Dialogue Volume 14 Issue 1 2018 | Page 43

PRACTICE PARTNER
4 Pattern of similar breaches

Even if a privacy breach is accidental or insignificant by itself, it must be reported to the Commissioner if it is part of a pattern of similar breaches. The IPC states that such a pattern may reflect systemic issues that need to be addressed, such as inadequate training or procedures. Custodians must use their judgment in deciding if a privacy breach is an isolated incident or part of a pattern; take into account, for instance, the time between the breaches and their similarities. Keeping track of privacy breaches in a standard format will help identify patterns.

5 Disciplinary action against a college member

A duty to report an employee or other agent to a health regulatory college also triggers a duty to notify the Commissioner. Where an employee is a member of a college, the Commissioner must be notified of a privacy breach if:
• the custodian terminated, suspended or disciplined them as a result of the breach
• they resigned and the custodian believes this action is related to the breach
Where a health-care practitioner with privileges or otherwise affiliated with the custodian is a member of a college, the Commissioner must be notified of a privacy breach if:
• the custodian revoked, suspended or restricted their privileges or affiliation as a result of the breach
• they relinquished or voluntarily restricted their privileges or affiliation and it is believed that this action is related to the breach
Similar requirements apply to health-care practitioners employed by a board of health.

6 Disciplinary action against a non-college member

Not all employees or other agents of a custodian are members of a college. If an agent is not such a member, the Commissioner must be notified in the same circumstances that would have triggered notification to a college, had the agent been a member. An example would be a registration clerk who has an unpleasant encounter with a patient and posts information about the patient on social media. Although the clerk is not a member of a college, this privacy breach must be reported.

7 Significant breach

Even if none of the above six circumstances apply, the Commissioner must be notified if the privacy breach is significant. In deciding whether a breach is significant, the custodian must consider all the relevant circumstances, including whether:
i. the information is sensitive
ii. the breach involves a large volume of information
iii. the breach involves many individuals' information
iv. more than one custodian or agent was responsible for the breach

The IPC provides the example of a physician who posts detailed information on a website about a group of patients receiving specialized treatment for a novel health issue. It then comes to the physician's attention that others can easily identify these patients even though there were no names disclosed. This breach involves many patients, whose information has potentially been made widely available. These types of breaches should be reported to the Commissioner. Note that even breaches that cause no particular harm may still be significant.