Report a privacy breach
Under subsection 12(3) and clause 55.5(7)(b) of the Personal Health Information Protection Act (the act) and its related regulation, custodians must notify the Information and Privacy Commissioner of Ontario (IPC) at the first reasonable opportunity about certain privacy breaches.[1]
As a custodian, you must report breaches to the IPC in seven categories described in the regulation and summarized below. The categories are not mutually exclusive; more than one can apply to a single privacy breach. If at least one of the situations applies, you must report it. The following is a summary — for the complete wording of the regulation, see the Regulations webpage.
It is important to remember that even if you do not need to notify the IPC, you have a separate duty to notify individuals whose privacy has been breached under subsection 12(2) or clause 55.5(7)(a) of the act.[2]
Situations where you must notify the IPC of a privacy breach
Unauthorized collection by means of the EHR
Custodians may collect, use, and disclose personal health information by means of the electronic health record (EHR) according to the rules set out in Part V.1 of the act.
In the EHR context, custodians must comply with the breach notification requirements set out elsewhere in the act, as well as an additional requirement: if personal health information is collected without authority by means of the EHR, the custodian responsible for the collection must, in certain circumstances, notify the IPC. That is, if the unauthorized collection by means of the EHR had been a use or disclosure under any of the seven circumstances described on this page, the custodian must notify the IPC at the first reasonable opportunity.
For example, one of the circumstances described on this page is that the use or disclosure is part of a pattern. This means that the custodian must notify the IPC if an unauthorized collection by means of the EHR is part of a pattern.
Annual report to the commissioner
By March 1, custodians are required to provide the IPC with an annual report of the previous calendar year’s statistics.[3] Note that these statistics include privacy breaches that did not meet the threshold for reporting the breach to the IPC. For more information about submitting annual statistics, please see Annual Reporting of Privacy Breach Statistics to the Commissioner.
[1] Under subsection 18.10(1) of the regulation, a coroner to whom Ontario Health provides personal health information under subsection 55.9.1(1) of the act must, with respect to that information, comply with a number of obligations as if the coroner were a custodian, including the obligation to notify the IPC of the breaches described here.
[2] Or, for coroners, subsection 18.10(1) or clause 18.10(4)(a) of the regulation.
[3] A coroner to whom Ontario Health provides personal health information under subsection 55.9.1(1) of the act must, in respect of that information, comply with this annual statistics requirement, with any necessary modification, as if the coroner were a custodian.