PRACTICE PARTNER
New rules for reporting a privacy breach to the IPC
In our last issue of Dialogue, we wrote about amendments now in force that create new circumstances in which health information custodians must report privacy breaches to health colleges and to the Information and Privacy Commissioner (IPC). These amendments also create new provisions on notifying affected individuals of privacy breaches, and double the maximum fines for privacy offences.
The IPC has released a guidance document to assist physicians and other health information custodians (HICs) in complying with the recent amendments to the Personal Health Information Protection Act (PHIPA). The IPC document is called “Reporting a Privacy Breach to the Commissioner: Guidelines for the Health Sector.”
Physicians are also urged to be familiar with the expectations in the College’s Confidentiality of Personal Health Information policy.
Below are the new circumstances in which health information custodians must report privacy breaches to the Information and Privacy Commissioner.
1. Use or disclosure without authority
This category covers “medical snooping”: situations where the person committing the breach knew, or ought to have known, that their actions were not permitted by PHIPA or by the responsible custodian. An example would be a person who looks at an ex-spouse’s or a local celebrity’s medical history for no work-related purpose. The category also includes unauthorized uses or disclosures that were not done for a personal or malicious motive.
Generally, the IPC states that the Commissioner does not need to be notified when a breach is accidental, for example when information is inadvertently emailed or couriered to the wrong person, or a letter is placed in the wrong envelope. Nor does the Commissioner need to be notified when a person who is permitted to access patient information accidentally opens the wrong patient’s record. However, even an accidental privacy breach must be reported if it falls into one of the following categories.
DIALOGUE ISSUE 1, 2018
2. Further use or disclosure without authority after a breach
Following an initial privacy breach, the custodian may become aware that the information was, or will be, further used or disclosed without authority. This must be reported to the Commissioner.
For example, a medical office employee inadvertently sends a fax containing patient information to the wrong person. Although that person returned the fax to the office, it is later learned that he kept a copy and is threatening to make the information public. Even if the initial incident was not reported, the Commissioner must be notified of this situation.
3. Stolen information
A typical example is the theft of paper records, or of a laptop or other electronic device. Another example is where patient information is subject to a ransomware or other malware attack, or where the information has been taken through the use of a portable storage device.
The Commissioner does not need to be notified if the stolen information was de-identified or properly encrypted. Note that password protection alone is not encryption.