What privacy laws govern my practice?
Occupational therapists and other regulated health professionals providing “health care” for a “health-related purpose” in Ontario need to comply with the Personal Health Information Protection Act, 2004 (PHIPA).
If you engage in commercial activities involving the collection, use or disclosure of personal information outside of Ontario, or if the health services you provide are not considered “health care”, as defined in PHIPA, then you will also need to comply with the federal Personal Information Protection and Electronic Documents Act (PIPEDA).
PIPEDA defines "commercial activity" as any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.
This definition is very broad: activities that do not involve profit-making, or even a profit-making motive, can still be considered commercial activities.
PIPEDA may also apply if you collect, use or disclose information that is personal, but not health information, in the course of commercial activities in Ontario (for example, if you collect a home address and credit card number to process a sale that is unrelated to your duties as a health professional).
Health professionals also need to comply with Canada’s anti-spam legislation, which requires consent to send electronic messages of a commercial nature.
What is a privacy breach?
Under PHIPA, a privacy breach is the unauthorized use, disclosure, loss, or theft of personal health information. This includes the viewing of health records by someone who is not allowed to view those records (known as “snooping”). Other examples include the loss of a USB key containing health information or a briefcase with patient files stolen from someone’s car.
Reporting privacy breaches
Occupational therapists in Ontario need to be aware of reporting obligations under the Personal Health Information Protection Act, 2004 (PHIPA).
Who needs to be notified?
If a breach occurs, the health information custodian (the person responsible for custody and control of the records) needs to notify the affected individual(s) at the first reasonable opportunity. In addition, the law requires the health information custodian to also notify the individual that they can make a complaint about the breach to the Information and Privacy Commissioner of Ontario.
If you are an agent of a health information custodian (for example, if you are a regulated health professional who works for a group practice, a hospital or another regulated health professional), you need to tell the responsible custodian about the breach at the first reasonable opportunity.
Reporting to the Information and Privacy Commissioner
Health information custodians need to report certain serious or deliberate privacy breaches directly to the Information and Privacy Commissioner following their occurrence. The full list of reportable breaches can be found in s. 6.3 of Ontario Regulation 224/17 made under PHIPA: https://www.ontario.ca/laws/regulation/040329#BK9
Additionally, since March 1, 2019, health information custodians must report details of all privacy breaches occurring in the preceding calendar year to the Information and Privacy Commissioner. To facilitate the making of this annual privacy report, a record of all privacy breaches should be maintained. Visit www.ipc.on.ca to learn more about these reporting requirements.
Reporting to regulatory Colleges
PHIPA also requires health information custodians to report certain actions taken in response to privacy breaches to the appropriate regulatory College.
This means that if a health information custodian takes any disciplinary action against an occupational therapist or other member of a College under the Regulated Health Professions Act, 1991, or of the Ontario College of Social Workers and Social Service Workers, because of that professional’s unauthorized collection, use, disclosure, retention or disposal of personal health information, the custodian must report that fact to the professional’s regulatory College. This includes situations where a custodian suspends or terminates the employment of an occupational therapist or other regulated health professional, or revokes or restricts their privileges or business affiliation. It also includes situations where the member resigns in the face of such action.
This notice must be given in writing within 30 days of the disciplinary action or resignation.
This notice requirement under PHIPA overlaps with the mandatory reporting provisions of the Regulated Health Professions Act, 1991, which require employers to report when a member has been terminated or had their privileges or partnership revoked or restricted for reasons of professional misconduct, incompetence or incapacity. Given that each College defines professional misconduct differently, the purpose of the amendments to PHIPA is to make it clear that action taken in response to privacy breaches must be reported to the appropriate regulatory College.
Fines and administrative penalties
Following amendments to PHIPA in March 2020, the maximum fines for privacy offences were again doubled, from $100,000 to $200,000 for individuals and from $500,000 to $1,000,000 for organizations. [Previous amendments to PHIPA in 2016 had doubled the allowable fines from $50,000 to $100,000 for individuals and from $250,000 to $500,000 for organizations.] Also in 2016, the limitation period for prosecutions of privacy offences was removed.
Since March 2020, the Information and Privacy Commissioner is allowed to order a person to pay an administrative penalty if they contravene PHIPA. The purpose of the penalty is to encourage compliance with PHIPA and prevent a person from receiving any economic benefit by contravening PHIPA or its regulations. The amount of the administrative penalty should reflect these purposes, and is to be determined by the Information and Privacy Commissioner in accordance with the regulations under PHIPA.
The Information and Privacy Commissioner is also now allowed to inspect personal health information, without consent, where the Commissioner has reasonable grounds to suspect that the records have been abandoned.
Please contact Practice with any questions at 416.214.1177/1.800.890.6570 x240 or [email protected].
Legislative changes not yet in force
- A framework for a province-wide system of electronic health records was introduced in 2016, but is not yet in force.
- In March 2020, amendments were introduced that will require Health Information Custodians (HIC) who use electronic means to collect, use, disclose, modify, retain or dispose of personal health information to maintain, audit and monitor an electronic log. Section 10.1(4) of PHIPA sets out what information must be stored in the electronic audit log. Once in force, the Information and Privacy Commissioner will also have the power to order production of electronic audit logs from HICs.
- By way of amendment to O. Reg 329/04, a new definition of "de-identify" was introduced in 2020 but is not yet in force; new de-identification standards are to be set out in regulation.
Additional privacy law information and resources