How do I report a breach under PHIPA?
October 17, 2022
The number of records stored online continues to grow every day, and with it, the threat of privacy breaches. Personal health information (PHI) is among the most desirable data for hackers, and with the transition to virtual care, cybercrime against Healthcare Professionals has skyrocketed in recent years.
Rising calls for greater data security prompted amendments to the Personal Health Information Protection Act (PHIPA) in 2020, with stricter protocols—and sanctions—for all offenders. Given the changes, it’s important for Healthcare Professionals to fully understand their responsibilities when it comes to data stewardship. How do you identify a breach? How do you report one? And what are the consequences if you don’t? Keep reading to learn more.
Disclaimer: The information presented herein is general in nature and provided for educational purposes only. It is not exhaustive nor is it a substitute for legal or insurance advice. For specialized guidance, please consult a lawyer.
Overview of PHIPA:
First things first: what's PHIPA?
Before we get started, here’s a quick refresher on PHIPA. In Ontario, regulated Healthcare Professionals and healthcare organizations must comply with the Personal Health Information Protection Act (PHIPA) to ensure the safe collection, use, and disclosure of personal health information (PHI). PHIPA’s mandate also includes key rules for breach notification, record-keeping, and risk assessment.
PHIPA applies to:
- All individuals and organizations that are considered “health information custodians” (HICs) and agents that are authorized to act on behalf of HICs;
- All recipients of personal health information from HICs; and
- Electronic service providers that collect, store, or transmit PHI, including health information network providers.
Compliance with PHIPA is overseen by an independent oversight body, the Information and Privacy Commissioner of Ontario (IPC). The IPC has the authority to review and adjudicate complaints and to order organizations to abide by PHIPA (e.g. to correct or dispose of records).
What about PIPEDA?
PHIPA has been deemed “substantially similar” to Canada’s federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), and applies in its place within the province of Ontario (except in circumstances involving commercial activities or the interprovincial transfer of PHI).
What's a privacy breach?
A privacy breach is the theft, loss, or unauthorized use or disclosure of personal health information, including the unauthorized viewing of health records. Anything from a major cyberattack or a ransomware infection to a snooping employee to a stolen briefcase containing patient files counts as a breach.
Breach Reporting Requirements:
How will I know if my organization has experienced a privacy breach?
You may become aware of a privacy breach in a variety of ways, such as:
- During the normal course of business;
- Through a complaint filed by an individual (patient, client, employee, or a member of the general public);
- Through a notification from the IPC when it receives a formal complaint.
What should I do if my organization experiences a breach?
Under PHIPA, all HICs and agents have a duty to:
- Report a privacy breach to the appropriate parties (see below);
- Maintain an accurate and up-to-date record of ALL breaches; and
- As of March 1, 2019, file an annual report with the IPC on the number of times personal health information was stolen, lost, or used or disclosed without authority in the past year.
What are my reporting requirements if there's a breach?
PHIPA has notification requirements for both agents and HICs. If a breach occurs, an agent must inform the HIC at the first reasonable opportunity.
Once a custodian is made aware of a breach, they must notify the following parties at the first reasonable opportunity:
1. Affected Individuals
In addition to news of the breach itself, all affected individuals should also know that they are entitled to file a complaint about the breach with the IPC.
2. Information and Privacy Commissioner of Ontario (IPC)
All serious and/or deliberate breaches must be immediately reported to the IPC (see below). Reports should be submitted as soon as possible by mail or at www.ipc.on.ca. The IPC will review your report and may request additional information or begin a formal investigation.
3. Regulatory College
You must inform the appropriate governing body or College if you suspect the involvement of an agent who is a member of a professional college specified under the Regulated Health Professions Act, 1991, or of the Ontario College of Social Workers and Social Service Workers (OCSWSSW). This is critical if you intend to take disciplinary action against them, such as suspension, termination, or restriction of business privileges, and in situations where the member resigns in the face of such action. The notice must be given in writing within 30 days of the disciplinary action or resignation occurring.
For more information on reporting requirements, please see the following guidelines from the IPC: Responding to a Health Privacy Breach: Guidelines for the Health Sector, October 2018.
What kinds of breaches should I report to the IPC?
You must notify the IPC immediately if you have reasonable grounds to believe:
- Information in your custody was stolen, lost, or used or disclosed without authority;
- Information will be further used or disclosed without authority after the initial breach;
- The breach is part of a similar pattern of losses;
- The loss is sizeable or significant, considering all relevant factors;
- The breach involves any agent who is a member of a Regulatory College;
- And more.
A full list of reportable breaches can be found in s. 6.3 of Ontario Regulation 224/17 under PHIPA.
What information should I include in my breach report?
At minimum, all breach reports (as well as your organization’s breach records) should include:
- The date or estimated period of the breach;
- A description of the circumstances and scope of the breach and, if known, the cause (e.g. how the information was lost, stolen, or accessed, how the breach was discovered, etc.);
- The number of individuals affected or, if unknown, the approximate number;
- A description of the nature and type of the personal information compromised (personal details do not need to be included unless absolutely necessary);
- Whether or not and how you informed affected individuals; and
- The steps you’ve taken to address, investigate, and remediate the breach and prevent any future occurrences (including any ongoing work).
Offences Under PHIPA:
What happens if I don’t report a breach?
If organizations fail to safeguard, retain, or dispose of personal information in their custody or fail to report a privacy breach, they risk severe penalties for compliance violations. HICs and agents who have acted reasonably and in good faith will generally be protected from liability. But the penalties for those who willfully violate or disregard PHIPA are steep—and they’ve climbed even higher in recent years.
Following the amendments to PHIPA in 2020, the maximum fines for privacy offences have doubled from $100,000 to $200,000 for individuals and from $500,000 to $1,000,000 for organizations, with the possibility of up to one year of imprisonment.
Additionally, whether or not the organization itself is prosecuted or convicted, PHIPA holds officers, members, employees or agents of corporations personally liable for corporate offences if they authorize an offence or knowingly refrain from preventing an offence.
Keep in mind: regulatory fines will be levied on top of existing breach remediation costs, such as forensic investigation, client notification, credit monitoring, legal fees, and more. Plus, anyone convicted of an offence under PHIPA may be subject to lawsuits from disgruntled patients whose information was compromised. Finally, PHIPA allows courts to award up to $10,000 in mental anguish damages per victim if they determine that harm was caused by reckless misconduct.
How can I protect PHI?
Now more than ever, it is crucial for all healthcare organizations, large and small, to safeguard their data by adopting a more proactive stance towards privacy management. After all, minimizing the risk of a breach minimizes your costs—including any fines levied by the IPC.
Take steps to build a more cyber-aware workforce. Ensure all staff know how to securely collect, use, store, and dispose of PHI. Implement adequate physical, administrative, and technical defences to protect sensitive information, and back up all data regularly.
For maximum protection, invest in a comprehensive Cyber Insurance policy to help you get your practice back online following a breach and offset some of the potential financial loss from legal fees, damages, and associated expenses. Depending on your provider, your plan may also include access to a specialized breach coach that will advise you on legal proceedings, regulatory compliance, and incident response.
For more guidance, connect with PROLINK. As a licensed broker with over 40 years of experience, we’ve seen it all—privacy breaches, laws, amendments, and more. We’ll help you plan and protect with a comprehensive cyber risk management strategy and Cyber Insurance policy tailor-made for your organization’s unique needs.
PROLINK’s blog posts are general in nature. They do not take into account your personal objectives or financial situation and are not a substitute for professional advice. The specific terms of your policy will always apply. We bear no responsibility for the accuracy, legality, or timeliness of any external content.