Reporting of Privacy Breach to Privacy Commissioner - Deadline March 1, 2019

According to new rules under the Personal Health Information Protection Act (PHIPA), health information custodians in Ontario are now required to report statistics relating to health privacy breaches annually to the office of the Privacy Commissioner, which oversees compliance with PHIPA.

A Health Information Custodian (HIC) is responsible for collecting, using and disclosing personal health information on behalf of clients.  A HIC is generally the institution, facility or private practice health practitioner that provides health care to an individual.  Examples of health information custodians include health care practitioners such as doctors, nurses, pharmacists, speech-language pathologists, chiropractors, dental professionals, dietitians, medical laboratory technologists, massage therapists, midwives, occupational therapists, opticians and physiotherapists.

What is a Privacy Breach?
Under PHIPA, a privacy breach is the unauthorized use, disclosure, loss, or theft of personal health information. This includes situations such as; the viewing of health records by someone who is not allowed to view those records, loss of health records or a USB key containing health information, a briefcase with patient files stolen from someone’s car or disclosure of health information without authority.  The full list of reportable breaches can be found in s. 6.3 of Ontario Regulation 224/17 made under PHIPA. 

Statistical reports submitted will set out the number of times in 2018 that personal health information held by a health information custodian was stolen, lost, used without authority and/or disclosed without authority. The other sections of the report will focus on the cause of the breach and the number of individuals affected. The report does not ask for personal health information.

If you are an independent occupational therapist who is a health information custodian and have experienced a privacy breach in 2018 (from January to December) you must comply with the law and submit a report by the March 1, 2019 deadline.  However, health information custodians that have 0 (zero) health privacy breaches to report for 2018 should not submit a statistical report.

View Privacy Commissioner, Brian Beamish’s communique to Health Information Custodians. 

How to report

An online statistics submission website  is now open for health information custodians across Ontario to submit their statistics for the 2018 reporting year. The deadline to submit is Friday, March 1, 2019.  View the Commissioner’s Fact Sheet – How to Submit Annual Health Information Breach Statistics.  You will need to review this to engage a log-in ID if you do not already have one.

Implications for Occupational Therapists

Occupational therapists who practice independently and are deemed Health Information Custodians need to address this requirement and to report if they have experienced a health privacy breach in 2018.  Occupational therapists working privately should be familiar the Personal Health Information and Protection Act and the requirements for practice and reporting.  The following resources can support this review: