always the HIC.

    Depending on how the practice is set up, the HIC can often be the clinic owner or other person operating a group of health care practitioners. In a large organization, the individual physician is almost never the HIC; in these cases, the physician should follow the organization’s policies on reporting privacy breaches.

    How to Report:

    Notifying Affected Patients:

    The HIC must notify the patient of any theft, loss, or unauthorized use or disclosure of PHI at the first reasonable opportunity.

    The notification must include a statement that the individual is entitled to make a complaint to the IPC. Information on how patients can file a complaint with the IPC, and a link to the IPC complaint form, are available on the IPC website.3

    PHIPA does not specify how the notification must be carried out. For example, the HIC can notify the affected individual by telephone or in writing or, depending on the circumstances, make a note in the patient’s file to discuss it at his/her next appointment.

    The HIC should consider the sensitivity of the PHI that was compromised and use best judgment to determine the appropriate way to notify the individual.

    Notifying the IPC:

    To report the types of privacy breaches listed above upon occurrence, use the online form provided by the IPC.4

    You may also submit a breach report by mail, email, or fax to:

    Registrar
    Information and Privacy Commissioner of Ontario
    2 Bloor Street East, Suite 1400
    Toronto, Ontario M4W 1A8
    Email: reportabreach@ipc.on.ca
    FAX: 416-325-9188

    Notifying Regulatory Colleges:

    If a HIC employs, extends privileges to or is affiliated with a regulated health professional who is involved in a privacy breach, the HIC must report that individual to their regulatory college within 30 days of the privacy breach occurring when:

    • the individual is an employee/agent of the HIC and their privacy breach results in:
      • termination, suspension, or disciplinary action, or
      • resignation, which the HIC reasonably believes is the result of an investigation or other action related to the alleged breach
    • the individual has privileges or is affiliated with the HIC and their privacy breach results in:
      • suspension, restriction or revocation of their privileges or affiliation with the HIC, or
      • relinquishment or voluntary restriction of their privileges or affiliation, which the HIC reasonably believes is the result of an investigation or other action related to the alleged breach

    When to Report:

    Examples of when it is mandatory to report a privacy breach to the IPC:

    1. PHI was used or disclosed without authority by a person who knew or ought to have known that they were doing so.
       Example: A nurse looks at his neighbour’s medical record for no work-related purpose.
    2. PHI that was not de-identified or properly encrypted is stolen.
       Example: Theft of a laptop computer containing PHI that was not encrypted.
    3. Further use or disclosure of a patient’s PHI following an initial privacy breach.
       Example: A custodian inadvertently sends a fax containing PHI to the wrong recipient and, although the recipient returned the fax, the custodian becomes aware that he or she kept a copy and is threatening to make it public.
    4. The loss or unauthorized use or disclosure of PHI is part of a similar pattern.
       Example: A letter to a patient inadvertently included the PHI of another patient. The same mistake recurs several times over a couple of months as a result of a new automated process for generating letters.
    5. The HIC is required to give notice to a regulatory college of an event, in accordance with PHIPA, as it relates to a loss or unauthorized use or disclosure of PHI.
       Example: A hospital suspends the privileges of a physician for accessing the personal health information of her ex-spouse for no work-related purpose. The hospital must report this to the College of Physicians and Surgeons of Ontario and to the IPC.
    6. Losses or unauthorized uses and disclosures of PHI occur by a non-college member (i.e. unregulated staff) in the same circumstances in which a HIC would be required to notify a regulatory college.
       Example: A hospital registration clerk posts information about a patient on social media and the hospital suspends the clerk. The clerk does not belong to a regulated health professional college.
    7. The circumstances do not meet any of the requirements above, but the loss or unauthorized use or disclosure of PHI is determined to be significant after considering all relevant circumstances. To determine significance, a HIC must consider whether:
       • the information is sensitive,
       • the breach involves a large volume of information,
       • the breach involves many individuals’ information, or
       • more than one HIC or agent is responsible for the breach.
       Example: Disclosing a patient’s PHI to a large email distribution group rather than just to the patient’s healthcare practitioner.
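The notification table at the start of this section and the "When to Report" examples above, encoded as a triage check. This is an added example, not code from the OMA page or the IPC: the `Breach` record, its field names and the sample cases are assumptions constructed here, and each Boolean input stands for a finding the HIC has already made about the incident.

```python
from dataclasses import dataclass

# Triggers from the page's "Yes, only if" list for lost / used / disclosed PHI.
IPC_TRIGGERS = {
    "knew_or_ought_to_have_known": "used or disclosed by a person who knew or ought to have known",
    "continuing": "PHI continues to be used or disclosed after the initial breach",
    "pattern": "part of a pattern of similar losses, uses or disclosures",
    "college_reportable": "HIC must notify a regulatory college (or unregulated staff in the same circumstances)",
    "deemed_significant": "deemed significant after considering all relevant circumstances",
}

@dataclass(frozen=True)
class Breach:
    kind: str                                # "stolen", "lost", "used" or "disclosed"
    deidentified_or_encrypted: bool = False  # decisive only when kind == "stolen"
    knew_or_ought_to_have_known: bool = False
    continuing: bool = False
    pattern: bool = False
    college_reportable: bool = False
    # Judged from sensitivity, volume, number of individuals, and whether more
    # than one custodian or agent is responsible (the page's significance factors).
    deemed_significant: bool = False

def notify_patient(b):
    """The page: the affected individual is notified in all circumstances."""
    return True

def ipc_notification_reasons(b):
    """Return the triggers that apply; a non-empty list means the IPC must be notified."""
    if b.kind == "stolen":
        return [] if b.deidentified_or_encrypted else ["stolen PHI was not de-identified or encrypted"]
    if b.kind not in ("lost", "used", "disclosed"):
        raise ValueError(f"unknown breach kind: {b.kind!r}")
    return [text for attr, text in IPC_TRIGGERS.items() if getattr(b, attr)]

def notify_ipc(b):
    return bool(ipc_notification_reasons(b))

# Constructed cases mirroring the page's "When to Report" examples.
CASES = {
    "nurse reads neighbour's record": Breach(kind="used", knew_or_ought_to_have_known=True),
    "unencrypted laptop stolen": Breach(kind="stolen"),
    "encrypted laptop stolen": Breach(kind="stolen", deidentified_or_encrypted=True),
    "misdirected fax, copy kept": Breach(kind="disclosed", continuing=True),
    "repeated mis-addressed letters": Breach(kind="disclosed", pattern=True),
}

if __name__ == "__main__":
    for name, b in CASES.items():
        print(f"{name}: patient={notify_patient(b)} IPC={ipc_notification_reasons(b) or 'not required'}")
```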

Additional Support Available:

General Privacy Education

To learn more about PHIPA and your responsibilities, please review the Privacy Training module prepared by OntarioMD.

  • This module has been certified as a Self-Learning Program by the College of Family Physicians of Canada for two Mainpro + credits upon successful completion of the training.
  • This module can be claimed for credit(s) under the Royal College Maintenance of Certification (MOC) Program as a Section 2: Personal Learning Project for 2 credits/hour.

Contact Information:

For more information, please contact the following:

  • For questions about annual reporting: Information and Privacy Commissioner of Ontario
    By email: statistics.ipc@ipc.on.ca
    By phone: 416 326-3333 or 1-800-387-0073 from 8:30 a.m. - 5 p.m. EST Monday-Friday
  • For questions about reporting upon occurrence: Information and Privacy Commissioner of Ontario
    By email: info@ipc.on.ca
    By phone: 416 326-3333 or 1-800-387-0073 from 8:30 a.m. - 5 p.m. EST Monday-Friday
  • For questions about PHIPA and your responsibilities: OMA Legal Services
    By email: Legal.Affairs@oma.org
    By phone: 1.800.268.7215 or 416.599.2580 Ext: 3997
  • For questions about the OntarioMD Privacy and Security Training Module or for help to access the module: OntarioMD
    By email: support@ontariomd.com

Health Information Custodian (HIC)

A HIC refers to a person or organization described in one of the following paragraphs who has custody or control of personal health information as a result of or in connection with performing the person’s or organization’s powers or duties or the work described in the paragraph, if any 1:

  1. A health care practitioner or a person who operates a group practice of health care practitioners.

  2. A service provider within the meaning of the Home Care and Community Services Act, 1994 who provides a community service to which that Act applies.

    Note:

    • A HIC is responsible for collecting, using and disclosing personal health information and for taking steps to ensure that the personal health information in their custody or control (i.e. medical records) is protected against theft, loss and unauthorized use or disclosure.
    • A physician is not always the HIC. Depending on how the practice is set up, the HIC can often be the clinic owner or other person operating a group of health care practitioners.

Privacy Breach

A privacy breach occurs when Ontario’s Personal Health Information Protection Act (PHIPA) has been contravened, for example, where personal health information is stolen, lost, or used or disclosed without authority.2

Personal Health Information (PHI)

Identifying information about an individual in oral or recorded form, if the information1:

  • relates to the physical or mental health of the individual, including information that consists of the medical history of the individual’s family,
  • relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual,
  • is a plan of services within the meaning of the Home Care and Community Services Act, 1994 for the individual,
  • relates to payments or eligibility for health care, or eligibility for coverage for health care, in respect of the individual,
  • relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such body part or bodily substance,
  • is the individual’s health number, or
  • identifies an individual’s substitute decision-maker.

Count privacy breaches that were discovered in 2018 even if they occurred in a previous calendar year.

Institutions

Institutions subject to FIPPA/MFIPPA are listed in the Government of Ontario's Directory of Institutions.

Agent of a HIC

A person that, with the authorization of the HIC, acts for or on behalf of the HIC in respect of personal health information for the purposes of the HIC, and not the agent’s own purposes, whether or not the agent has the authority to bind the HIC, whether or not the agent is employed by the HIC and whether or not the agent is being remunerated.1

References:
  1. Government of Ontario. (2004). Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A. Toronto, ON: Queen’s Printer for Ontario. Retrieved from: https://www.ontario.ca/laws/statute/04p03
  2. Information and Privacy Commissioner of Ontario. Responding to a Privacy Breach [Internet]. Toronto, ON: Information and Privacy Commissioner of Ontario. Retrieved from: https://www.ipc.on.ca/health/breach-reporting-2/
  3. Information and Privacy Commissioner of Ontario. Filing a Privacy Complaint [Internet]. Toronto, ON: Information and Privacy Commissioner of Ontario. Retrieved from: https://www.ipc.on.ca/privacy/filing-a-privacy-complaint/
  4. Information and Privacy Commissioner of Ontario. Privacy Breach Report Form [Internet]. Toronto, ON: Information and Privacy Commissioner of Ontario. Retrieved from: https://www.ipc.on.ca/health/report-a-privacy-breach/privacy-breach-report-form/