I’m Kate Dewhirst.

I’m a lawyer who writes about legal issues affecting healthcare in Canada

Kate Dewhirst Health Law - bringing the law to life.

Start keeping track of all privacy breaches – Report due March 2019


Just a reminder that as of January 1, 2018, if you are a health information custodian, you need to start keeping track of certain information relating to privacy breaches.

The Information and Privacy Commissioner of Ontario released guidelines that will come into effect March 2019 but require you to start tracking certain kinds of privacy breaches now.

Click here for the Annual Reporting of Privacy Breach Statistics to the Commissioner guidelines.

Starting January 1st, Ontario’s healthcare organizations (all those who are health information custodians) will need to keep track of the following:

  • Number of incidents where personal health information was stolen
    • by an internal party
    • by a stranger
    • by a ransomware attack or other cyber attack
    • on an unencrypted portable electronic device
    • in paper format
  • Number of incidents where personal health information was lost
    • due to ransomware attack or other cyber attack
    • on an unencrypted portable electronic device
    • in paper format
  • Number of incidents where personal health information was used without authority
    • through electronic systems
    • through paper records
  • Number of incidents where personal health information was disclosed without authority
    • through misdirected faxes
    • through misdirected emails

There are additional details required to capture the number of individuals affected in each category. Check the guidelines for the categories – and just keep track of general numbers of people affected.

NOTE: Privacy breaches should be counted once even if they would otherwise fit multiple categories.

An annual report is then due to the IPC before March 2019.

Bottom Line: All health information custodians (including individual physicians or clinicians in sole practice) must start to track these details starting January 1st, 2018.

The IPC has an online statistics reporting form that will become available in 2019. In the meantime, keep an Excel spreadsheet with your statistics.

