Ontarians have the right to privacy. Health care professionals must follow the rules of the Personal Health Information Protection Act (PHIPA).

PHIPA governs the collection, use and disclosure of ‘personal health information’ (such as identifying information about an individual that relates to their physical or mental health) by Health Information Custodians (HICs). Healthcare practitioners, hospitals and pharmacies are all defined as HICs. Agents of HICs (for example, employees of a physiotherapy clinic) hold the same duties and responsibilities as HICs under the Act.

As of January 1, 2018, changes were made to Ontario’s Personal Health Information Protection Act (PHIPA). If you are a Health Information Custodian (HIC) working in a hospital or a clinic owner it is important to understand how the rules will affect your organization. One of the most critical changes requires health organizations document privacy and data breaches.

As of March 1, 2019 you could be asked by the Information and Privacy Commissioner to show a record of your breaches from the past year. 

What You Need To Know About Privacy Breaches

  • Health Information Custodians (HICs) must determine that the loss or unauthorized use or disclosure of personal health information is significant after considering all relevant circumstances, including whether the personal health information is sensitive, whether the loss or unauthorized use or disclosure involved a large volume of personal health information or involved many individuals’ personal health information and whether more than one health information custodian or agent was responsible for the loss or unauthorized use or disclosure.

  • Health Information Custodians must notify the affected person at the first reasonable opportunity, mentioning that a complaint may be made to the Information and Privacy Commissioner of Ontario. Examples might include stolen or lost charts, or if health information about patients erroneously included in a distribution email sent to individuals not involved in the care of the patient. 

  • Agents of Health Information Custodians (e.g. the PT) must let their employer know at the first reasonable opportunity and ensure that the breach is contained.

  • The HIC must notify the regulatory College if an employee or agent of the custodian was terminated, suspended or subject to disciplinary action as the result of a breach.

  • Disciplinary action can include suspension or termination of employment, revocation or restrictions on privileges or business affiliations, or situations where a member resigns before disciplinary actions are completed.

  • You must notify the College in writing within 30 days of an action or resignation.

What You Need To Do

You must notify the Information & Privacy Commissioner, if you have reasonable grounds to believe a breach has occurred.

These are the types of breaches to be aware of:

  • lost information
  • use of information without authority and becoming aware the information is used after the initial breach
  • patterns of conduct of unauthorized disclosure
  • significant breaches
  • disciplinary actions against both a PT and another non regulated professional (for example: office staff or a PTA).

When to Notify Colleges

PHIPA already requires HICs to notify a College if a member is terminated, suspended or subject to disciplinary action as the result of unauthorized collection, use, disclosure, retention or disposal of personal health information.

The new rules expand that obligation, now requiring HICs to notify a College of an event relating to a loss or unauthorized use or disclosure of personal health information. 

Information and Privacy Commissioner—New Mandatory Statistics Reporting 

According to rules under the Personal Health Information Protection Act (PHIPA), health information custodians in Ontario are now required to report statistics relating to health privacy breaches annually to the Information and Privacy Commissioner of Ontario. 

The report will set out the number of times in 2018 that personal health information held by a health information custodian (HIC) was stolen, lost, used without authority and/or disclosed without authority. The other sections of the report will focus on the cause of the breach and the number of individuals affected. 

The online statistics submission website is open for health information custodians across Ontario to submit their statistics for the 2018 reporting year. 

Health information custodians that have experienced at least one health privacy breach during the 2018 reporting year—from January to December—are required by law to complete the online questionnaire. The deadline to submit is Friday, March 1, 2019.

Note that if you have zero privacy breaches you are not required to submit a report. 

Learn more on the IPC website.

Have Questions? Contact the Practice Advisor

practiceadvice@collegept.org | 647-484-8800 | 1-800-583-5885