Amendments to O. Reg. 329/04 Regarding Notices to the Commissioner
Bill or Act:
Personal Health Information Protection Act, 2004
Summary of Proposal:
The following is a summary of the proposed amendments to O. Reg. 329/04:
Notice to Commissioner re: theft, loss, etc.
• A health information custodian would be obligated to report annually to the Commissioner the number of times, in the calendar year, the health information custodian had to notify individuals (in accordance with section 12(2) of PHIPA) of theft(s), loss(es) or of unauthorized use(s) or disclosure(s) of personal health information.
• It would be necessary for the report to be submitted to the Commissioner by March 1 of the following calendar year.
• The first report would be due in 2019.
• After submitting the report to the Commissioner, at the Commissioner's request, a health information custodian would be required to provide the Commissioner with information contained in the notice that was issued to the affected individual(s), and/or any information the custodian relied on in deciding to notify the individual.
Notice to Commissioner, prescribed circumstances
• If approved, the following would be prescribed for purposes of subsection 12(3) as circumstances where health information custodians would be required to notify the Commissioner of a given theft, loss or unauthorized use or disclosure of personal health information:
The custodian has reasonable grounds to believe that the personal health information that was stolen, lost or used or disclosed without authority has been or will be subsequently used or disclosed without authority.
The theft, loss or unauthorized use or disclosure is part of a pattern of similar thefts, losses or unauthorized uses or disclosures of personal health information under the custody or control of the custodian.
The custodian has given notice to a College in accordance with subsection 17.1 (2), (4) or (5) of the Act in respect of a theft, loss or unauthorized use or disclosure of personal health information.
The custodian would have been required to give notice to a College in accordance with subsection 17.1 (2) or (4) of the Act in respect of the theft, loss or unauthorized use or disclosure of personal health information by the custodian's agent if the agent were a member of a College.
The custodian has reasonable grounds to believe that the personal health information was intentionally used or disclosed without authority.
The circumstances do not meet the requirements in any of the preceding paragraphs, and the custodian determines that the theft, loss or unauthorized use or disclosure is significant having regard to all relevant circumstances including,
i. the nature of the personal health information that was stolen, lost or used or disclosed without authority;
ii. the number of records of personal health information that were stolen, lost or used or disclosed without authority;
iii. the number of individuals whose personal health information was contained in the record or records that were stolen, lost or used or disclosed without authority; and
iv. the number of health information custodians or agents responsible for the theft, loss or unauthorized use or disclosure.
• The requirement would take effect on July 1, 2017.
March 10, 2017
Comments Due Date:
May 8, 2017
Eric Sutherland, Director/A
Information Management Strategy and Policy Branch
Health System Information Management Division
1075 Bay Street, 13th floor
Toronto, ON M5S 2B1