Privacy breach reporting requirements

Understand the requirements for reporting privacy breaches

The Personal Health Information Protection Act (PHIPA) requires all Health Information Custodians (HICs) to:

  • Annually submit counts of instances where personal health information (PHI) under their custody or control was lost, stolen, used or disclosed without authority
  • Notify the individual (patient) and, in certain circumstances, the Information and Privacy Commissioner of Ontario (IPC), of a breach upon discovery

Annual reporting of privacy breach statistics

Ontario law requires all HICs to report statistics about privacy breaches that occurred or were discovered in the previous calendar year involving patient records in their custody or control.

How to report

Reports must be submitted online using the form provided by the IPC by March 1 of the following calendar year. Mailed or faxed reports will not be accepted. A username and password are required to access the site. To get one, email statistics.ipc@ipc.on.ca with the following:

  • Name of your HIC
  • Name and email of the person responsible for the content of the report
  • Name, email, telephone and fax numbers and mailing address of the person completing the report

You should receive a response within one to two business days.

Note:

  • A staff member (e.g., administrative assistant) may submit the report on behalf of the HIC
  • You may report in batches; the system will remember where you left off when you next log on
  • You may make changes to reported information up until the reporting deadline

Additional support

Information and Privacy Commissioner of Ontario

For questions about annual reporting or reporting upon occurrence, email the IPC or call 1-800-387-0073

OMA Legal Services

For questions about PHIPA and your responsibilities, email legal affairs or call 1-800-268-7215

Who needs to report

All HICs who experienced or discovered one or more privacy breaches in a calendar year must submit a report.

A physician is not always the HIC.

Depending on how the practice is set up, the HIC can often be the clinic owner or another person operating a group of health-care practitioners. In a large organization, the individual physician is rarely the HIC; in these cases, the physician should follow the organization’s policies on reporting privacy breaches.

HIC that is NOT an institution subject to FIPPA/MFIPPA

  • If there were no privacy breaches that occurred or were discovered in the previous calendar year, you are NOT required to submit a report
  • If there were one or more privacy breaches that occurred or were discovered in the previous calendar year, you are required to complete all sections of the online report

HIC that is an institution subject to FIPPA/MFIPPA

  • If no privacy breaches occurred or were discovered in the previous calendar year, you are required to submit a report; complete only section one
  • If one or more privacy breaches occurred or were discovered in the previous calendar year, you are required to complete all sections of the online report

What information to report

Count privacy breaches that were discovered in the previous calendar year, even if they occurred in a year prior to that.

There are four types of privacy breaches. Find out what information needs to be reported for each type.

1. PHI that was stolen

Information to be reported

Total number of this type of breach

Number of individuals affected by each breach:

  • 1
  • 2-10
  • 11-50
  • 51-100
  • >100

Circumstances of each breach of this type:

  • Stolen by an internal party
  • Stolen by a stranger
  • Stolen as a result of a ransomware attack
  • Stolen as a result of another cyber attack
  • Theft of unencrypted electronic device (e.g. USB stick)
  • Theft of paper records
  • Other

Note: a single privacy breach may fit into more than one category (e.g. type and/or circumstance); in this case, report the event as the type that best fits.

2. PHI that was lost

Information to be reported

Total number of this type of breach

Number of individuals affected by each breach:

  • 1
  • 2-10
  • 11-50
  • 51-100
  • >100

Circumstances of each breach of this type:

  • Lost as a result of a ransomware attack
  • Lost as a result of another cyber attack
  • Loss of an unencrypted electronic device (e.g. USB stick)
  • Loss of paper records
  • Other

Note: a single privacy breach may fit into more than one category (e.g. type and/or circumstance); in this case, report the event as the type that best fits.

3. PHI that was used without authority

Information to be reported

Total number of this type of breach

Number of individuals affected by each breach:

  • 1
  • 2-10
  • 11-50
  • 51-100
  • >100

Circumstances of each breach of this type:

  • Unauthorized use via electronic records
  • Unauthorized use via paper records
  • Unauthorized use through other means

Note: a single privacy breach may fit into more than one category (e.g. type and/or circumstance); in this case, report the event as the type that best fits.

4. PHI that was disclosed without authority

Information to be reported

Total number of this type of breach

Number of individuals affected by each breach:

  • 1
  • 2-10
  • 11-50
  • 51-100
  • >100

Circumstances of each breach of this type:

  • As a result of a misdirected fax
  • As a result of a misdirected email
  • Through other means

Note: a single privacy breach may fit into more than one category (e.g. type and/or circumstance); in this case, report the event as the type that best fits.

Notifying the individual and IPC of a privacy breach upon occurrence

In all circumstances, a HIC must notify the patient when a privacy breach of their PHI has occurred. In certain circumstances, the HIC must also notify the IPC.

If PHI was stolen, notify the patient, and also notify the IPC unless the PHI was de-identified or encrypted.

If PHI was lost, used, or disclosed without authority, notify the patient, and notify the IPC if any of the following are true:

  • The PHI was used or disclosed without authority by a person who knew or ought to have known that they were doing so
  • The PHI in question continues to be used or disclosed without authority after an initial loss or unauthorized use or disclosure
  • There is a pattern of similar losses or unauthorized uses or disclosures of PHI
  • The situation would require you to report the behaviour to a regulatory college if the employee or agent involved is a member of a regulatory college
  • The privacy breach is deemed to be significant after considering all relevant circumstances including:
    • If the information is sensitive
    • If the breach involves a large volume of information
    • If the breach involves many individuals’ information
    • If there is more than one custodian or agent responsible for the breach
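As an added worked example (not from this page or from the IPC), the following Python encodes the annual-report counting rules above (per-type totals, the "individuals affected" buckets, circumstance counts, counting by year of discovery) together with the upon-occurrence IPC notification triggers, over a constructed breach register. The register field names are assumptions; the "deemed significant" judgment is left to the custodian and recorded as a flag.

```python
from dataclasses import dataclass
from collections import Counter

def affected_bucket(n: int) -> str:
    """Map a headcount to the annual report's 'individuals affected' bucket."""
    if n < 1:
        raise ValueError("a breach must affect at least one individual")
    for upper, label in ((1, "1"), (10, "2-10"), (50, "11-50"), (100, "51-100")):
        if n <= upper:
            return label
    return ">100"

@dataclass
class Breach:
    breach_type: str       # one of: stolen, lost, used, disclosed
    discovered_year: int   # counted in the year discovered, even if it occurred earlier
    affected: int
    circumstance: str      # one of the page's circumstance labels for that type
    # Assumed register fields (hypothetical names) mirroring the page's IPC-notification triggers.
    de_identified_or_encrypted: bool = False  # theft only
    knowing_actor: bool = False               # person knew or ought to have known
    ongoing: bool = False                     # use/disclosure continues after the initial event
    pattern: bool = False                     # part of a pattern of similar events
    college_reportable: bool = False          # conduct would be reported to a regulatory college
    deemed_significant: bool = False          # custodian's judgment on the four significance factors

def ipc_notification_required(b: Breach) -> bool:
    """The patient is always notified; this decides whether the IPC must be notified as well."""
    if b.breach_type == "stolen":
        return not b.de_identified_or_encrypted
    return any((b.knowing_actor, b.ongoing, b.pattern, b.college_reportable, b.deemed_significant))

def annual_report(register, year: int) -> dict:
    """Per-type totals, affected-individual buckets and circumstance counts for one report year."""
    report = {}
    for b in (x for x in register if x.discovered_year == year):
        entry = report.setdefault(b.breach_type, {"total": 0, "affected": Counter(), "circumstances": Counter()})
        entry["total"] += 1
        entry["affected"][affected_bucket(b.affected)] += 1
        entry["circumstances"][b.circumstance] += 1
    return report

# Constructed sample register; none of these are real incidents.
REGISTER = [
    Breach("stolen", 2023, 1, "Theft of unencrypted electronic device (e.g. USB stick)"),
    Breach("stolen", 2023, 250, "Stolen as a result of a ransomware attack", de_identified_or_encrypted=True),
    Breach("used", 2023, 1, "Unauthorized use via electronic records", knowing_actor=True),
    Breach("disclosed", 2022, 2, "As a result of a misdirected fax"),
    Breach("disclosed", 2023, 40, "As a result of a misdirected email", deemed_significant=True),
]
```

Running `annual_report(REGISTER, 2023)` excludes the 2022 fax incident and yields two theft entries (buckets "1" and ">100"), one unauthorized use and one unauthorized disclosure; the encrypted-device theft is the only 2023 entry that does not trigger IPC notification.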

When the privacy breach involves a regulated health-care professional, the HIC must report the individual to their regulatory college in select situations.

Notifying affected patients

The HIC must notify the patient of any theft, loss, or unauthorized use or disclosure of PHI at the first reasonable opportunity.

The notification must include a statement that the individual is entitled to make a complaint to the IPC. Information on how patients can file a complaint with the IPC and the form can be found on the IPC website.

PHIPA does not specify how the notification must be carried out. For example, the HIC can notify the affected individual by telephone or in writing or, depending on the circumstances, make a note in the patient’s file to discuss it at his/her next appointment.

The HIC should consider the sensitivity of the PHI that was compromised and use the best judgment to determine the appropriate way to notify the individual.

Notifying the IPC

To report the types of privacy breaches listed above upon occurrence, use the IPC online form.

Notifying regulatory colleges

If a HIC employs, extends privileges to, or is affiliated with a regulated health professional who is involved in a privacy breach, the HIC must report that individual to their regulatory college within 30 days of the privacy breach when:

  • The individual is an employee/agent of the HIC and their privacy breach results in:
    • Termination, suspension, disciplinary action or
    • Resignation, which the HIC reasonably believes is the result of an investigation or other action related to the alleged breach
  • The individual has privileges or is affiliated with the HIC and their privacy breach results in:
    • Suspension, restriction or revocation of their privileges or affiliation with the HIC, or
    • Relinquishment or voluntary restriction of their privileges or affiliation, which the HIC reasonably believes is the result of an investigation or other action related to the alleged breach

Examples of when to report a breach to the IPC

For example, a nurse looks at his neighbour’s medical record for a non work-related purpose.

For example, the theft of a laptop computer containing PHI that was not encrypted.

For example, a custodian inadvertently sends a fax containing PHI to the wrong recipient and although the recipient returned the fax, the custodian becomes aware that he or she kept a copy and is threatening to make it public.

For example, a letter to a patient inadvertently included the PHI of another patient. The same mistake re-occurs several times in the course of a couple of months as a result of a new automated process for generating letters.

For example, a hospital suspends the privileges of a physician for accessing the PHI of her ex-spouse for a non work-related purpose. The hospital must report this to the College of Physicians and Surgeons of Ontario and to the IPC.

For example, a hospital registration clerk posts information about a patient on social media and the hospital suspends the clerk. The clerk does not belong to a regulated health-professional college.

To determine the significance, a HIC must consider whether:

  • The information is sensitive
  • The breach involves a large volume of information
  • The breach involves many individuals’ information
  • More than one HIC or agent is responsible for the breach

For example, disclosing a patient’s PHI to a large email distribution group rather than just to the patient’s health-care practitioner.