Dialogue Volume 14 Issue 1 2018 - Page 42

PRACTICE PARTNER New rules for reporting a privacy breach to the IPC In our last issue of Dialogue, we wrote about amend- ments now in force that create new instances for health information custodians to report privacy breaches to health colleges, and the Information and Privacy Com- missioner (IPC). These amendments also create new provisions with respect to notifying affected individuals of privacy breaches and double the maximum fines for privacy offences. The IPC has released a guidance document to assist physicians and other health information custodians (HICs) to comply with the recent amendments to the Personal Health Information Protection Act (PHIPA). The IPC docu- ment is called “Reporting a Privacy Breach to the Commis- sioner: Guidelines for the Health Sector.” Physicians are also urged to be familiar with the expec- tations in the College’s Confidentiality of Personal Health Information policy. Below are the new instances for health information custodians to report privacy breaches to the Information and Privacy Commissioner. Use or disclosure without authority This category addresses those “medical snooping” situations – where the person committing the breach knew or ought to have known that their actions are not permitted either by PHIPA or the responsible custodian. An example would be where a person looks at an ex-spouse’s or perhaps a local celebrity’s medical his- tory for no work-related purpose. This includes situations where the unauthorized use or disclosure is not done for a personal or malicious motive. Generally, the IPC states that its Commissioner does not need to be notified when the breach is accidental, for example, when information is inadvertently sent by email or couriered to the wrong person, or a letter is placed in the wrong envelope. Also, the Com- missioner does not need to be notified when a person who is permitted to access patient information accidentally accesses the wrong patient record. However, even accidental privacy breaches must be reported if they fall into one of the following categories. 1 2 42 DIALOGUE ISSUE 1, 2018 Further use or disclosure without authority after a breach Following an initial privacy breach, the custodian may become aware that the information was or will be further used or disclosed without author- ity; this must be reported to the Commissioner. For example, a medical office employee inadvertently sends a fax containing patient information to the wrong person. Although the person returned the fax to the office, it is learned that he kept a copy and is threatening to make the information public. Even if the initial incident was not reported, the Com- missioner must be notified of this situation. 3 Stolen information A typical example of this would be where someone has stolen paper records, or a laptop or other electronic device. Another example would be where patient information is subject to a ransomware or other malware attack, or where the information has been seized through use of a portable storage device. The Commissioner does not need to be notified if the stolen information was de-identified or properly encrypted.