Breach of Patient Privacy FIPPA and PHIPA

MANUAL: PRIVACY and CONFIDENTIALITY
NUMBER: PRC-05
CATEGORY: GENERAL
PAGE: 1 of 9
TITLE: BREACH OF PATIENT PRIVACY FIPPA AND PHIPA
DATE: 07/01/09
REVISED: 2013, July 01
ISSUED BY: EXECUTIVE COMMITTEE
REFERENCE:
____________________________________________________________________________________
Responsibility: PRIVACY OFFICER/HEALTH RECORDS
This policy applies to: GBHS/SBGHC/HDH
POLICY
The Personal Health Information Protection Act, 2004 (the Act) sets out the rules that persons or organizations
defined as “health information custodians” must follow when collecting, using, disclosing, retaining and
disposing of personal health information.
The rules recognize the unique character of personal health information as one of the most sensitive types of
personal information that is frequently shared for a variety of purposes, including care and treatment, health
research, and managing our publicly funded health care system.
The Act balances individuals’ right to privacy with respect to their own personal health information with the
legitimate needs of health information custodians to collect, use and share this information. With limited
exceptions, the Act requires health information custodians to obtain consent before they collect, use or disclose
personal health information. The Act also makes health information custodians responsible for the secure
storage and destruction of personal health information. In addition, individuals have the right to access and
request correction of their own personal health information.
The purpose of this paper is to provide guidance to health information custodians when they are faced with a
“privacy breach”.
See https://privacy breach checklist (add hyperlink)
FIPPA:
The Freedom of Information and Protection of Privacy Act and the Municipal Freedom
of Information and Protection of Privacy Act (the Acts) establish rules for government
institutions to follow to ensure the protection of individual privacy. The Acts govern the
collection, retention, use, disclosure and security of personal information (sections 37–46
of the provincial Act and 27–35 of the municipal Act).
A privacy breach occurs when personal information is collected, retained, used or disclosed in
ways that are not in accordance with the provisions of the Acts. Among the most common
breaches of personal privacy is the unauthorized disclosure of personal information, contrary to
section 42 of the provincial Act or section 32 of the municipal Act.
For example, personal information may be lost (a file is misplaced within an institution), stolen
(laptop computers are a prime example) or inadvertently disclosed through human error (a letter
addressed to person A is actually mailed to person B).
PHIPA
GBHS/SBGHC, as a Health Information Custodian under the Personal Health Information Protection Act
(PHIPA), 2004, is responsible and accountable for the privacy and security of the personal health
information (PHI) under its custody and control.
It is the responsibility of GBHS/SBGHC employees and affiliates to:
• Comply with their obligations related to confidentiality and adhere to the Access to and Disclosure of Personal Health Information Policy.
• Protect and secure personal health information (PHI) to prevent a breach of a patient’s privacy.
• Act quickly if made aware of a privacy breach.
• Participate in the investigation and management of a privacy breach with appropriate representation, as applicable.
• Utilize the Privacy Breach – Leaders Guide as required.
A privacy breach occurs whenever:
• Personal Health Information is lost or stolen, or
• Personal Health Information is accessed, disclosed, copied or modified without authority, or
• Disposal of PHI has occurred in an insecure manner, or
• In any other situation where an employee or affiliate has violated or is about to violate the Personal Health Information Protection Act (PHIPA), 2004 (see the definitions of suspected, potential and actual privacy breaches for examples).
A privacy breach can occur via verbal or written communication, by phone, e-mail, fax, electronic means
or any other medium. A privacy breach can be potential, suspected, or actual.
Upon learning of a privacy breach or being alerted to a patient’s concern regarding the security of his or
her personal health information, employees and affiliates must immediately contact their
Manager/Supervisor. Whistleblowers are protected under the Whistleblowing Protocol policy and the
Personal Health Information Protection Act (2004) from any reprisal for having made a disclosure in good faith,
and will be protected if the employee:
• Discloses the information in good faith
• Believes it to be substantially true
• Does not act maliciously or make false allegations; and
• Does not seek any personal or financial gain
By law (PHIPA 2004), GBHS/SBGHC must notify a patient, if capable, or the Substitute Decision Maker
(hereafter referred to as patient/SDM), if the patient is not capable, if there has been a breach of their
privacy related to their Personal Health Information. The patient’s physician, Manager/Supervisor, or
the most appropriate Regulated Health Professional who has a clinical relationship with the patient
(e.g. Social Worker, Psychologist), in collaboration with the Privacy Officer, Manager or Specialist, is responsible to
notify the patient following confirmation and investigation of a breach.
