Data Privacy

New Notification and Reporting Requirements under PHIPA – What You Need to Know

Bill 119 introduced amendments to the Personal Health Information Protection Act, 2004 (PHIPA) which took effect in June 2016. Among other changes, the amendments: 

  • Introduce new reporting requirements affecting members of the Ontario College of Social Workers and Social Service Workers (College).
  • Serve to increase patient privacy through enhanced notification protocols in the event of a privacy breach.

In the context of PHIPA, a breach of privacy occurs when the personal health information of an individual is stolen, lost or collected, used or disclosed without authority. The amendments also introduce stiffer penalties for non-compliance and enhanced abilities to prosecute offences under PHIPA. Members of the College should be alert to these changes to ensure that they meet their obligations under applicable privacy legislation. This article highlights some of the key provisions that are relevant for College members.

Notification Requirements

In the event of a health privacy breach, a health information custodian (HIC) is required, with limited exception, to notify the individual(s) affected at “the first reasonable opportunity” of the theft or loss or of the unauthorized use or disclosure of their personal health information. The amendments create the additional requirement that HICs must advise the affected individual(s) of the right to file a complaint with the Information and Privacy Commissioner of Ontario (Privacy Commissioner).

Agents of HICs (who are those persons handling personal health information on behalf of HICs) are required to notify the HIC at “the first reasonable opportunity” if personal health information collected, used, disclosed, retained or disposed of by the agent on behalf of the HIC is lost, stolen or used or disclosed without authority.

The amendments will require HICs, in certain prescribed circumstances, to report health privacy breaches to the Privacy Commissioner, whereas previously there was no requirement that HICs do so. The government has not yet passed regulations with respect to this amendment, however, so until such time as those regulations come into force, reporting to the Privacy Commissioner is not mandatory but may be done on a voluntary basis.

New Requirements: Reporting to Regulatory Colleges

A change which is especially significant to HICs who employ social workers or social service workers is the requirement that they must now file a report with the Ontario College of Social Workers and Social Service Workers¹ in certain instances, regarding health privacy breaches by social workers and social service workers. For example, if a HIC who employs a social worker or social service worker terminates, suspends or disciplines the social worker or social service worker for reasons relating to the employee’s unauthorized collection, use, disclosure, retention or disposal of personal health information, the HIC is required to file a written report to the College within 30 days of the termination, suspension or discipline. This reporting requirement also exists where an employee resigns and the HIC has reasonable grounds to believe that the resignation is related to an investigation or other action by the HIC with respect to an alleged health privacy breach by the employee.

Note: These new reporting requirements under PHIPA do not replace the current mandatory reporting obligations imposed on employers of social workers and social service workers under the Social Work and Social Service Work Act, 1998 to file a written report with the College where the employer terminates, or intends to terminate, the employment of a social worker or social service worker for reasons of professional misconduct, incompetence or incapacity.

Other Changes

The amendments to PHIPA have also introduced the following changes:

  • PHIPA now creates a positive obligation on HICs to protect against the unauthorized collection of personal health information. HICs are now required to “take steps that are reasonable in the circumstances to ensure that personal health information is not collected without authority.” HICs should ensure that policies and administrative, technical and physical safeguards (e.g. restrictions on access to the electronic health record) are revised accordingly and are up to date.
  • The maximum fines for privacy offences have doubled from $50,000 to $100,000 for individuals and from $250,000 to $500,000 for organizations.
  • The 6-month limitation period on commencing prosecutions for offences under PHIPA has been removed.
  • The responsibilities of HICs and agents have been clarified.
  • The definition of the term “use” in PHIPA has been revised so that “use” now means “to view, handle or otherwise deal with the information.”
  • Those provisions in PHIPA relating to the provincial electronic health record system are not yet in force.

Resources for Additional Information

College members may wish to consult these resources for additional information:


1. In the case of a member of a health profession regulated under the Regulated Health Professions Act, 1991, the report must be filed with the respective health college.
