une main qui tient une guitare

Perspectives

Nous sommes désolés. Le contenu de cette page n'est présentement disponible qu'en anglais.

New PHIPA Mandatory Reporting Requirement

Health information custodians are required to notify the Information and Privacy Commissioner when they have reasonable grounds to believe there has been a breach of the Personal Health Information Protection Act, 2004.

As of October 1, 2017, health information custodians are required to notify the Information and Privacy Commissioner ("IPC") when they have reasonable grounds to believe there has been a breach of the Personal Health Information Protection Act, 2004 ("PHIPA"). This represents a change from prior legislation that afforded institutions more discretion.

Under subsection 6.3(1)(1) of the regulations and 12(4) of PHIPA, a health information custodian will be required to notify the Commissioner where it has reasonable grounds to believe that personal health information in its custody or control "was used or disclosed without authority by a person who knew or ought to have known" that he or she did not have permission to do so. In particular, notification will be required in cases of snooping or reckless handling of personal health information.

Custodians are also required to notify the Commissioner where they have reasonable grounds to believe that personal health information has been stolen under subsection 6.3(1)(2), where there was or will be further disclosure of personal health information that was lost, used or disclosed without authority under subsection 6.3(1)(3), or where there has been a pattern of similar losses of personal health information or of unauthorized use or disclosure. For example, notification would be required if a custodian experienced a series of inadvertent disclosures or losses due to a fax machine error or other systemic issue.

The purpose of these regulations is to require notification to the Commissioner in nearly all situations where there is a privacy breach which required patient notification. At least initially, this will likely generate a significant increase in the number of notifications to the Commissioner.

For further information please see BLG's full summary of the requirements here.

Related Contacts & Expertise

  • Roberto Ghignone

    Roberto Ghignone

    Associé

    Ottawa
    RGhignone@blg.com
    613.369.4791

    Roberto Ghignone

    Associé

    Services
    • Cybersécurité, respect de la vie privée et protection des renseignements personnels
    • Litiges
    • Renseignements personnels sur la santé et protection de la vie privée
    • Litige commercial
    • Litiges et règlement de différends en matière d’immobilier

    • Voir la biographie
    Voir la biographie
  • Logan Crowell

    Logan Crowell

    Avocat-conseil

    Toronto
    LCrowell@blg.com
    416.367.6179

    Logan Crowell

    Avocat-conseil

    Services
    • Droit de la santé
    • Cybersécurité, respect de la vie privée et protection des renseignements personnels
    • Différends en matière de soins de santé
    • Enquêtes des organismes de réglementation en matière de protection de la vie privée
    • Réglementation en matière de santé

    • Voir la biographie
    Voir la biographie