1. Report the breach to the Health Information Custodian (HIC).
2. Follow the privacy breach protocol and attempt to locate the lost file or contain the privacy breach.
3. The HIC must notify the patient of the privacy breach, the steps taken to contain the breach or locate the list file, and the fact that they may make a complaint to the Information and Privacy Commissioner of Ontario.
4. You and the HIC should determine whether the privacy policies and processes of the organization were followed.
5. Determine if this is a one-time occurrence or if it is part of a pattern of errors, what the impact on the patient could be, and whether the breach could happen again.
6. Document the findings of the review.
7. Notify the Information and Privacy Commissioner of Ontario if the breach meets their reporting threshold. If the loss or breach is a one-time occurrence, was not intentional and not a pattern of errors, the matter can likely be internally managed.
8. Debrief the issues with your team. Share the lessons learned so that you can build a positive culture around privacy safeguards in your workplace.