Please be aware that the government has introduced additional reporting requirements that come into effect October 1, 2017, for all health care professionals.

Ontarians have the right to privacy. Health care professionals must follow the rules of the Personal Health Information Protection Act (PHIPA). 
PHIPA governs the collection, use and disclosure of ‘personal health information’ (such as identifying information about an individual that relates to their physical or mental health) by Health Information Custodians (HICs). Healthcare practitioners, hospitals and pharmacies are all defined as HICs. Agents of HICs (for example, employees of a physiotherapy clinic) hold the same duties and responsibilities as HICs under the Act.

What You Need To Know About Privacy Breaches

  • Health Information Custodians must notify the affected person at the first reasonable opportunity, mentioning that a complaint may be made to the Information and Privacy Commissioner of Ontario. Examples might include stolen or lost charts, or health information about patients erroneously included in a distribution email sent to individuals not involved in the care of the patient.

  • Agents of Health Information Custodians (e.g. the PT) must let their employer know at the first reasonable opportunity and ensure that the breach is contained.

  • Health Information Custodians must report to the appropriate regulatory College when they take any disciplinary action against a member of a health regulatory College (including the Ontario College of Social Workers and Social Service Workers) due to the member’s unauthorized collection, use, disclosure or disposal of personal health information. For example, a PT posts a picture of a patient on social media or shares videos of patients with other health professionals without their consent.

  • Disciplinary action can include suspension or termination of employment, revocations or restrictions on privileges or business affiliations, or situations where a member resigns before disciplinary actions are completed.

  • You must notify the College in writing within 30 days of an action or resignation.

What You Need To Do

You must notify the Information & Privacy Commissioner if you have reasonable grounds to believe a breach has occurred.

These are the types of breaches to be aware of:

  • lost information
  • use of information without authority, and becoming aware that the information is used after the initial breach
  • patterns of conduct of unauthorized disclosure
  • significant breaches
  • disciplinary actions against both a PT and another non-regulated professional (for example: office staff or a PTA).

When to Notify Colleges

PHIPA already requires HICs to notify a College if a member is terminated, suspended or subject to disciplinary action as the result of unauthorized collection, use, disclosure, retention or disposal of personal health information.

The new rules expand that obligation, now requiring HICs to notify a College of an event relating to a loss or unauthorized use or disclosure of personal health information.

What You Must Report to the Information and Privacy Commissioner in The Future

In 2019, all HICs are required to provide the Privacy Commissioner with a report on March 1 of each year, setting out the number of times in the previous calendar year personal health information was stolen, lost, used without authority or disclosed without authority.

Have Questions? Contact the Practice Advisor | 647-484-8800 | 1-800-583-5885