New Mandatory Reporting of Privacy Breaches to the Information and Privacy Commissioner of Ontario under the Personal Health Information Protection Act, 2004

  • December 13, 2017
  • Roberto Ghignone

As of October 1, 2017, health information custodians (“HICs”) are required to notify the Information and Privacy Commissioner ("IPC") when they have reasonable grounds to believe there has been a breach of the Personal Health Information Protection Act, 2004 ("PHIPA").[1] The IPC has also published a guideline, Reporting a Privacy Breach to the Commissioner (“IPC Reporting Guidelines”), to assist HICs in interpreting the notification requirement under the new regulations.[2] This bulletin will outline the circumstances in which notification to the IPC is required under section 6.3 of the regulations.

We note that the circumstances requiring notification to the patient under PHIPA are unchanged. The change to PHIPA is that notification to the IPC is now required in specified circumstances.


Where Information Has Been Lost, Stolen or Used or Disclosed Without Authority

A HIC will be required to notify the IPC where it has reasonable grounds to believe that personal health information in its custody or control "was used or disclosed without authority by a person who knew or ought to have known" that he or she did not have permission to do so under subsection 6.3(1)(1) of the regulations. In particular, notification will be required in cases of snooping of personal health information. A HIC is not required to notify the IPC where information was inadvertently viewed or disclosed. For example, the IPC Reporting Guidelines state that a letter inadvertently sent to the wrong address would not generally need to be reported to the IPC.

HICs are also required to notify the Commissioner where they have reasonable grounds to believe that personal health information has been stolen under subsection 6.3(1)(2); where there was or will be further disclosure of personal health information that was lost, used or disclosed without authority under subsection 6.3(1)(3); and where there has been a pattern of similar losses of personal health information or of unauthorized uses or disclosures under subsection 6.3(1)(4). For example, the IPC Reporting Guidelines suggest that notification is required if a HIC experienced a series of incidents where personal health information was inadvertently disclosed to the wrong recipient.


Additional Circumstances

IPC notification is also required in two additional circumstances: 1) where an agent has been disciplined by the HIC, and 2) where the privacy breach is "significant".


1. Discipline of agents for privacy breaches

Section 17.1 of PHIPA requires HICs to report agents to their regulatory College if the agent was disciplined for the "unauthorized collection, use, disclosure, retention or disposal of personal health information” or resigned in anticipation of discipline. The regulations now provide that the IPC must be notified where the regulatory College receives notice of a privacy breach.

The regulations, however, extend the requirement to notify the IPC of agents who are not members of a regulatory College, as if they were a member of a regulatory College under subsection 6.3(1)(6). In practice, these sections will require that HICs notify the IPC when any agent is disciplined for a privacy breach.


2. "Significant" privacy breaches

The IPC must also be notified where the loss, unauthorized use, or disclosure is "significant". While the term "significant" is not defined in the regulations or the Act, subsection 6.3(1)(7) lists four factors that a HIC should consider:

1. Whether the personal health information at issue is sensitive;
2. Whether the breach involved a large volume of information;
3. The number of individuals the information relates to; and
4. The number of health information custodians involved.

The goal of this subsection is to capture any large or extensive privacy breach that was not captured by the previous circumstances. Further, according to the IPC Reporting Guidelines, an accidental disclosure should be considered “significant” if the personal health information disclosed is particularly sensitive, for example, a mental health assessment.

Practical Impact

Overall, IPC notification will be required in almost all cases where patient notification is required. The intention appears to be to ensure that the IPC is made aware of nearly all privacy breaches so that the systemic causes of privacy breaches can be addressed. In the short term, the regulations will likely generate a significant increase in the number of notifications to the IPC and a corresponding increase in investigations and orders relating to HICs. As such, HICs should review and update their policies and procedures in respect of privacy breach prevention, notification, and investigation.


About the author

Roberto Ghignone, Senior Associate, Borden Ladner Gervais LLP


[1] PHIPA, s. 12(3) and PHIPA General Regulation, s. 6.3

[2] Reporting a Privacy Breach to the Commissioner: Guidelines for the Health Sector, September 2017, Information and Privacy Commissioner of Ontario