New guidelines from IPC require Ontario’s healthcare organizations to start tracking privacy breaches in January 2018

The Information and Privacy Commissioner of Ontario (IPC) has released new guidelines that come into effect in March 2019 but require healthcare organizations to start tracking certain kinds of privacy breaches as of January 2018.

The guidelines are titled Annual Reporting of Privacy Breach Statistics to the Commissioner.

Starting January 1st, Ontario’s healthcare organizations (all those who are health information custodians) will need to keep track of the following:

  • Number of incidents where personal health information was stolen
    • by an internal party
    • by a stranger
    • by a ransomware attack or other cyber attack
    • on an unencrypted portable electronic device
    • in paper format
  • Number of incidents where personal health information was lost
    • due to ransomware attack or other cyber attack
    • on an unencrypted portable electronic device
    • in paper format
  • Number of incidents where personal health information was used without authority
    • through electronic systems
    • through paper records
  • Number of incidents where personal health information was disclosed without authority
    • through misdirected faxes
    • through misdirected emails

There are additional details required to capture the number of individuals affected in each category.

An annual report is then due to the IPC before March 2019.

Bottom Line: All health care organizations that are health information custodians must start to track these details starting January 1st, 2018.