Human Resources Legislative Update

New PHIPA Regulation Sets Out Circumstances in Which Health Information Custodians Must Notify Privacy Commissioner

Date: July 5, 2017

On June 29, 2017, the Ontario government filed O. Reg. 224/17 amending O. Reg. 329/04 (General) made under the Personal Health Information Protection Act, 2004 (Act).

The Act was amended in 2016 by the Health Information Protection Act, 2016, which, among other things, added a section compelling health information custodians to notify the Information and Privacy Commissioner (IPC) about the theft, loss or unauthorized use or disclosure of personal health information in certain circumstances (s. 12(3) of Act).

O. Reg. 224/17 adds a section to O. Reg. 329/04, specifying that a health information custodian must notify the IPC when:

  • the custodian has reasonable grounds to believe that:
    • personal health information in the custodian’s custody or control was used or disclosed without authority by a person who knew or ought to have known that they were using or disclosing the information without authority
    • personal health information in the custodian’s custody or control was stolen
    • after an initial loss or unauthorized use or disclosure of personal health information in the custodian’s custody or control, the personal health information was or will be further used or disclosed without authority.
  • the loss or unauthorized use or disclosure of personal health information is part of a pattern of similar losses or unauthorized uses or disclosures of personal health information in the custody or control of the custodian
  • the custodian is required to give notice to a College [as defined in ss 17.1(1) of the Act] of an event described in section 17.1 of the Act that relates to a loss or unauthorized use or disclosure of personal health information
  • the custodian would be required to give notice to a College, if an agent of the health information custodian were a member of the College, of an event described in section 17.1 of the Act that relates to a loss or unauthorized use or disclosure of personal health information
  • the custodian determines that the loss or unauthorized use or disclosure of personal health information is significant after considering all relevant circumstances, including the following:
    • whether the relevant personal health information is sensitive
    • whether the loss or unauthorized use or disclosure involved a large volume of personal health information
    • whether the loss or unauthorized use or disclosure involved many individuals’ personal health information
    • whether more than one custodian or agent was responsible for the loss or unauthorized use or disclosure of the personal health information. [s. 6.3(1)].

O. Reg. 224/17 also requires custodians to annually provide the IPC with a report setting out the number of times in the previous calendar year that personal health information in the custody or control of the custodian was stolen, lost, used without authority or disclosed without authority. The first report must be submitted on or before March 1, 2019.

O. Reg. 224/17 comes into force on October 1, 2017.