Before we get started, here’s a quick refresher on PHIPA. In Ontario, regulated Healthcare Professionals and healthcare organizations must comply with the Personal Health Information Protection Act (PHIPA) to ensure the safe collection, use, and disclosure of personal health information (PHI). PHIPA’s mandate also includes key rules for breach notification, record-keeping, and risk assessment.

PHIPA applies to:

• All individuals and organizations that are considered “health information custodians” (HICs) and agents that are authorized to act on behalf of HICs;
• All recipients of personal health information from HICs; and
• Electronic service providers that collect, store, or transmit PHI, including health information network providers.

Compliance with PHIPA is overseen by an independent body of oversight known as the Information and Privacy Commissioner of Ontario (IPC). The IPC has the authority to review and adjudicate complaints and order organizations to abide by PHIPA (i.e. to correct or dispose of records).

RELATED: Which healthcare privacy laws apply to my practice?

PHIPA has been deemed “substantially similar” to Canada’s federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA) and will respond in its place within the province of Ontario (except in circumstances involving commercial activities or the interprovincial transfer of PHI).

RELATED: All About PIPEDA: How do privacy laws affect my business?

A privacy breach is the theft, loss, or unauthorized use or disclosure of personal health information, including the unauthorized viewing of health records. Anything from a major cyberattack or a ransomware infection to a snooping employee to a stolen briefcase containing patient files counts as a breach.

RELATED: Surviving the Other Pandemic: What’s Ransomware, Who’s at Risk, and Why?

You may become aware of a privacy breach in a variety of ways, such as:

• During the normal course of business;
• Through a complaint filed by an individual (patient, client, employee, or a member of the general public);
• Through a notification from the IPC when it receives a formal complaint.

RELATED: Cyber Risk Trends: 10 Threats to Watch Out For

Under PHIPA, all HICs and agents have a duty to:

• Report a privacy breach to the appropriate parties (see below);
• Maintain an accurate and up-to-date record of ALL breaches; and
• As of March 1, 2019, file an annual report with the IPC on the number of times personal health information was stolen, lost, or used or disclosed without authority in the past year.

RELATED: Healthcare Professionals are most vulnerable to a data breach. Why?

PHIPA has notification requirements for both agents and HICs. If a breach occurs, an agent must immediately inform the HIC at first reasonable opportunity.

Once a custodian is made aware of a breach, they must notify the following parties at first reasonable opportunity:

1. Affected Individuals

In addition to news of the breach itself, all affected individuals should also know that they are entitled to file a complaint about the breach with the IPC.

2. Information and Privacy Commissioner of Ontario (IPC)

All serious and/or deliberate breaches must be immediately reported to the IPC (see below). Reports should be submitted as soon as possible by mail or at www.ipc.on.ca. The IPC will review your report and may request additional information or begin a formal investigation.

3. Regulatory College

You must inform the appropriate governing body or College if you suspect the involvement of an agent that is a member of a professional college specified under by the Regulated Health Professions Act, 1991 or the Ontario College of Social Workers and Social Service Workers (OCSWSSW). This is critical if you intend to take disciplinary action against them, such as suspension, termination, and restriction of business privileges, and in situations where the member resigns in the face of such action. The notice must be given in writing within 30 days of the disciplinary action or resignation occurring.

For more information on reporting requirements, please see the following guidelines from the IPC: Responding to a Health Privacy Breach: Guidelines for the Health Sector, October 2018.

RELATED: How Can Healthcare Professionals Manage the Risks of Virtual Care?

You must notify the IPC immediately if you have reasonable grounds to believe:

• Information in your custody was stolen, lost, or used or disclosed without authority;
• Information will be further used or disclosed without authority after the initial breach;
• The breach is part of a similar pattern of losses;
• The loss is sizeable or significant, considering all relevant factors;
• The breach involves any agents that are a member of a Regulatory College;
• And more.

A full list of reportable breaches can be found here, in s. 6.3 of Ontario Regulation 224/17 under PHIPA.

At minimum, all breach reports (as well as your organization’s breach records) should include:

• The date or estimated period of the breach;
• A description of the circumstances and scope of the breach and, if known, the cause (e.g. how the information was lost, stolen, or accessed, how the breach was discovered, etc.);
• The number of individuals affected or, if unknown, the approximate number;
• A description of the nature and type of the personal information compromised (personal details do not need to be included unless absolutely necessary);
• Whether or not and how you informed affected individuals; and
• The steps you’ve taken to address, investigate, and remediate the breach and prevent any future occurrences (including any ongoing work).

If organizations fail to safeguard, retain, or dispose of personal information in their custody or fail to report a privacy breach, they risk severe penalties for compliance violations. HICs and agents who have acted reasonably and in good faith will generally be protected from liability. But the penalties for those who willfully violate or disregard PHIPA are steep—and they’ve climbed even higher in recent years.

Following the amendments to PHIPA in 2020, the maximum fines for privacy offences have doubled from $100,000 to $200,000 for individuals and from $500,000 to $1,000,000 for organizations, with the possibility of up to one year of imprisonment.

Additionally, whether or not the organization itself is prosecuted or convicted, PHIPA holds officers, members, employees or agents of corporations personally liable for corporate offences if they authorize an offence or knowingly refrain from preventing an offence.

Keep in mind: regulatory fines will be levied on top of existing breach remediation costs, such as forensic investigation, client notification, credit monitoring, legal fees, and more. Plus, anyone convicted of an offence under PHIPA may be subject to lawsuits from disgruntled patients whose information was compromised. Finally, PHIPA allows courts to award up to $10,000 in mental anguish damages per victim if they determine that harm was caused by reckless misconduct.

RELATED: The Consequences of a Breach: Can Your Business Survive a Cyberattack?

Now more than ever, it is crucial for all healthcare organizations, large and small, to safeguard their data by adopting a more proactive stance towards privacy management. After all, minimizing the risk of a breach minimizes your costs—including any fines levied by the IPC.

Take steps to build a more cyber-aware workforce. Ensure all staff know how to securely collect, use, store, and dispose of PHI. Implement adequate physical, administrative, and technical defences to protect sensitive information and backup all data regularly.

For maximum protection, invest in a comprehensive Cyber Insurance policy to help you get your practice back online following a breach and offset some of the potential financial loss from legal fees, damages, and associated expenses. Depending on your provider, your plan may also include access to a specialized breach coach that will advise you on legal proceedings, regulatory compliance, and incident response.