Report a privacy breach
Under subsection 12(3) and clause 55.5(7)(b) of the Personal Health Information Protection Act (the act) and its related regulation, custodians must notify the Information and Privacy Commissioner of Ontario (IPC) at the first reasonable opportunity about certain privacy breaches.1
As a custodian, you must report breaches to the IPC in seven categories described in the regulation and summarized below. The categories are not mutually exclusive; more than one can apply to a single privacy breach. If at least one of the situations applies, you must report it. The following is a summary — for the complete wording of the regulation, see the Regulations webpage.
It is important to remember that even if you do not need to notify the IPC, you have a separate duty to notify individuals whose privacy has been breached under subsection 12(2) or clause 55.5(7)(a) of the act.2
Situations where you must notify the IPC of a privacy breach
There may be situations where you or another person uses or discloses personal health information in your custody or control without authority. You must report such breaches to the IPC where the person committing the breach either knew or should have known that their actions were not permitted under the law. That person could be your employee, a health care practitioner with privileges, a third party (such as a service provider), or even someone with no relationship to you.
One example is where an employee looks at the personal health information of their neighbour, a friend’s child, or a celebrity, for a non-work related purpose. This is called “snooping.”
Whether done maliciously or out of curiosity or even concern, snooping is a type of unauthorized use of information. Regardless of the motive, you must report this type of breach to the IPC.
By contrast, you generally do not need to notify the IPC when the breach is accidental, for example, if information is inadvertently sent by email or courier to the wrong person, or a letter is placed in the wrong envelope. Also, you do not need to notify the IPC when a person who is permitted to access patient information accidentally accesses the wrong patient record. However, you must report even accidental privacy breaches if they fall into one of the other categories below.
If you believe personal health information was stolen you must report it to the IPC. A typical example would be where someone has stolen paper records, a laptop, a USB drive, or other electronic device. Another example would be where personal health information is subject to a ransomware or other malware attack. You must report these types of breaches to the IPC.
You do not need to notify the IPC if the stolen information was de-identified or encrypted.
3. Further use or disclosure without authority after a breach
Following an initial privacy breach, you may become aware that the information was or will be further used or disclosed without authority. If this is the case, you must report it to the IPC.
For example, an employee accidentally sends a letter containing a patient’s personal health information to the wrong person. Although the person returned the letter to you, you learn that they kept a copy and are threatening to make the information public. Even if you did not report the initial incident, you must notify the IPC of this situation.
Another example is where you learn an employee wrongfully accessed a patient’s personal health information and subsequently used this information to market products or services or to commit fraud (for example, health care or insurance fraud). You would also need to report this breach.
Even if a privacy breach is accidental or insignificant, you must report it to the IPC if it is part of a pattern of similar breaches. Such a pattern may reflect systemic issues that need to be addressed, such as inadequate training or procedures.
For example, you discover that a letter to a patient inadvertently included information relating to a different patient. Over a few months, the same mistake is repeated several times because an automated process for generating letters has been malfunctioning for some time. You should report this to the IPC.
Use your judgment in deciding if a privacy breach is an isolated incident or part of a pattern. Consider, for instance, the time between the breaches and their similarities. Keeping track of privacy breaches in a uniform way can help you identify patterns.
If you are required to report an employee or another agent to a health regulatory college because of a breach, you must also report the breach to the IPC.
Where the agent is a member of a college, you must notify the IPC of a privacy breach if:
you terminate, suspend or discipline them as a result of the breach
they resign and you believe this action is related to the breach
Where a health care practitioner with privileges or otherwise affiliated with you is a member of a college, you must notify the IPC of a privacy breach if:
you revoke, suspend or restrict their privileges or affiliation as a result of the breach
they give up or voluntarily restrict their privileges or affiliation with you, and you believe this action is related to the breach
For example, a doctor reveals on social media that a well-known individual is receiving services from your hospital. You formally discipline the doctor by placing a written reprimand in their personnel file. Or, an employee resigns, and you suspect the resignation relates to their recent breach of patient privacy. You should report these breaches to the IPC.
Similar requirements apply to health care practitioners who are employed to provide health care for a board of health.
6. Disciplinary action against a non-college member
Not all agents of a custodian are members of a college. If an agent is not a member, you must still notify the IPC in the same circumstances that would have triggered notification to a college.
For example, a registration clerk has an unpleasant encounter with a patient and posts information about the patient on social media. You suspend the clerk for a month. Although the clerk is not a member of a college, you must still report this privacy breach.
Even if none of the above six circumstances apply, you must notify the IPC if the privacy breach is significant. To decide whether a breach is significant, you must consider all the relevant circumstances, including whether
the information is sensitive
the breach involves a large volume of information
the breach involves many individuals’ information
more than one custodian or agent was responsible for the breach
For example, you are a health care practitioner and you accidentally disclose a patient’s mental health assessment to other practitioners through a group email, rather than to just the patient’s physician. This information is highly sensitive and you disclosed it to a number of persons to whom you did not intend to send the information. Or, you post detailed information on a website about a group of patients receiving specialized treatment for an unusual health issue. It comes to your attention that while you did not use any patients’ names, others can easily identify them. This breach involves many patients, whose information has potentially been made widely available. You should report these types of breaches to the IPC.
Note that even breaches that cause no particular harm may still be significant. For example, the recipients of a misdirected group email that contains a patient’s mental health assessment may, upon realizing the mistake, delete the email and successfully contain the breach. Containing the breach might minimize or eliminate the potential for harm to the patient, but the breach may still be significant in that it reveals an underlying problem in your information policies and practices.
Unauthorized collection by means of the EHR
Custodians may collect, use, and disclose personal health information by means of the electronic health record (EHR) according to the rules set out in Part V.1 of the act.
In the EHR context, custodians must comply with the breach notification requirements set out elsewhere in the act, as well as an additional requirement: if personal health information is collected without authority by means of the EHR, the custodian responsible for the collection must, in certain circumstances, notify the IPC. That is, if the unauthorized collection by means of the EHR had been a use or disclosure under any of the seven circumstances described on this page, the custodian must notify the IPC at the first reasonable opportunity.
For example, one of the circumstances described on this page is that the use or disclosure is part of a pattern. This means that the custodian must notify the IPC if an unauthorized collection by means of the EHR is part of a pattern.
Annual report to the commissioner
By March 1, custodians are required to provide the IPC with an annual report of the previous calendar year’s statistics.3 Note that these statistics include privacy breaches that did not meet the threshold for reporting the breach to the IPC. For more information about submitting annual statistics, please see Annual Reporting of Privacy Breach Statistics to the Commissioner.
1 Under subsection 18.10(1) of the regulation, a coroner to whom Ontario Health provides personal health information under subsection 55.9.1 (1) of the act must, with respect to that information, comply with a number of obligations as if the coroner were a custodian, including the obligation to notify the IPC of the breaches described here.
2 Or, for coroners, subsection 18.10(1) or clause 18.10(4)(a) of the regulation.
3 A coroner to whom Ontario Health provides personal health information under subsection 55.9.1(1) of the act must, in respect of that information, comply with this annual statistics requirement, with any necessary modification, as if the coroner were a custodian.
