Reporting a Breach: Critical Professional Regulatory Compliance Considerations
In Ontario, the collection and use of personal health information is governed by the Personal Health Information Protection Act (“PHIPA”). Under the Act, regulated healthcare professionals are considered “custodians” of that health information.
In the event of a breach of personal health information, custodians have a duty to report the breach to the individual(s) whose privacy was breached. In some instances, custodians are further obligated to report the breach to the Information and Privacy Commissioner (“IPC”). Failure to do so is considered a breach of the PHIPA and can lead to a complaint, reports, and disciplinary action by your regulator. As such, regulatory compliance with this regime is crucial.
What is the first step in responding to a breach?
Once a breach is identified, it is crucial to notify the individual(s) whose information was breached at the earliest opportunity. You may notify the individual by any means, including in writing, by phone or in person. If you notify a patient of a breach in person or by phone, you should record that you did so and when. The IPC may request this information if a report is required or a complaint is made, and your regulator may require it in the event of a report or complaint.
When do I need to report to the IPC?
In the event that personal health information is stolen or lost, or it is used and/or disclosed without authority, you are required to report the breach to the IPC. Given the increasing shift to electronic medical record-keeping, privacy breaches often occur in the context of ransomware. Ransomware attacks typically involve a hack in which an outside intruder gains access to an organization’s computer system and encrypts the stored information while demanding money for its release.
What do I need to report to the IPC?
A custodian of health information, including a pharmacist or clinic owner, is required to report to the IPC any time personal health information is stolen, lost, used, or disclosed without authority. The IPC will request the following information:
- description of the breach: including how and when it happened, how it was discovered, and the extent of the breach
- containment efforts: steps taken to contain the breach, the dates they occurred, and the outcome
- notification: confirmation that the affected individual(s) were notified of the breach and when
- investigation/remediation: steps taken to investigate and remediate the breach
The IPC will review the information provided and determine next steps.
If you are a health information custodian and there has been a breach of personal health information, a lawyer can help ensure that you comply with your obligations under PHIPA and your professional regulations. At Damien Frost & Associates LLP we are experienced professional regulation lawyers and will assist you in properly managing a privacy breach, including notifying those affected and ensuring that your IPC reporting obligations are fulfilled. We can further assist with developing internal privacy policies to safeguard personal health information and developing a proper privacy breach protocol.