Breach of privacy may be cause for disciplinary action up to and including termination of employment or
contract or loss of appointment or affiliation with the organization.
Employees and affiliates are responsible to:
• Notify their Manager/Supervisor, or the Privacy Officer, if made aware of a potential, suspected or actual privacy breach.
• Contain information about the breach until confirmation, investigation and/or notification has been completed.
Managers/Supervisors are responsible to:
• Notify the Privacy Officer if made aware of a potential, suspected or actual privacy breach.
• Collaborate with the Privacy Officer in the investigation and management of a breach.
• Notify the appropriate employees, affiliates and/or departments as directed by the Privacy Officer.
• After confirmation of a breach and completion of the investigation, and in collaboration with the Privacy Officer, notify the affected patient(s).
• In collaboration with the Privacy Officer, review the breach and the information obtained as part of the investigation with an aim to take measures to reduce the risk of reoccurrence.
What steps can GBHS/SBGHC take to avoid a privacy breach?
GBHS/SBGHC, governed by the Acts, would be well served by adopting proactive measures to
prevent a privacy breach from occurring. These measures should include:
• educating staff about the privacy rules governing the collection, retention, use and disclosure of
personal information set out in Part III of the provincial Act and Part II of the municipal Act;
• educating staff about the regulations under the Acts governing the safe and secure disposal of
personal information and the security of records;
• ensuring policies and procedures are in place that comply with the privacy protection provisions
of the Acts and that staff are properly trained in this respect;
• conducting a privacy impact assessment (PIA), where appropriate. The PIA is a process that
helps determine whether new technologies, information systems and proposed programs or
policies meet basic privacy requirements;
• when in doubt, obtaining advice from your organization’s legal department and Freedom of
Information Co-ordinator. The Ministry of Government Services’ Office of the Chief
Information and Privacy Officer is also a useful resource for Co-ordinators; and
• consulting with the IPC’s Policy Department in appropriate situations.
Privacy Officers are responsible to:
• Notify the Manager/Supervisor if made aware of a potential, suspected or actual privacy breach.
• Ensure appropriate staff within the organization are immediately notified of the breach, including the Freedom of Information and Privacy Co-ordinator and the head and/or delegate, and work in collaboration with them on the breach.
• Depending on the severity of the breach, notify Human Resources, Risk Management and the Office of the Information Privacy Commissioner where applicable, as approved by the CIO.
• Submit a report outlining the breach, the investigation, patient notification and outcome to the CIO/designate and the Office of the Information Privacy Commissioner where applicable and approved by the CIO.
• Inform the IPC registrar of the privacy breach and work constructively with the IPC office.
In the event that a Privacy Officer identifies an actual, suspected or potential breach that may involve a
patient, or a staff/affiliate of another organization, the Privacy Officer will, as soon as reasonably
possible, notify the Privacy Officer, Designate or Administrator-on-Call of the HIC(s) that are impacted by
the breach. This may include the HIC of the PHI compromised or the HIC with whom the staff and/or
affiliate under investigation has an employment/affiliation/contractual relationship. Primary
responsibility to investigate the breach lies with the Privacy Officer where the breach occurred. Privacy
Officers from all organizations involved in the breach will work collaboratively, as necessary, to
investigate the extent and risks associated with the breach, contain the breach and reduce the risk of
reoccurrence.
DEFINITIONS
Affiliate: individuals who are not employed by the corporation but perform specific tasks at or for the
corporation, including appointed professionals (e.g., physicians/midwives/dentists), students,
volunteers, researchers, contractors, or contractor employees who may be members of a third-party
contract or under direct contract to the corporation, and individuals working at the corporation but
funded through an external source.
