Privacy breach protocol

The IPC strongly recommends that you develop a privacy breach protocol. As a custodian, you must take immediate action upon learning of a privacy breach. The following steps may need to be carried out simultaneously and in quick succession in the event of a privacy breach.


STEP 1: IMMEDIATELY IMPLEMENT PRIVACY BREACH PROTOCOL

  • Notify all relevant staff of the breach, including your Chief Privacy Officer or PHIPA contact person, and determine who else from within your organization should be involved in addressing the breach.
  • Develop and execute a plan designed to contain the breach and notify those affected.


STEP 2: NOTIFY THE IPC IF REQUIRED

  • Determine if you are required to report the breach to the IPC. You are required to report breaches to the IPC under the circumstances set out in the PHIPA regulation; these circumstances are described in Reporting a Privacy Breach to the IPC: Guidelines for the Health Sector.
  • If you are required to report the breach to the IPC, do so at the first reasonable opportunity, either online or by mail.

 

STEP 3: STOP AND CONTAIN THE BREACH

Identify the scope of the breach and take the necessary steps to contain it, including:

  • Retrieve and secure any personal health information that has been disclosed.
  • Ensure that no copies of the personal health information have been made or retained by the individual who was not authorized to receive the information. Their contact information should be obtained, in the event that follow-up is required.
  • Determine whether the privacy breach would allow unauthorized access to any other personal health information (e.g. an electronic information system) and take necessary steps, such as changing passwords, identification numbers and/or temporarily shutting your system down.


STEP 4: NOTIFY THOSE AFFECTED BY THE BREACH

You must take the necessary steps to notify those individuals whose privacy was breached, including:

  • Identify all affected individuals and notify them of the breach at the first reasonable opportunity. PHIPA does not specify the manner in which notification must be carried out. For example, notification can be by telephone or in writing or depending on the circumstances, a notation made in the individual’s file to be discussed at his/her next appointment. There are numerous factors that may need to be taken into consideration when deciding on the best form of notification, such as the sensitivity of the personal health information.
  • When notifying individuals affected by a breach:
    • Provide details of the breach to affected individuals, including the extent of the breach and what personal health information was involved.
    • Advise all affected individuals of the steps that you are taking to address the breach, and that they are entitled to make a complaint to the IPC. If you have reported the breach to the IPC, advise them of this fact.
    • Provide contact information for someone within your organization who can provide additional information, assistance, and answer questions.

Note: If you are a custodian who is a researcher and have received personal health information for research purposes from another custodian, you must not notify an individual to whom the personal health information relates, unless you are informed that the individual has given consent to being contacted.


STEP 5: INVESTIGATION AND REMEDIATION

You will be expected to conduct an internal investigation, including:

  • Ensure that the immediate requirements of containment and notification have been met.
  • Review the circumstances surrounding the breach.
  • Review the adequacy of your existing policies and procedures in protecting personal health information.
  • Ensure all staff are appropriately educated and trained with respect to compliance with the privacy protection provisions of PHIPA.

For more information, refer to our guidance document, Responding to a Health Privacy Breach: Guidelines for the Health Sector.

This post is also available in: French