The Information and Privacy Commissioner was in Hamilton, ON on Friday with one of the popular “Reaching Out to Ontario” road shows.

The Commissioner provided an update on Latest Developments at the IPC. Here are some highlights:

• The IPC received 629 health privacy complaints in 2017 – up from 269 in 2006
• The vast majority of complaints are “self-reported breaches” meaning reported by the health information custodian (51% or 324 of 629)
• Of those self-reported breaches – 60 were snooping incidents and 8 were ransomware or cyberattacks
• There have been six people prosecuted under PHIPA (the health privacy legislation) to date (although one file was dropped due to delay)
• Since mandatory reporting of privacy breaches to the IPC was introduced in October 2017, the number of reports to the IPC has more than doubled from previous years

IPC staff also presented on Protecting Personal Health Information, which covered off topics such as:

• Email communications
• Abandoned records
• Unauthorized access – including for education and quality improvement; and dealing with health professionals with privileges
• Point-in-time breach reporting
• Annual breach reporting

In that presentation, they published some interesting stats about breaches reported between October 1 – December 31, 2017:

• There were 125 self-reported breaches in a 3 month period and the breakdown of topics in those breaches was:
• 36.7% misdirected/lost health records
• 24% snooping
• 18.4% unauthorized collection, use or disclosure
• 20.9% stolen, inadequately secured

Always helpful to get a bird’s eye view of health privacy from the IPC.