Health Privacy Breach Statistical Report FAQ

Do I have to submit a health privacy breach statistics report?

Yes, if you are both a health information custodian and a FIPPA/MFIPPA institution whether you have experienced health breaches or not.

Yes, if you are a health information custodian and have experienced health breaches.

No, if you are a health information custodian and have experienced 0 (zero) breaches.

Note for coroners to whom Ontario Health provides personal health information that is accessible by means of the electronic health record: the requirement to submit a health privacy breach statistics report applies, with any necessary modification, to such coroners as if they were health information custodians.

How do I submit my health privacy breach statistics?

You must submit your report online at https://statistics.ipc.on.ca.

How do I do it?

Use the workbook and guide posted on the statistics website. It has all the instructions for submitting your health privacy breach statistics.

Also see: How to Register and Submit Your Annual Health Information Breach Statistics

What is the deadline for submitting my statistics?

All reports must be submitted by Friday, March 1, 2024.

Can I fill out the workbook and mail or fax it to the IPC?

No. Fax or mailed copies will not be accepted. The questionnaire must be filled out online at statistics.ipc.on.ca.

Where do I get a login for the statistics website?

Visit our Registration for Statistical Reporting page to set up an account and get a login id and a password. You will need to include:

the name of your organization
the name and e-mail address of the head of the organization
the name, mailing address, e-mail address, and telephone number of the person responsible for completing the report (the primary contact)
your language preference (English or Français)

Once you have started the questionnaire, you can log off the system at any time and it will remember where you left when you log on the next time. This means you do not have to complete and submit your questionnaire all in one session as long as you complete and submit it on or before Friday, March 1, 2024.

I already have a login ID and password for the statistics I submitted under FIPPA/MFIPPA and my PHIPA report. Do I need a separate login for submitting health privacy breach statistics?

Not necessarily.

You have three options for logging in:

Use a single login id and password to submit your FIPPA/MFIPPA report, your PHIPA access report, and your PHIPA privacy breach statistics report. Having a single login id and password is convenient if the same person will be submitting all three reports.
One login id and password for FIPPA/MFIPPA and a second login id and password for the two PHIPA reports.
Separate logins and passwords for each of the three reports.

The option you choose all depends on the structure of your institution and how you assign statistics reporting. Please indicate in your email to the IPC whether you want a single login id set or two or three separate ones.

We are only subject to PHIPA and not to FIPPA/MFIPPA. We didn’t have any breaches. Do I need to submit anything?

No. If a health information custodian is only subject to PHIPA and has no breaches to report, then it doesn’t need to submit a breach statistics report.

We are a health information custodian as well as an institution under FIPPA/MFIPPA, but we have no breaches to report. Do I need to submit a report?

Yes, however in this case you only need to complete part one of the breach statistics report.

Our institution has several health care practitioners on our staff. Do we submit a separate report for each practitioner?

That depends on who is the health information custodian. If your institution is the health information custodian, then the institution submits the report. Alternatively, if the health care practitioner is the custodian, then they would have to submit a report separately, but only if they have experienced one or more breaches.

We had a breach that fit into more than one category of reportable breaches (e.g., the personal health information was stolen, used, and disclosed). Do we report once or in each category?

You would report the breach once, under the category that best fits the circumstances of the breach.

Occasionally we have incidents where an employee opens a wrong file by mistake, but quickly realizes the mistake and closes the file (e.g. pulls the wrong paper file off a shelf, or clicks on the wrong name in a list of names on the screen). We didn’t report them to the patient or the IPC. Do we submit these incidents in the annual report?

No, you do not have to report on those kinds of incidents in the annual statistics report.

What about an incident that did not meet the criteria to report to the IPC under section 6.3 or section 18.3 (or for coroners, clause 18.10(4)(b)) of the Regulation at the time it happened, but where we did notify the patient?

As a rule of thumb, anything that required notice to a patient under subsection 12(2) or clause 55.5(7)(a) of PHIPA (or for coroners, clause 18.10(4)(a) of the Regulation) should be included in the statistical report, even if you did not need to report it to the IPC under the Regulation.

Can institutions or health information custodians see the stats before they go public?

The IPC does not release a preview of its annual report to institutions or health information custodians before it is published.

Will the IPC include the name of my institution or health information custodian in health privacy breaches section of the annual report?

No. The IPC’s annual report will only include statistics related to categories of institutions and health information custodians and types and numbers of health privacy breaches.

Who can I contact if I need more information or have questions?

If you have any questions, please email @email or call 416-326-3333 (Toronto) or toll-free at 1-800-387-0073.