Part 4 – Breach of Personal Health Information
What is a privacy breach?
- A privacy breach is any unauthorized collection, use, access to or disclosure of PHI, for example a misdirected fax or email.
- See Privacy Breach of PHI Notification Procedure for further information.
Examples of breaches:
- misdirected information (wrong phone, email or fax)
- unauthorized access to health records (snooping)
- improper storage or destruction of records
- loss or theft of devices (laptops, USB sticks, mobile phones)
Key Point
When you suspect a privacy breach
What do you do?
- Contain
  - Take immediate steps to contain the breach. For example:
    - If PHI was inadvertently disclosed to another individual, retrieve the hard copies of the PHI that were disclosed, ensure that no copies (electronic or physical) of the PHI have been made or retained by the individual, and obtain the individual’s contact information in case follow-up is required.
    - Determine whether the privacy breach would allow unauthorized access to any other PHI (e.g. an electronic information system) and take whatever steps are appropriate (e.g. change passwords or identification numbers, and/or temporarily shut down a system).
- Immediately inform
  - Your manager, and
  - Your manager informs the Manager, Privacy & Records Management, at Privacy@Brocku.ca and mhansen@Brocku.ca
- Complete the PHI Privacy Breach Form
  - Staff: complete PART A of the Form and forward it to your manager.
  - Manager: complete PART B of the Form and forward it to the Manager, Privacy & Records Management.
What does Brock do?
- Contains the breach
- Assesses the risks
- Determines the severity of the breach
- Investigates the cause of the breach
- Notifies affected individuals
- Implements any recommendations to prevent another breach
- Reports to the Information and Privacy Commissioner of Ontario
The University’s Privacy Breach of PHI Notification Procedure sets out when a privacy breach will be reported to the Information and Privacy Commissioner of Ontario.
A privacy breach may cause substantial personal harm to the affected individuals, and may also result in financial and reputational harm to the employee and the University. So whenever you handle PHI, remember to do so appropriately.
If information is released or accessed without consent and the disclosure is not permitted by PHIPA, this is considered a breach.
Potential consequences of a breach under PHIPA
As of January 1, 2024, an individual found guilty of committing an offence under PHIPA can be liable for a fine of up to $50,000. An organization can be liable for a fine of up to $500,000.
Beyond PHIPA-related penalties, a breach could lead to:
- Loss of your reputation
- Loss of your career (administrative action up to termination of employment)
- Disciplinary action by your professional college
- A civil lawsuit with additional financial penalties
- Loss of trust between patient and health care provider
Tips to prevent a privacy breach:
- Adhere to the PHIPA training and the Confidentiality Agreement, which outline the privacy protection provisions of PHIPA.
- Safeguard PHI when it is physically removed from the office or facility. Ensure that all laptops and personal devices are password protected and that the data on them is encrypted.
- Ensure that no more PHI is collected, used or disclosed than is reasonably necessary; limiting the PHI you hold proactively lessens the impact of any privacy breach.
- Do not collect, use or disclose PHI if other information will serve the intended purpose.
Note: Logging and auditing are in place on electronic systems containing health records. Access to these systems may be audited.
Learn More
- Privacy Breach of PHI Notification Procedure
- PHI Privacy Breach Form
- ITS Encryption Tools
- IPC: Responding to a Health Privacy Breach: Guidelines for the Health Sector