Start keeping track of all privacy breaches – Report due March 2019
Just a reminder that as of January 1, 2018, if you are a health information custodian, you need to start keeping track of certain information relating to privacy breaches.
The Information and Privacy Commissioner of Ontario released guidelines that will come into effect March 2019 but require you to start tracking certain kinds of privacy breaches now.
Click here for the Annual Reporting of Privacy Breach Statistics to the Commissioner guidelines.
Starting January 1st, Ontario’s healthcare organizations (all those who are health information custodians) will need to keep track of the following:
- Number of incidents where personal health information was stolen
  - by an internal party
  - by a stranger
  - by a ransomware attack or other cyber attack
  - on an unencrypted portable electronic device
  - in paper format
- Number of incidents where personal health information was lost
  - due to ransomware attack or other cyber attack
  - on an unencrypted portable electronic device
  - in paper format
- Number of incidents where personal health information was used without authority
  - through electronic systems
  - through paper records
- Number of incidents where personal health information was disclosed without authority
  - through misdirected faxes
  - through misdirected emails
There are additional details required to capture the number of individuals affected in each category. Check the guidelines for the categories – and just keep track of general numbers of people affected.
NOTE: Privacy breaches should be counted once even if they would otherwise fit multiple categories.
An annual report is then due to the IPC before March 2019.
Bottom Line: All health information custodians (including individual physicians or clinicians in sole practice) must start to track these details starting January 1st, 2018.
The IPC has an online statistics reporting form that will become available in 2019. In the meantime, keep an Excel spreadsheet with your statistics.