Mandatory reporting of patient privacy breaches

Privacy breaches of patient records continue to make news headlines and are an important issue for all naturopaths to consider. Ontario naturopaths need to be aware of new mandatory reporting obligations under the Personal Health Information Protection Act, 2004 (PHIPA) for all regulated health professionals in the province. 

Key points

  • Naturopaths will be legally required to report patient privacy breaches to the Information and Privacy Commissioner of Ontario as of October 1, 2017.
  • Naturopaths must start tracking patient privacy breaches as of January 1, 2018 and report annually to the Privacy Commissioner starting in 2019.  Guidance documents regarding this annual reporting are anticipated to be released later this fall.

What is a privacy breach?

Under PHIPA, a privacy breach is considered to be the unauthorized use or disclosure of personal information or the loss or theft of personal health information. This includes the viewing of health records by someone who is not allowed to view those records (known as “snooping”). Other examples include where a USB key with health information goes missing or a briefcase with patient files is taken from someone’s car.

Who needs to be notified?

If this occurs, the health information custodian (the person with custody and control of the patient records) needs to notify the patient at the first reasonable opportunity. The law now requires the health information custodian to also notify the patient that they can make a complaint about the breach to the Information and Privacy Commissioner of Ontario. 

If you are an agent of a health information custodian (for example, if you are a naturopath who works for a group practice, a hospital or for another regulated health professional) you need to tell the responsible custodian at the first reasonable opportunity.

Naturopaths, and all other regulated health professionals, will be legally obligated to notify the Privacy Commissioner of privacy breaches as outlined below as of October 1, 2017.

Situations where you must notify the Commissioner of a privacy breach 

A comprehensive list of situations where the Information and Privacy Commissioner must be notified is available on their website and includes the following:

1. Use or disclosure without authority

2. Stolen information

3. Further use or disclosure without authority after a breach

4. Pattern of similar breaches

5. Disciplinary action against a college member

6. Disciplinary action against a non-college member

7. Significant breach

Access the online Privacy Breach Report Form.

Overlap with RHPA

These new notice requirements under PHIPA overlap with the mandatory reporting provisions of the Regulated Health Professions Act, 1991, which require employers to report when a member has been terminated or had their privileges or partnership revoked or restricted for reasons of professional misconduct, incompetence or incapacity.

Other changes

In addition to the new reporting obligations, the following changes were made to PHIPA in June 2016: 

  • The maximum fines for privacy offences have doubled from $50,000 to $100,000 for individuals and from $250,000 to $500,000 for organizations.
  • The limitation period for prosecutions of privacy offences has been removed.
  • The respective responsibilities of health information custodians and agents have been clarified.
  • A framework for a province-wide system of electronic health records has been introduced, but is not yet in force.