Mandatory reporting for misuse of records
August 23, 2017
TORONTO – As of October 1, 2017, all health information custodians in Ontario, such as regulated health professionals, hospitals, clinics and long-term care facilities, will be required to notify the Information and Privacy Commissioner (IPC) when personal health information is lost, stolen or used or disclosed without authority.
In addition, health information custodians will be required to report annually to the Information and Privacy Commissioner on the total number of times personal health information was either lost, stolen, or used or disclosed without authority. The first annual reports will be due to the IPC on or before March 1, 2019.
The regulation will come into force on October 1, 2017, so it is important for health information custodians (HICs) to think about the policies and procedures they need to put in place to ensure they are meeting their reporting obligations. These should include a breach log template and a breach response plan.
Since 2004, section 12(2) of PHIPA has required HICs to notify affected individuals at the first reasonable opportunity if personal information is stolen, lost or used or disclosed without authority. Now the Ontario government is requiring that the law’s regulators know as well.
The consolidated regulation can be viewed at https://www.ontario.ca/laws/regulation/040329.
Privatech, a consulting and training company, notes on its website that the regulation, unfortunately, is not as clear as it could be, stating circumstances under which breaches should be reported, such as those where individual notification is required. However, it also states that the HIC would report to the IPC if the loss or unauthorized use or disclosure of personal health information is significant, considering such attributes as its sensitivity and the volume of information compromised.
“We also aren’t provided with a clear sense of what exactly needs to be reported to the IPC,” says the Privatech release. “However, the IPC’s Privacy Breach Report form found at https://www.ipc.on.ca/privacy-breach-report/ provides a good indication of what will be expected by the regulators.”
“We can expect to receive further guidance from the Ontario IPC on the new breach reporting requirements. However, it is important to prepare for the amendment now, given that the change comes into force in a short month and a half. A strong breach reporting program, as well as adequate training on breach escalation and logging, are critical.” For assistance, contact PRIVATECH at https://privatech.ca.