New requirements for the management of privacy breaches came into force on October 1, 2017. If you or your organization manages personal health information, you need to be aware of these changes. They dictate when, and to whom, an organization must report a privacy breach. Starting January 1, 2018, there is also a requirement to track all privacy breach statistics in the health care sector. Health information custodians will then be required to provide annual reports of their privacy breach statistics to the Information and Privacy Commissioner (IPC), starting in March 2019. The IPC will release details of these annual reporting requirements later in the fall of 2017.
PHIPA (Ontario's Personal Health Information Protection Act, 2004) requires that if personal health information about an individual that is in the custody or control of a “health information custodian” is lost, stolen, or used or disclosed without authority, then, subject to very limited exceptions, the custodian must notify the affected individual at the first reasonable opportunity and advise them that they may make a complaint to the IPC. Health information custodians include health care practitioners and persons who operate a group health care practice, home care providers, community care access corporations, hospitals, retirement homes, pharmacies, laboratories, ambulance services, homes for special care, and community or mental health centres, programs or services, among others.
The new rules also dictate when a custodian needs to notify the IPC of a privacy breach. Custodians must notify the IPC under the following circumstances:
- Use or disclosure without authority. This includes people snooping into medical records when they knew, or ought to have known, that their snooping was not permitted. It also includes unauthorized use or disclosure for personal or malicious reasons. Importantly, you generally do not need to notify the IPC when the breach is truly accidental; however, the breach may still need to be reported if it falls within one of the other circumstances below.
- Stolen information. This could result from an employee having their electronic device or laptop stolen. Information also falls within this category if it was subject to ransomware or other malware, or was taken on a portable storage device such as a thumb drive.
- Further use or disclosure without authority after a breach. This covers situations where there was a privacy breach and you later learned that the information was being used again or disclosed further without authority. For example, an employee accessed the medical records of their ex-spouse without authorization and later used that same information to discredit their ex-spouse on social media. In this case, you would need to report to the IPC twice: once for the original breach and again for the subsequent use or disclosure.
- Pattern of similar breaches. If you discover a pattern of similar breaches, even if they seem insignificant or were accidental, this must be reported to the IPC. The reason is that the pattern may signify an issue with your information protocols and procedures that should be addressed. Whether a breach is part of a pattern is a judgement call you need to make, but it should be taken seriously, because failure to identify the pattern could have negative consequences for your organization.
- Disciplinary action against a college member. A requirement to report the actions of a health regulatory college member to their college triggers a concurrent mandatory report to the IPC. When an employee is a member of a health regulatory college, you must notify the IPC if you terminate, suspend or discipline them, or revoke, suspend or restrict their privileges, as a result of a privacy breach. In addition, you must report to the IPC if that college member resigns, or relinquishes or restricts their privileges, and you believe it is related to a privacy breach. This also applies if the practitioner is employed by a board of health.
- Disciplinary action against a non-college member. If you would have reported an employee's actions to a college had they been a member of one, you must report the actions of that non-college member employee to the IPC. For example, a doctor's receptionist who publishes patient data in a public place.
- Significant breach. If the breach does not fall into the circumstances listed above, then, considering all the circumstances, you should report the breach to the IPC if it involved:
• sensitive information;
• a large volume of information;
• the information of many individuals;
• more than one custodian or agent.
It is important to remember that even breaches that do not cause any significant harm may still be considered significant under these new rules.
Remember: failure to report breaches may result in a complaint to the IPC and a potential adverse ruling against you or your organization.