Personal health information: personal information with respect to an individual, whether living or
deceased, and includes:
• Information concerning the physical or mental health of the individual;
• Information concerning any health service provided to the individual;
• Information concerning the donation by the individual of any body part or any bodily substance of the individual;
• Information derived from the testing or examination of a body part or bodily substance of the individual;
• Information that is collected in the course of providing health services to the individual, or
• Information that is collected incidentally to the provision of health services to the individual.
Privacy Breach - Actual: includes, but is not limited to:
Accessing patient personal health information when it is not required to provide or maintain
care to a patient or in the performance of duties, for example:
• Accessing one’s own electronic health record directly, rather than by contacting Health Record Services to make arrangements to view the record
• Accessing the health record of an employee, family member, friend, or any other person for whom you do not have a requirement to view the information in order to provide health care or perform work duties
• Accessing any patient information (e.g. address, date of birth, next of kin, etc.) of an employee, family member, friend, or any other person for whom you do not have a
requirement to view the information in order to provide health care or perform work
duties
Disclosing patient information:
• Without the appropriate consent, e.g. to a lawyer or insurance company
• To another employee or affiliate who does not require access to the information to perform his or her job functions
• By discussing it within hearing range of other people who do not require access to the information to perform their job functions
• By faxing or mailing it to the wrong recipient in a private home or business
Leaving patient information in unattended or unsecured locations where it may be accessed by
unauthorised persons. For example:
• Leaving patient reports, charts, or worksheets that contain patient-identifying information in a public area
• Leaving access to electronic patient information unattended on an open login
• Storing electronic patient-identifying information on portable information devices or unsecure drives, e.g. hard drives, that have not been encrypted
• Theft of electronic devices that contain patient-identifying information
• Loss of hard copy records or other patient-identifying information
Privacy Breach - Potential: occurs when an individual’s personal health information is at high risk of being
accessed, used or disclosed inappropriately. A potential privacy breach includes, but is not limited to,
situations in which:
• A patient alerts a care provider or the Privacy Officer that an employee or affiliate may have accessed information about him/her inappropriately
• A patient requests additional security measures for his or her personal health information.
Privacy Breach - Suspected: occurs when there has been an allegation of a privacy breach, but the
allegations have not yet been substantiated or refuted by investigation.
REFERENCES
Policies/Guidelines:
Acceptable Use of Information Technology Resources
Access to Personal Health Information for Research, Education and Quality Assurance
Confidentiality Policy
Privacy Policy
Security of Confidential Information Policy
Legislation, other resources:
Personal Health Information Protection Act, 2004 (link to http://www.elaws.gov.on.ca/DBLaws/Statutes/English/04p03_e.htm)
Public Hospitals Act, 1990 (as amended) (link to http://www.elaws.gov.on.ca/DBLaws/Statutes/English/90p40_e.htm)
Regulated Health Professions Act, 1990 (as amended) (link to http://www.elaws.gov.on.ca/html/statutes/english/elaws_statutes_91r18_e.htm)
Professional Standards:
College of Medical Laboratory Technologists of Ontario (link to http://www.cmlto.com/whats_new/key_issues/default.asp?articleID=966)
College of Nurses of Ontario, Standards of Practice - Confidentiality and Privacy - Personal Health
Information (link to http://www.cno.org/docs/prac/41069_privacy.pdf)
College of Occupational Therapists (select practice standards/Guidelines/Position Statements, Practice
Guideline: Client Records) (link to www.coto.org/resource/default.asp)
College of Pharmacists of Ontario (link to
http://www.ocpinfo.com/client/ocp/ocphome.nsf/web/Privacy)
College of Physicians and Surgeons of Ontario-Confidentiality and Access to Patient Information (link to
http://www.cpso.on.ca/Policies/confidentiality.htm)
College of Physiotherapists of Ontario-Privacy Code (link to
http://www.collegept.org/college/content/pdf/en/Privacy_Code.pdf)
College of Psychologists of Ontario (link to http://www.cpo.on.ca/members-of-thecollege/index.aspx?id-1206)
College of Social Workers and Social Service Workers - Privacy Toolkit (link to
http://www.ocswssw.org/sections/pdf/PHIPA_Toolkit_Final_Web.pdf)
Approved by:
Original Effective Date:
Revised Date:
Reviewed Date: