Frequently Asked Questions
A privacy breach occurs when personal health information is stolen, lost or used/disclosed without authority. Examples might include lost or stolen charts, or patient health information erroneously sent to people not involved in their care.
When a privacy breach happens, whether intentional or not, physiotherapists should follow these steps – even if it’s just a single occurrence:
1. Contain the breach and, if you are the agent of the health information custodian (HIC), notify your organization’s HIC and report the breach to them.
2. Health Information Custodians must notify the affected person at the first reasonable opportunity and mention that a complaint may be made to the Information and Privacy Commissioner of Ontario (IPC).
3. You (PT) and the HIC should determine whether your organization’s privacy policies and processes were followed.
4. Next, the HIC must determine:
- If this is a one-time occurrence or if it is part of a pattern of errors
- What the impact on the patient could be
- Whether the breach could happen again
Make note of the findings of the review.
5. The HIC must report the breach to the Information and Privacy Commissioner of Ontario (IPC) if it falls within one of the following seven categories. The categories are not mutually exclusive; more than one can apply to a single privacy breach. If at least one of the situations applies, you must report it. The following is a summary; for complete information, see the regulation.
1. Use or disclosure without authority
2. Stolen information
3. Further use or disclosure without authority after a breach
4. Pattern of similar breaches
5. Disciplinary action against a college member
6. Disciplinary action against a non-college member
7. Significant breach
Note: Not all privacy breaches need to be reported to the IPC. For example, if a lost chart was a one-time occurrence, not intentional and not part of a pattern, the matter can be managed internally.
6. Debrief the issues with your team. Share the lessons learned so you can build a positive culture around privacy safeguards in your workplace.