Privacy Breaches Obligations for Dietitians

WHAT IS A PRIVACY BREACH?

(revised September 2020)
Under the Personal Health Information Protection Act, 2004 (PHIPA), a privacy breach is the unauthorized use, disclosure, loss or theft of personal health information. A breach includes the viewing of health records by someone who is not allowed to view them (known as “snooping”), losing a USB key with health information on it or having a briefcase containing client files stolen. There are responding and reporting obligations applicable to dietitians regarding privacy breaches under PHIPA.

WHO NEEDS TO BE NOTIFIED OF A BREACH

1. Notify the health information custodian (HIC)

If you are an agent of a HIC (the person with custody and control of the records), you need to report the breach to the responsible HIC at the first reasonable opportunity. You are an agent of a HIC if you work for a group practice, a hospital or for another regulated health professional who is designated as a HIC.

2. Notify the Individual Affected

When an individual’s privacy is breached, the HIC needs to notify them at the first reasonable opportunity. The HIC also needs to inform them that they can make a complaint about the breach to the Information and Privacy Commissioner of Ontario.

3. Notify the Information and Privacy Commissioner of Ontario

As of October 1, 2017, the Ontario government implemented privacy breach reporting obligations under the Personal Health Information Protection Act, 2004 (PHIPA). These require dietitians who act as Health Information Custodians (HICs) to report on seven categories of privacy breaches to the Information & Privacy Commissioner of Ontario (Commissioner).
The reporting obligations are separate from the duty of HICs to notify individuals of the theft, loss or unauthorized use or disclosure of their personal health information under subsection 12(2) of PHIPA.

Refer to these resources for guidance: 

THE SEVEN CATEGORIES OF PRIVACY BREACHES

More than one category can apply to a single privacy breach. If at least one of the situations listed below applies, dietitians who act as HICs must report it to the Commissioner.
1. Use or Disclosure Without Authority 

Report snooping by an organization's personnel, health care provider or other third party (e.g. contracted external service provider). If the breach was accidental, for example, if information is inadvertently sent by email or courier to the wrong person or if a person with authority accidentally accesses the wrong client record, reporting is not generally required. This exception for accidental use or disclosure does not apply to the other types of breaches noted below in the other six categories.

2. Theft of Personal Health Information 

Report stolen paper records, laptops and other stolen electronic devices containing personal health information. Also report ransomware or other malware attacks whereby personal health information of individuals was stolen. A notice to the Commissioner is not required if the stolen information was de-identified or properly encrypted. HICs are encouraged to adopt de-identification and encryption measures to prevent privacy breaches. For more information, refer to Health-Care Requirement for Strong Encryption (Ann Cavoukian, Ph.D., Information & Privacy Commissioner of Ontario, 2010).

3. A Breach Causes Further Use or Disclosure Without Authority 

The privacy breach must be reported if it is compounded by further breaches, for example, if unauthorized access to personal information could potentially lead to, or has led to, commercial or criminal exploitation of the information, or if there is a threat to publish the information.

4. Pattern of Similar Breaches 

HICs must exercise judgement to decide if a privacy breach is an isolated incident or a pattern. A series of accidental or insignificant breaches may indicate systemic problems such as malfunctioning equipment or systems, gaps in safeguards or training. Keeping a record of privacy breaches in a standard format will help HICs identify any patterns.

5. Disciplinary Action (Against a College Member) 

If a member of a college is terminated, suspended or disciplined, or they resign as a result of a privacy breach, or their privileges are revoked, suspended or restricted, or are relinquished or voluntarily restricted as a result of a breach, the incident must be reported to the Commissioner.

6. Disciplinary Action Against a Non-College Member 

This is similar to number 5 above, but applies to employees or agents of a HIC who are not members of health regulatory colleges. The Commissioner’s Guideline provides the following scenario: “One of your registration clerks has an unpleasant encounter with a client and posts information about the client on social media. You suspend the clerk for a month.” Although the clerk is not a member of a health regulatory college, HICs must report this privacy breach to the Commissioner.

7. Significant Breach 

All significant breaches must be reported to the Commissioner, regardless of whether they fall into any of the above six categories. Determining whether a breach is "significant" will require careful consideration and should be made in consultation with legal counsel for the HIC to ensure that breaches are reported in appropriate cases. In assessing whether a breach is "significant", HICs can ask the following questions:

  • Is the information sensitive?

  • Does the breach involve a large volume of information?

  • Does the breach involve many affected individuals?

  • Was more than one HIC or agent responsible for the breach?

Even where there is no particular harm, a breach may be deemed significant and require a report to the Commissioner. For example, the accidental disclosure of a client's mental health assessment to other health care providers on a group email distribution list, rather than to just the client's physician, is an instance that the Commissioner considers to be a significant breach. Other examples are included in the Commissioner’s Guideline.

ANNUAL REPORTING TO THE IPC

As of January 1, 2018, HICs must begin compiling privacy breach statistics and as of January 2019, they must provide the Commissioner with an annual report of the previous calendar year's privacy breach statistics. The report is to include the number of times that personal information was stolen, lost, used without authority, or disclosed without authority (with the report indicating specific numbers for each type of breach).

REPORTING TO REGULATORY COLLEGES

HICs are required to report certain actions taken in response to privacy breaches to the appropriate regulatory College. This means that if any disciplinary action is taken against a dietitian because of their unauthorized collection, use, disclosure, retention, or disposal of personal health information, the HIC must report that fact to the College of Dietitians of Ontario. This includes situations where a HIC suspends or terminates a member’s employment or revokes or restricts a member’s privileges or business affiliation. This applies even where the member resigns in the face of such action. The notice must be given within 30 days of the disciplinary action or resignation occurring, and it must be in writing.

POLICIES AND PROCEDURES

The privacy breach reporting requirements may present challenges for health care providers. It is advisable that dietitians who act as HICs develop internal policies and procedures to adequately detect, manage and appropriately respond to privacy breaches and their mandatory reporting obligations.

See the College’s Privacy of Personal Information Dietetic Practice Tool Kit for Registered Dietitians in Ontario.

OFFENCES

Amendments were made to PHIPA in 2016 to facilitate the prosecution of offences by removing the limitation period. In addition, PHIPA will enable the Information and Privacy Commissioner to impose administrative monetary penalties, analogous to parking tickets, except that the amount of the monetary penalty will likely be much higher.

PHIPA also creates many offences for deliberately breaching the Act (s. 72). For example, deliberately collecting, using (which includes viewing) or disclosing personal health information contrary to the Act is an offence. So is the deliberate disposal of such information in an insecure manner (e.g., throwing documents in the blue box without first shredding them). An individual who is found guilty of an offence can face a fine of up to $200,000 and an organization can face a fine of up to $1,000,000. An individual can also be imprisoned for up to one year upon conviction of an offence.