[BreachExchange] Mandatory Notice Requirements under PHIPA and Public Consultation on Proposed Regulation Regarding Notices to the Commissioner

Inga Goddijn inga at riskbasedsecurity.com
Thu Apr 13 17:09:54 EDT 2017


http://www.lexology.com/library/detail.aspx?g=70b1f5de-ba13-4187-ae6a-9214e6fa52d7

The Information and Privacy Commissioner (IPC) has always strongly
encouraged health information custodians (HICs) to report privacy breaches
to its office, particularly where they may have broader implications.
Although the *Personal Health Information Protection Act, 2004* (PHIPA)
prescribes mandatory notification of privacy breaches to affected
individuals, until recently, reporting to the IPC has been voluntary.

Bill 119, the *Health Information Protection Act, 2016* (HIPA), which came
into force on June 3, 2016, introduced a number of amendments to the notice
requirements under PHIPA. These include mandatory:

   1. *Notice to the individual* (i.e. patient/resident/client or
   substitute decision-maker) where personal health information (PHI) that is
   in the custody or control of the HIC is *“stolen or lost or if it is
   used or disclosed without authority”*. In this instance, the HIC must
   notify the individual at the first reasonable opportunity and include in
   the notice a statement that the individual is entitled to make a complaint
   to the IPC. Under the previous provision, notification was triggered by PHI
   being lost, stolen or *“accessed by unauthorized persons”*, which was
   somewhat ambiguous and subject to interpretation. The amendments tighten up
   the language and also require a statement advising the individual of their
   right to make a complaint.
   2. *Notice to Commissioner* if the circumstances surrounding a theft,
   loss or unauthorized use or disclosure *“meet the prescribed
   requirements”*. Although the provisions are in force, they are not
   operational without a corresponding regulation setting out the “prescribed
   requirements”. Regulatory amendments to Regulation 329/04 made under PHIPA
   have been proposed to address when notice must be provided to the IPC, as
   detailed below.
   3. *Notice to Governing College* where an agent of a HIC who is a member
   of a regulated health profession has been terminated, suspended or subject
   to disciplinary action or whose privileges or affiliation have been
   revoked, suspended or restricted as a result of the unauthorized
   collection, use, disclosure, retention or disposal of PHI by the agent.
   This requirement also applies if the HIC has reasonable grounds to believe
   that the agent has resigned or voluntarily restricted their privileges or
   affiliation as a result of an investigation or other action into such an
   alleged breach.

*Proposed Amendment to Regulation 329/04 Regarding Notices to the Commissioner*

The Ministry of Health and Long Term Care (MOHLTC) has circulated a
consultation draft of the proposed regulatory amendments prescribing the
circumstances when a HIC must notify the IPC. If approved, the notification
requirements would take effect on July 1, 2017.

*Prescribed Circumstances to Notify the IPC*

1. The HIC has reasonable grounds to believe that the PHI that was stolen,
lost or used or disclosed without authority has been or will be
subsequently used or disclosed without authority.

2. The theft, loss or unauthorized use or disclosure is part of a pattern
of similar thefts, losses or unauthorized uses or disclosures of personal
PHI under the custody or control of the HIC.

3. The HIC has given notice to a College in accordance with PHIPA in
respect of a theft, loss or unauthorized use or disclosure of PHI.

4. The HIC would have been required to give notice to a College in
accordance with PHIPA in respect of the theft, loss or unauthorized use or
disclosure of PHI by the HIC’s agent if the agent were a member of a
College.

5. The HIC has reasonable grounds to believe that the PHI was intentionally
used or disclosed without authority.

6. The circumstances do not meet the requirements in any of the preceding
paragraphs, and the HIC determines that the theft, loss or unauthorized use
or disclosure is significant, having regard to all relevant circumstances
including,

i. the nature of the PHI that was stolen, lost or used or disclosed without
authority;

ii. the number of records of PHI that were stolen, lost or used or
disclosed without authority;

iii. the number of individuals whose PHI was contained in the record or
records that were stolen, lost or used or disclosed without authority; and

iv. the number of HICs or agents responsible for the theft, loss or
unauthorized use or disclosure.

The prescribed circumstances are very broad reaching. If a circumstance
does not meet the requirements of paragraphs 1 to 5, the final
“circumstance” is meant to capture all other situations that the HIC
considers “significant”.

Based on the proposed wording of the regulation, notice requirements to a
Governing College in respect of a member are broader than reporting
requirements to the IPC. Specifically, while instances of unauthorized
retention or disposal of PHI must be reported to the Governing College, as
currently worded, this would not necessarily trigger reporting to the IPC.

*Annual Reporting to the IPC*

In addition to incident-specific reporting to the IPC, the proposed
amendments would also require a HIC to inform the IPC of the total number
of times that notices were provided to individuals under subsection 12(2)
of PHIPA, in respect of their PHI being stolen, lost or used or disclosed
without authority. If this amendment is approved, the first report would be
due on or before March 1, 2019 (and every year thereafter) in respect of
notices given in the previous calendar year.

The proposed amendments also give the IPC discretion to request and require
a HIC to provide:

   1. Information contained in any notice given to an individual; and
   2. Information the HIC relied on in deciding to notify the individual.

While IPC requests would not cover notifications issued in 2017, it would
be prudent for organizations that do not currently formally record the
reasons or facts considered when deciding to issue a notice to begin doing
so in anticipation and as preparation for the proposed regulatory change.

The MOHLTC is currently seeking public comment on the proposed
regulations. *The deadline to provide feedback is May 8, 2017*.

Complete versions of the proposed amendments and information on how to
provide feedback can be found on Ontario’s Regulatory Registry
<http://www.ontariocanada.com/registry/view.do?postingId=23883>. You may
also inquire with us if you have any questions.