Human Resources Legislative Update
IPC Provides Important Guidance on New PHIPA Annual Reporting Obligations
Date: January 29, 2018
Organizations that provide healthcare and are governed by the Personal Health Information Protection Act (PHIPA) should note that recent amendments to PHIPA require health information custodians (HICs) to file an annual report with the Information and Privacy Commissioner (IPC) disclosing all security incidents involving theft, loss, or unauthorized use or disclosure of personal health information. At an Ontario Hospital Association presentation earlier this month, Commissioner Brian Beamish addressed the new amendments and provided the following guidance:
- First reports of HICs will be due March 1, 2019 and must include any security incidents occurring in the 2018 calendar year. This includes any security incidents discovered in the 2018 calendar year, regardless of when the security incident actually occurred.
- This reporting obligation extends beyond the mandatory point-in-time breach reporting obligations implemented on October 1, 2017 – annual reports must include any incident, no matter how trivial, and regardless of any prior obligation to report to the IPC at the time of the security incident.
- HICs should not count an incident more than once. If one incident includes an employee’s unauthorized access of personal health information, followed by an improper disclosure of that information, the HIC should choose the category that the incident best fits.
- In the event that an HIC has no security incidents over the course of the year, only those institutions also governed by the Freedom of Information and Protection of Privacy Act will need to submit an annual report stating that no security incidents occurred.
- Where information systems are shared by multiple HICs, the reporting responsibilities of each HIC should be clearly set out in a contract or agreement to avoid duplicative reporting.
- An online portal is being developed that will allow HICs to submit their annual reports electronically.
In his concluding remarks, Commissioner Beamish recommended that organizations document security incidents, as they occur, to avoid the need to comb through records to identify past security incidents when the reports become due.