What is PHIPA Breach Reporting?

The Personal Health Information Protection Act (PHIPA) is Ontario’s health information privacy law. PHIPA imposes privacy obligations on health information custodians. PHIPA regulates when health information custodians may collect, use, or disclose personal health information of Ontarians. PHIPA also requires health information custodians to report data breaches to the Information and Privacy Commissioner of Ontario (“Commissioner”). The requirements of PHIPA breach reporting are discussed below. 

PHIPA Breach Reporting and Health Information Custodians

A health information custodian (HIC) is a person or organization listed in PHIPA that, as a result of his, her, or its powers or duties or work, has custody or control of personal health information. An HIC is generally the institution, facility or private practice health practitioner that provides healthcare to an individual.

Examples of custodians include:

  • Healthcare practitioners (including doctors, nurses, speech-language pathologists, chiropractors, dental professionals, dieticians, medical laboratory technologists, massage therapists, midwives, occupational therapists, opticians, and physiotherapists).
  • Hospitals.
  • Psychiatric facilities. 
  • Long-term care homes.
  • Pharmacies.
  • Laboratories.
  • Ambulance services.
  • Retirement homes and homes for special care.
  • The Minister of Health and Long-Term Care.

Personal health information includes oral or written information about an individual, if the information:

  • Relates to the individual’s physical or mental health, including family health history;
  • Relates to the provision of healthcare, including the identification of persons providing care;
  • Is a plan of service for individuals requiring long-term care;
  • Relates to payment or eligibility for healthcare;
  • Relates to the donation of body parts or bodily substances or is derived from the testing or examination of such parts or substances;
  • Is the individual’s health number; or
  • Identifies an individual’s substitute decision-maker.

PHIPA Breach Notification

To strengthen the privacy protection of personal health information, the Ontario government amended the Personal Health Information Protection Act in 2017. Under the amended law, health information custodians must notify the Information and Privacy Commissioner of Ontario (the Commissioner) of certain privacy breaches. This PHIPA breach reporting is required in seven situations. The categories are not mutually exclusive: more than one can apply to a single breach, and a breach must be reported if it falls into any of them.

The situations in which health information custodians (HICs) must notify the Commissioner of a privacy breach include: 

  1. When there has been use or disclosure of personal health information without authority;
  2. When personal health information has been stolen;
  3. When there has been further use or disclosure of personal health information without authority after a breach;
  4. When there has been a pattern of similar breaches;
  5. When disciplinary action has been taken against an agent who is a member of a health regulatory college;
    • When an employee is a member of a regulatory college, a health information custodian must notify the Commissioner of a privacy breach if the custodian terminates, suspends, or disciplines the member as a result of the breach, or if the member resigns and the custodian believes the resignation is related to the breach.
    • When a healthcare practitioner with privileges at, or otherwise affiliated with, the custodian is a member of a college, the custodian must notify the Commissioner of a privacy breach if it revokes, suspends, or restricts the practitioner’s privileges or affiliation as a result of the breach. The custodian must also notify the Commissioner if the practitioner relinquishes or voluntarily restricts their privileges or affiliation and the custodian believes this action is related to the breach.
  6. When there has been disciplinary action taken against a non-college member;
    • Not all employees or other agents of a custodian are members of a college. If an agent is not such a member, the health information custodian must still notify the Commissioner in the same circumstances that would have triggered notification to a college, had the agent been a member.
    • For example, one of a health information custodian’s registration clerks has an unpleasant encounter with a patient and then posts information about the patient on social media. In response, the custodian suspends the clerk for a month. Although the clerk is not a member of a college, the suspension is disciplinary action taken as a result of the breach, so the custodian must report the breach.
  7. When there has been a significant breach. In deciding whether a breach is significant, a health information custodian must consider all the relevant circumstances, including whether:
    • The information is sensitive;
    • The breach involves a large volume of personal health information;
    • The breach involves the personal health information of many individuals; and
    • More than one custodian or agent was responsible for the breach.

For example, a healthcare practitioner accidentally discloses a patient’s mental health assessment to every practitioner on a group email distribution list, rather than only to the patient’s physician. The information is highly sensitive and has been disclosed to a number of persons to whom the custodian did not intend to send it. The sensitivity of the information makes the breach significant, so it must be reported even though only one patient is affected.

In addition to reporting individual breaches, custodians must provide the Commissioner, by March 1 of each year, with an annual report of their privacy breach statistics for the previous calendar year.