In Ontario, the Personal Health Information Protection Act (PHIPA)[1] governs the collection, use and disclosure of personal health information within the health sector. The term “personal health information” is broadly defined in PHIPA and includes identifying information which is not strictly personal health information but is contained in a record containing personal health information.

Health information custodians[2] in Ontario are required to take reasonable steps to ensure that personal health information is protected against theft, loss and unauthorized use and disclosure, and to ensure that records containing personal health information are protected against unauthorized copying, modification or disposal (each individually or collectively a “Privacy Breach”).

In the course of delivering health care services or conducting clinical research in Ontario, or conducting research outside of Ontario using personal health information collected in that province, entities which are not health information custodians as defined in PHIPA may be similarly required to implement measures to protect personal health information in accordance with PHIPA and/or pursuant to an Information Sharing Agreement, Data Transfer Agreement, or other formal arrangement governing the sharing of personal health information. As such, it is important for entities engaging in activities which necessarily require the collection, use, and disclosure of personal health information to be aware of the applicable legislation and the implications of changes to that legislation for their operations.

Mandatory breach reporting

In response to a number of highly publicized incidents involving unauthorized access to patient records, the Ontario provincial government recently amended the regulatory regime under PHIPA to include mandatory privacy breach reporting. PHIPA provides that, under certain circumstances, a health information custodian must notify the Ontario Information and Privacy Commissioner (“OIPC”) of a Privacy Breach.[3]

Recent amendments[4] to Ontario Regulation 329/04 made under PHIPA (the “Regulation”) provide further guidance for health information custodians concerning when they must notify the OIPC of a Privacy Breach.[5] Such circumstances include when:

  1. the health information custodian has reasonable grounds to believe that:

     (a) a Privacy Breach has occurred; or

     (b) following the discovery of a Privacy Breach, the personal health information which is the subject of the breach was, or will be, further used or disclosed without authority;

  2. the loss or unauthorized use or disclosure of personal health information is part of a pattern of similar Privacy Breaches; or

  3. the health information custodian determines that the Privacy Breach is significant after considering all relevant circumstances, including whether:

     (a) the personal health information which is the subject of the Privacy Breach is sensitive;

     (b) the Privacy Breach involved a large volume of personal health information;

     (c) the Privacy Breach involved many individuals’ personal health information; and

     (d) more than one health information custodian or agent was responsible for the Privacy Breach.

Furthermore, PHIPA requires health information custodians to notify the professional regulatory college of the termination, suspension, or disciplinary action against any health care practitioner employee if that termination, suspension or disciplinary action was a result of a Privacy Breach. College reporting is also required where the health information custodian has reasonable grounds to believe that an employee’s resignation is related to an investigation or other action in respect of a Privacy Breach.[6] The recent amendments to the Regulation now require further reporting of these types of incidents to the OIPC.[7]

Finally, commencing in 2019, on or before March 1 each year, health information custodians will be required to submit a report to the OIPC which sets out the number of times a Privacy Breach occurred in respect of personal health information in their custody and/or control during the previous calendar year.[8]

These amendments come into force on October 1, 2017.

[1] 2004, SO 2004.

[2] 2004, SO 2004, s 3.

[3] 2004, SO 2004, s 12(3).

[4] O Reg 224/17 filed on June 29, 2017, amending O Reg 329/04.

[5] O Reg 329/04, s 6.3(1).

[6] 2004, SO 2004, s 17(2).

[7] O Reg 329/04, s 6.3(1).

[8] O Reg 329/04, s 6.4.