The IPC strongly recommends that you develop a privacy breach protocol. As a custodian, you must take immediate action upon learning of a privacy breach. The following steps may need to be carried out simultaneously and in quick succession in the event of a privacy breach.
STEP 1: IMMEDIATELY IMPLEMENT PRIVACY BREACH PROTOCOL
- Notify all relevant staff of the breach, including your Chief Privacy Officer or PHIPA contact person, and determine who else from within your organization should be involved in addressing the breach.
- Develop and execute a plan designed to contain the breach and notify those affected.
- It is also highly recommended that you contact the IPC and provide our office with details of what happened.
STEP 2: STOP AND CONTAIN THE BREACH
Identify the scope of the breach and take the necessary steps to contain it, including:
- Retrieve and secure any personal health information that has been disclosed.
- Ensure that no copies of the personal health information have been made or retained by the individual who was not authorized to receive the information. Their contact information should be obtained, in the event that follow-up is required.
- Determine whether the privacy breach would allow unauthorized access to any other personal health information (e.g. an electronic information system) and take necessary steps, such as changing passwords, identification numbers and/or temporarily shutting your system down.
STEP 3: NOTIFY THOSE AFFECTED BY THE BREACH
You must take the necessary steps to notify those individuals whose privacy was breached, including:
- Identify all affected individuals and notify them of the breach at the first reasonable opportunity. PHIPA does not specify the manner in which notification must be carried out. For example, notification can be by telephone or in writing, or depending on the circumstances, a notation made in the individual’s file to be discussed at his/her next appointment. There are numerous factors that may need to be taken into consideration when deciding on the best form of notification, such as the sensitivity of the personal health information.
- When notifying individuals affected by a breach:
- Provide details of the breach to affected individuals, including the extent of the breach and what personal health information was involved.
- Advise all affected individuals of the steps that you are taking to address the breach, and that they are entitled to make a complaint to the IPC. If you have reported the breach to the IPC, advise them of this fact.
- Provide contact information for someone within your organization who can provide additional information, assistance and answer questions.
Note: If you are a custodian who is a researcher and have received personal health information for research purposes from another custodian, you must not notify an individual about whom the personal health information relates, unless you are informed that the individual has given consent to being contacted.
STEP 4: INVESTIGATION AND REMEDIATION
You will be expected to conduct an internal investigation, including:
- Ensure that the immediate requirements of containment and notification have been met.
- Review the circumstances surrounding the breach.
- Review the adequacy of your existing policies and procedures in protecting personal health information.
- Ensure all staff are appropriately educated and trained with respect to compliance with the privacy protection provisions of PHIPA.
For more information, refer to our guidance document, Responding to a Health Privacy Breach: Guidelines for the Health Sector.
WHAT HAPPENS WHEN THE IPC INVESTIGATES A BREACH?
When investigating a privacy breach, the IPC may, depending on the circumstances:
- Ensure any issues surrounding containment and notification have been addressed.
- Interview individuals involved with the privacy breach or individuals who can provide relevant information.
- Receive representations from individuals whose privacy has been breached.
- Obtain and review your position on the privacy breach.
- Ask for a status report of any actions that you have taken.
- Review and provide input and advice on your current information management policies and procedures.
- Issue a PHIPA Decision that may contain recommendations and/or orders that require proof of compliance.