New Obligations on Custodians in Event of Privacy Breach
Since the implementation of the Personal Health Information Protection Act, 2004 (“PHIPA”) in 2004, Health Information Custodians (“Custodians”) have had a duty to take steps to safeguard the personal health information (“PHI”) in their custody and control to prevent PHI from being lost, stolen, or accessed by someone without authorization (a privacy breach). Custodians have also had an obligation to notify individuals at the first reasonable opportunity if their PHI is lost, stolen or accessed by unauthorized persons. While the Information and Privacy Commissioner of Ontario (the “IPC”) has previously recommended that Custodians contact the IPC in the event of a breach, and that Custodians contact health regulatory colleges (the “college”) if employees who are regulated health professionals engage in conduct that results in a privacy breach, recent amendments to PHIPA and to the regulation there under make such reporting a legal obligation of Custodians.
Circumstances where a Custodian is Required to Notify Colleges
Amendments to PHIPA introduced in 2016 set out the circumstances where Custodians are required to notify the regulatory body of any agent or employee who is found to have engaged in conduct that results in a privacy breach.
New section 17.1(2) of PHIPA imposes a reporting obligation on Custodians in circumstances where, as a result of a breach involving the unauthorized collection, use, disclosure, retention or disposal of PHI, the Custodian terminates, suspends, or takes other disciplinary action against an employee who is a member of a regulated health profession or the Ontario College of Social Workers and Social Service Workers (OCSWSSW). A report must be made to the employee’s college or to the OCSWSSW within 30 days of the suspension, termination or imposition of other disciplinary action. This reporting obligation is also triggered where an employee resigns and the Custodian has reasonable grounds to believe that the resignation is related to an investigation or other action by the Custodian with respect to an alleged unauthorized collection, use, disclosure, retention or disposal of PHI by the employee. This means that an employee cannot avoid action by his or her college by resigning his or her employment prior to disciplinary action being imposed.
A similar reporting obligation exists under section 17.1(4) where a member of a college or the OCSWSSW is not an employee of the custodian but is an “agent”, meaning that he or she acts for or on behalf of the Custodian in respect of PHI for the purposes of the Custodian and with the authorization of the Custodian. An “agent” may include an independent professional who does work for the Custodian or its clients, or a third party that is engaged by the Custodian to provide services to the Custodian or the Custodian’s clients or patients.
Where the Custodian is a hospital or other health facility at which health professionals exercise privileges, and a health professional’s privileges are revoked, suspended or restricted, or his or her affiliation is revoked, suspended or restricted, as a result of the unauthorized collection, use, disclosure, retention or disposal of PHI by the health professional, the Custodian must report this to the health professional’s college. As above, a similar obligation is imposed where the health professional relinquishes or voluntarily restricts his or her privileges or his or her affiliation with the Custodian and the Custodian has grounds to believe that this is related to an investigation or other action with respect to an alleged unauthorized collection, use, disclosure, retention or disposal of PHI.
Circumstances where a Custodian is Required to Notify the IPC
Recent amendments to PHIPA relating to privacy breaches have imposed two significant requirements on Custodians. First, pursuant to subsection 12(2) of PHIPA, where a Custodian notifies an individual of the theft or loss or of the unauthorized use or disclosure (as it is required to do at the first reasonable opportunity), it must include a statement that the individual is entitled to make a complaint to the IPC under Part VI of PHIPA. This significant change is intended to increase the IPC’s oversight of Custodians, as it will very likely result in more complaints to the IPC.
Second, subsection 12(3) of PHIPA was amended in 2016 to provide that if the circumstances surrounding a theft, loss or unauthorized use or disclosure of PHI meet certain prescribed requirements, the Custodian is required to notify the IPC. These requirements were recently prescribed with amendments to Ontario Regulation 329/04, the sole regulation under PHIPA, and take effect on October 1, 2017. The prescribed notification must occur in circumstances where the Custodian has reasonable grounds to believe that:
PHI was used or disclosed without authority by a person who knew or ought to have known that they were using or disclosing the information without authority;
PHI was stolen;
After an initial loss or unauthorized use or disclosure of PHI, the PHI was or will be further used or disclosed without authority;
The loss or unauthorized use or disclosure of PHI is part of a pattern of similar losses or unauthorized uses or disclosures of PHI;
The Custodian is required to give notice to a college or to the OCSWSSW of an event described above;
The breach was due to the unauthorized collection, use, disclosure, retention or disposal of PHI by an employee of the Custodian, and the employee is terminated, suspended or subjected to disciplinary action as a result of same, or the employee resigns and the Custodian has reasonable grounds to believe that the resignation is related to its investigation or other action with respect to an alleged unauthorized collection, use, disclosure, retention or disposal of PHI by the employee;
The Custodian determines that the loss or unauthorized use or disclosure of PHI is significant, after considering all relevant circumstances, including the following factors:
The sensitivity of the PHI;
The volume of the PHI;
Whether it involved many individuals’ PHI;
Whether more than one employee or agent was responsible; and/or
Whether more than one Custodian or agent was responsible for the loss or unauthorized use or disclosure of the PHI.
Custodians Should Amend Privacy Breach Protocols to Reflect these Changes
In addition to a Privacy Statement (which is a legal obligation of Custodians) and a Privacy Policy (which is strongly recommended for any health care provider or other Custodian of PHI), Custodians should have a protocol in place so they are prepared to manage and respond to privacy breaches when they occur (instead of wasting precious time determining what steps are required). We have previously written about the importance of having a Privacy Breach Protocol and the necessary elements of same. These elements (which include: identification, internal reporting, containment, notification, investigation, and remediation) remain necessary. But with legislated obligations to report to the IPC and colleges, every Custodian should update its privacy breach management protocol to reflect these new requirements.
Rosen Sunshine has the expertise to assist you with the development of privacy breach management policies and procedures. We can also provide privacy training workshops to educate your staff regarding their privacy obligations.
For more information on how we can place you or your organization in the best position possible to respond to a privacy breach or a complaint under PHIPA, please contact us.
