NEW privacy breach reporting rules effective Oct. 1 and NEW guidelines to support you in meeting them

Effective October 1, 2017, health information custodians (HICs) will be required to report certain privacy breaches to the Information and Privacy Commissioner (IPC). The IPC has published new guidelines to support you in complying with these new rules. Please read them here and distribute them widely to all members of your team. The new guidelines outline the situations in which you must notify the commissioner of a privacy breach, including:

  • Use or disclosure of personal health information without authority
  • Stolen health information
  • Further unauthorized use or disclosure of health information after a breach
  • Pattern of similar breaches
  • Disciplinary action against an employee or agent of a custodian
  • Significant breaches that do not fall into one of the above categories

Effective January 1, 2018, HICs will also be required to start tracking privacy breach statistics, and they will be required to provide the IPC with an annual report of the previous calendar year’s statistics beginning in March 2019. We will update you when the IPC releases detailed guidance on this statistical reporting requirement in the coming months. We are currently updating our privacy resources for AFHTO members, to further support you in complying with the new regulations. In the meantime, you may wish to review these two privacy tools developed for AFHTO members:

For up-to-date privacy news and resources from Kate Dewhirst, check out the FHT category on her health privacy blog.
