Ontario Health Privacy Changes Establish New Breach Notification Requirements
The Ontario Ministry of Health and Long-Term Care intends to ensure that health information custodians (HICs) pay due attention to the personal health information they control by introducing new notification and reporting obligations.
If the proposed amendments to O Reg 329/04 under the Personal Health Information Protection Act, 2004 (PHIPA) come into force,[1] notification obligations would start on July 1st of this year. Health information custodians would be required to: (1) notify the Commissioner if an individual’s personal health information is compromised; and (2) report to the Commissioner on the number of times they had to notify individuals that their privacy had been breached in a year (for this latter obligation, the first reporting period would start on March 1, 2018).
LHINS would be “health information custodians”
A “health information custodian” is a person or organization who, in connection with their work, has custody or control of personal health information.[i] Those designated as HICs include health care practitioners, home care service providers, and health facilities (hospitals, pharmacies, labs, retirement homes).[2] Under the amendments, “Local Health Integration Networks” (LHINs) would also be designated as HICs. LHINs are responsible for the planning and funding of health facilities and home care services.[3] This results from earlier legislative changes under which the LHINs will become direct providers of home care services in place of community care access centres.[4]
Notification requirements in certain circumstances
Under the new rules, HICs must notify the Commissioner of “any theft, loss, or unauthorized use or disclosure” of an individual’s personal health information. In short, the Commissioner must be informed when a patient’s privacy is breached or a patient’s personal health information is otherwise compromised. However, the notification requirement arises only in certain circumstances. These circumstances would include:
- Subsequent Disclosure: If the custodian has reasonable grounds to believe that the compromised information was subsequently used or disclosed without authority.[5]
- Part of a Pattern: If the theft, loss or unauthorized use or disclosure is part of a pattern of similar thefts, losses or unauthorized uses or disclosures of personal health information under the custody or control of the HIC.
- College: If the HIC has given notice to a professional College, as it is required to do when a member of that College was terminated or resigned as a result of a theft, loss, or unauthorized use or disclosure.[6]
- College Agent: If the HIC has given notice to a professional College, as it is required to do when a College member has employed a health practitioner as his agent and that agent was terminated or resigned for the same reason.[7]
- Intentional Use or Disclosure: If the custodian has reasonable grounds to believe that the personal health information was intentionally used or disclosed without authority.
- Nonetheless Significant: If none of the above apply but the custodian determines that the theft, loss or unauthorized use or disclosure is otherwise significant having regard to all relevant circumstances, including:
  - the nature of the compromised information;
  - the number of records compromised;
  - the number of individuals whose information was compromised; and
  - the number of HICs or agents responsible for the theft, loss or unauthorized use or disclosure.
New Annual Reporting
Under the new rules, an HIC would also be obligated to report annually, on March 1st, the number of times in the preceding calendar year that it had to notify individuals (in accordance with section 12(2) of PHIPA) of any theft, loss or unauthorized use or disclosure of personal health information. The first report would be due on March 1, 2019.[8]
After submitting the report, an HIC may be required to provide the information contained in any notice, and any information relied on in giving the notice, if the Commissioner requests it.[9]
Health care providers are well advised to institute new methods of protecting patients’ information and of recording any theft or unauthorized use of that information when it happens.
___
[1] Personal Health Information Protection Act, 2004, SO 2004, c 3, Sched A; O Reg 329/04.
[2] “Home care service provider” (our wording for the category listed in paragraph 2 of section 3(1)) refers to a service provider within the meaning of the Home Care and Community Services Act, 1994 who provides a community service to which that Act applies. “Health facilities” (our wording for the category listed in paragraph 4 of section 3(1)) refers to the health facilities, programs or services enumerated under that paragraph.
[3] A “local health integration network” is defined in section 2 of the Local Health System Integration Act, 2006. Their designation will be prescribed pursuant to section 3(8) of the amended regulations.
[4] Patients First Act, 2016 (Ontario), received Royal Assent on December 8, 2016 (not yet proclaimed in force).
[5] Any use of the word “compromise” refers to theft, loss, or unauthorized use or disclosure.
[6] See section 17.1 of PHIPA.
[7] Ibid.
[8] This will be required under a new section 6.3 of the regulations.
[9] This will be under section 6.3(2) of the amended regulations.
[i] The definition of “health information custodian” can be found under section 3(1) of PHIPA.