- A staff member downloads patient records from the office electronic medical record (EMR) to an unsecured memory stick to work on them at home, but then misplaces the memory stick.
- While on the office computer, you accidentally open an email attachment you don’t recognize. The attachment turns out to be a virus allowing a hacker to remotely access your computer’s hard drive, including patient files.
- While paying the barista for your coffee, you momentarily set down your briefcase containing billing records. In that split second, the briefcase is snatched and disappears with the thief.
In any one of these situations, do you know whether you need to notify anyone of the incident, and if so, who? Coordinating notification and reporting of privacy breaches can be challenging when you are the legal custodian of the information and when you’re not, such as when you work in a clinic or hospital.
Provincial and territorial privacy legislation may specify when custodians must report the loss, theft, or unauthorized access to personal health information, that is, a privacy breach. Depending on where you are, it may be necessary to report a privacy breach to the affected individuals, the privacy commissioner, your regulatory authority (College), or possibly all three.
Your first action after discovering a possible privacy breach is to contact the CMPA as soon as possible.
Notification and reporting obligations
Most jurisdictions in Canada require that custodians notify individuals who are affected by a breach of their personal health information. Custodians must also report the breach to specified parties, such as the privacy commissioner, or their College, or both. The jurisdiction you’re in and the nature of the breach will determine what notification and reporting is required, what parties must receive the notice or report, and the information that must be conveyed. Such notification may be required when, for example, a cyberattack (e.g. ransomware) results in personal health information likely being accessed by unauthorized users.
Custodianship
Privacy legislation identifies the individuals and entities who have custody and control of personal health information and who are ultimately responsible for ensuring compliance with notification and reporting requirements. These individuals and entities are most often referred to as custodians or trustees, but the terminology can vary.
Notification to affected individuals
When identifiable personal health information is inappropriately accessed, lost, or stolen, it is necessary to consider whether patients or other affected individuals should be notified.
In the Northwest Territories and Ontario, notification is required in every case where personal health information is inappropriately accessed, lost, or stolen. Notification is also required in New Brunswick, Nova Scotia, Newfoundland and Labrador, Prince Edward Island, the Yukon, Manitoba, Québec and Alberta, but only when the breach poses a reasonable risk of harm to the affected individual(s).
Federal legislation imposes a similar notification requirement on custodians practising in private clinics and offices in Alberta, Saskatchewan, Manitoba, Prince Edward Island, and all three territories.[1] These obligations under federal legislation may overlap with some provincial requirements.
Reporting to privacy commissioner and ministry of health
Custodians in some provinces and territories are required to report privacy breaches to their provincial or territorial privacy commissioner. Federal legislation also requires custodians in some provinces and territories to report significant privacy breaches to the Privacy Commissioner of Canada. A report to the provincial ministry of health is also required in Alberta, and in Québec a report must be made to the Minister of Cybersecurity and Digital Technology.
In New Brunswick, Nova Scotia, Newfoundland and Labrador, Prince Edward Island, Ontario, Northwest Territories, the Yukon, Manitoba, Québec and Alberta, it is mandatory to notify the provincial or territorial privacy commissioner of a privacy breach in specified circumstances. In New Brunswick and Prince Edward Island, for example, a report is required unless the breach will not adversely affect individuals or lead to their identification. In Alberta and Québec, it is mandatory to notify the provincial privacy commissioner (in addition to the Ministry of Health in Alberta and Ministry of Cybersecurity and Digital Technology in Québec) when there is a real risk of harm to an individual.
In addition to any applicable provincial or territorial requirements, the Privacy Commissioner of Canada must also be notified when there is a "real risk of significant harm to an individual"[2] arising from a privacy breach of information held by a custodian practising in Alberta, Saskatchewan, Manitoba, Prince Edward Island, and all three territories. Significant harm is defined in the legislation to include bodily harm or property damage, humiliation, damage to reputation or relationships, loss of business or professional opportunities, financial loss, identity theft, and negative effects on the individual’s credit record.[3] Custodians in these jurisdictions must maintain a record of every privacy breach for 24 months.
Annual reporting
Custodians must report annually (before March 1) to the Information and Privacy Commissioner of Ontario. The report must specify the number of times personal health information in their custody and control was stolen, lost, or used or disclosed without authority.
Physicians in Ontario acting as custodians of personal health information should be tracking any such privacy breaches and submitting these annual reports.[4]
In Québec, while there is no obligation to report annually, custodians are required to maintain a registry of privacy breach incidents that must be provided to the Commission d’accès à l’information upon request.
Reporting to the medical regulatory authority (College)
It may also be necessary in some cases to report a privacy breach to a College, though this obligation is currently limited to Ontario only. Ontario’s privacy legislation requires notification to the applicable College where a custodian takes disciplinary action against a regulated healthcare professional as the result of a privacy breach. Physicians outside of Ontario do not currently have the same obligation to notify a College.[5]
Notifying police and other organizations
Custodians in the Northwest Territories must notify law enforcement where patient information is lost or stolen, or where information is disclosed, altered, destroyed, or disposed of through fraud or identity theft.
Custodians in Alberta, Saskatchewan, Manitoba, Prince Edward Island, and all three territories must notify any other organization that will help to reduce the risk of harm to affected individuals from the breach or to mitigate that harm. Such organizations could include, for example, a law enforcement agency or the children’s aid society, depending on the circumstances.
Even in the absence of a legal requirement, if property has been stolen or systems have been subject to a cybersecurity attack, physicians will want to consider whether to notify the police.
Non-custodian physicians
Notification and reporting obligations generally apply to custodians. If you are not the legal custodian of the information under the applicable legislation, someone else may need to know and take action. You should promptly notify the custodian (e.g. hospital, health authority, clinic) as soon as you discover a possible privacy breach. In Alberta, individuals working for a custodian are required to notify the custodian of a breach. In British Columbia, physicians working in a health authority/hospital must immediately notify the head of the health authority/hospital about an unauthorized disclosure of personal information in the custody or control of the health authority/hospital.
You are encouraged to co-operate and work with the custodian on the appropriate notification or report following a privacy breach. When there is a disagreement with the custodian about whether notification or a report is required, the scope of any notification or report, or the information to be included, you are encouraged to make reasonable efforts to find a mutually acceptable solution and to contact the CMPA for advice.
The bottom line
- Custodians in most provinces and territories are required to notify or report a privacy breach to specified individuals and entities.
- The specific requirements vary between jurisdictions and continue to evolve. Stay up to date and seek advice from your privacy officer, local privacy commissioner’s office, College, ministry of health, and the CMPA about the current obligations that apply to you. These obligations could include notifying affected individuals; reporting to the privacy commissioner, the College, or both; keeping records; and reporting annually.
- If you are not the custodian, promptly advise the custodian of any possible privacy breach of personal health information.
References
1. These rules apply to physicians in jurisdictions where existing provincial/territorial privacy legislation has not (to date) been deemed substantially similar to the federal Personal Information Protection and Electronic Documents Act.
2. Personal Information Protection and Electronic Documents Act, SC 2000, c 5, s. 10.1(1).
3. Personal Information Protection and Electronic Documents Act, SC 2000, c 5, s. 10.1(7).
4. Further information regarding the contents of the annual report is available on the IPC website.
5. Although other jurisdictions do not have an express requirement to report a privacy breach to the College, physicians may have broader obligations to report unprofessional conduct or disciplinary action, depending on the jurisdiction. Please contact the CMPA for more information.