What is a Privacy Breach?
A privacy breach occurs when personal health information (PHI) is accessed, used, disclosed, lost, or stolen without authorization under the Personal Health Information Protection Act, 2004 (PHIPA).
Examples include:
- Viewing health records without authorization (snooping).
- Losing a USB drive or laptop containing client information.
- Having a bag or briefcase with patient files stolen.
- Sending personal health information to the wrong recipient.
Dietitians have obligations under PHIPA to respond to and report privacy breaches. The steps depend on whether the dietitian is acting as a Health Information Custodian (HIC) or as an agent of a HIC.
Who needs to be notified of a breach?
1. Notify the Health Information Custodian (HIC)
If you are an agent of a HIC, you must report the breach at the first reasonable opportunity.
Dietitians are considered agents when working in organizations such as hospitals, group practices, or clinics where another party holds custody and control of records.
Follow the organization’s policies on reporting privacy breaches and notify your manager or privacy officer.
2. Notify the individual affected
The HIC must notify the individual whose personal health information was breached as soon as reasonably possible.
The notification must also inform the individual that they may file a complaint with the Information and Privacy Commissioner of Ontario (IPC).
3. Notify the Information and Privacy Commissioner of Ontario
Since October 1, 2017, PHIPA requires health information custodians to report certain types of privacy breaches to the Information and Privacy Commissioner.
These reporting obligations are in addition to the obligation under subsection 12(2) of PHIPA to notify individuals when their personal health information has been stolen, lost, or used or disclosed without authority.
Resources from the IPC available to support healthcare providers include:
- Report a health privacy breach.
- Responding to a Health Privacy Breach: Guidelines for the Health Sector.
The Seven Categories of Privacy Breaches
PHIPA requires reporting to the IPC when a breach falls into one of seven categories. More than one category may apply to the same incident.
1. Use or disclosure without authority
This includes intentional unauthorized access to or disclosure of personal health information, such as staff snooping or improper access by service providers.
Accidental disclosures, such as sending information to the wrong recipient, generally do not require reporting under this category unless another category also applies.
2. Theft of personal health information
The theft of personal health information must be reported. Examples include stolen:
- paper files
- laptops or mobile devices
- electronic storage devices containing personal health information
Cyber incidents, such as ransomware attacks in which personal health information is exfiltrated, must be reported. Reporting is not required if the stolen information was properly encrypted (which protects it only if the decryption key or password was not also compromised) or de-identified.
3. A breach that leads to further unauthorized use or disclosure
A breach must be reported if it results in or could reasonably lead to further misuse of personal health information.
Examples include situations involving:
- criminal activity
- identity theft
- threats to publish or distribute personal health information
4. Pattern of similar breaches
A series of breaches, even if each one appears minor or accidental, may indicate systemic issues such as:
- outdated technology
- inadequate safeguards
- insufficient staff training
Maintaining detailed records helps organizations identify patterns and address underlying issues.
5. Disciplinary action involving a College Registrant
A breach must be reported if disciplinary action is taken against a regulated health professional because of the incident. This includes:
- if employment is suspended or terminated
- if professional privileges are restricted
- if the individual resigns before action is taken
6. Disciplinary action involving a non-College Registrant
This category applies to staff or agents who are not regulated professionals.
For example, if an administrative employee posts client information online and is suspended as a result, the breach must be reported.
7. Significant breach
A breach must be reported if it is considered significant. Factors that may determine significance include:
- the sensitivity of the information
- the volume of information involved
- the number of affected individuals
- whether multiple agents contributed to the breach
Even if there is no confirmed harm, a breach may be considered significant. For example, sending a client’s mental health assessment to a large distribution list instead of a single provider may be considered significant.
Annual Reporting to the Information and Privacy Commissioner
Since January 1, 2018, health information custodians must maintain records of privacy breaches.
HICs must submit annual statistical reports to the Information and Privacy Commissioner describing the number of times personal health information was:
- stolen
- lost
- used without authority
- disclosed without authority
Reports must include all breaches that occurred during the year, even if they did not require immediate reporting to the Commissioner when they occurred.
Reporting to the College of Dietitians of Ontario or Other Regulators
Health information custodians must report disciplinary actions arising from a privacy breach to the appropriate regulatory college.
For dietitians, this applies when:
- employment is suspended or terminated
- privileges are revoked or restricted
- a dietitian resigns before these actions occur
The report must be submitted in writing without delay and no later than 30 days after the incident. See Mandatory Reporting for more details.
Policies and Procedures
Because mandatory reporting can be complex, dietitians who are health information custodians should implement internal policies to detect, manage, and respond to privacy breaches.
The CDO provides further guidance in the Privacy of Personal Information Dietetic Practice Tool Kit.
Offences
PHIPA was amended in 2016 to remove the limitation period for prosecuting offences and to allow for administrative monetary penalties. Deliberate violations — such as unauthorized access, disclosure, or insecure disposal of personal health information — are offences under section 72 of PHIPA.
Penalties include:
- fines up to $200,000 for individuals
- fines up to $1,000,000 for organizations
- potential imprisonment for up to one year
Examples of offences include intentional snooping or discarding documents containing personal health information without first shredding them.
References
College Standards, Guidelines, and other articles
College of Dietitians of Ontario (2019). Professional Practice Standard: Consent to Treatment and for the Collection, Use, and Disclosure of Personal Health Information.
College of Dietitians of Ontario (2020). Privacy of Personal Information Dietetic Practice Tool Kit for Registered Dietitians in Ontario.
College of Dietitians of Ontario (2022). Mandatory Reporting.
Information and Privacy Commissioner of Ontario
Information and Privacy Commissioner of Ontario (2017). Annual reporting of privacy breach statistics to the commissioner – requirements for the health sector.
Information and Privacy Commissioner of Ontario (2018a). Report a health privacy breach.
Information and Privacy Commissioner of Ontario (2018b). Responding to a Health Privacy Breach: Guidelines for the Health Sector.
Legislation
Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A.