Obligations for Reporting Privacy Breaches

What is a privacy breach?

Under the Personal Health Information Protection Act, 2004 (PHIPA), a privacy breach is the unauthorized use, disclosure, loss or theft of personal health information. A breach includes:

  • viewing of health records by someone who is not allowed to view them (known as “snooping”)
  • losing a USB key with health information on it
  • having a briefcase containing client files stolen

Who needs to be notified?

Notify the health information custodian (HIC): If you are an agent of a HIC (the person with custody and control of the records), you need to report the breach to the responsible HIC at the first reasonable opportunity. You are an agent of a HIC if you work for a group practice, a hospital or for another regulated health professional who is designated as a HIC.

Notify the individual affected: When an individual’s privacy is breached, the HIC needs to notify them at the first reasonable opportunity. The HIC also needs to inform them that they can make a complaint about the breach to the Information and Privacy Commissioner of Ontario.

Notify the Privacy Commissioner: Once the additional regulations setting out which breaches must be reported come into force, HICs will also have to report those privacy breaches to the Information and Privacy Commissioner directly. Until then, reporting to the Commissioner is not mandatory, but may be done voluntarily.

Reporting to regulatory colleges

HICs are required to report certain actions taken in response to privacy breaches to the appropriate regulatory college. This means that if any disciplinary action is taken against a kinesiologist because of their unauthorized collection, use, disclosure, retention or disposal of personal health information, the HIC must report that fact to the College of Kinesiologists of Ontario. This includes situations where a HIC suspends or terminates a kinesiologist’s employment, or revokes or restricts a kinesiologist’s privileges or business affiliation, and it applies even where the kinesiologist resigns in the face of such action. The notice must be in writing and must be given within 30 days of the disciplinary action or resignation.

The maximum fine for privacy offences is $100,000 for individuals and $500,000 for organizations. There is no longer a limitation period for prosecuting privacy offences, so a prosecution may be started regardless of how much time has passed since the offence occurred.