Privacy Breach Reporting : Changes Now in Effect
As of June 2016 , OTs working in Ontario need to be aware of new reporting obligations under the Personal Health Information Protection Act , 2004 ( PHIPA ).
If a privacy breach occurs , the health information custodian ( the person with custody and control of the records ) not only must notify the affected individual at the first reasonable opportunity but now , must also notify the individual that she or he can make a complaint about the breach to the Information and Privacy Commissioner of Ontario .
If you are an agent of a health information custodian ( for example , if you are an OT working for a group practice , a hospital or for another regulated health professional ) you need to tell the responsible custodian of the breach at the first reasonable opportunity .
Although you are not currently mandated by law to report any privacy breach directly to the Information and Privacy Commissioner of Ontario , you may decide to do so voluntarily .
The changes to PHIPA now also require health information custodians
Under PHIPA , a privacy breach is considered to be the unauthorized use or disclosure of personal information or the loss or theft of personal health information .
This includes the viewing of health records by someone who is not allowed to view those records ( known as “ snooping ”).
to report certain actions taken in response to privacy breaches to the appropriate regulatory College .
This means that if a health information custodian takes any disciplinary action against an OT or other professional of a College under the Regulated Health Professions Act , 1991 or the Ontario College of Social Workers and Social Service Workers because of that professional ’ s unauthorized collection , use , disclosure , retention or disposal of personal health information , the custodian must report that fact to the professional ’ s regulatory College .
This includes situations where a custodian suspends or terminates an OT ’ s or other regulated health professional ’ s employment or revokes or restricts their privileges or business affiliation . It also includes situations where the member resigns in the face of such action .
This notice must be given within 30 days of the disciplinary action or resignation occurring and it must be in writing . This new notice requirement under PHIPA overlaps with the mandatory reporting provisions of the Regulated Health Professions Act , 1991 , which require employers to report when a member has been
17 College of Occupational Therapists of Ontario ON THE RECORD 2016