New notification requirements under PHIPA

Posted by:

Ontario has recently enacted a regulation under PHIPA (Personal Health Information Protection Act) with more notification requirements for “health information custodians”. (O.Reg 224/17 was published June 29, 2017). The regulation comes into force on October 1, 2017.

The new regulation provides guidance on the circumstances in which a health information custodian is required to notify the Information and Privacy Commissioner of the theft, loss or unauthorized use or disclosure of personal health information.  The notice requirement arises when the custodian has reasonable grounds to believe that personal health information was: i) used or disclosed without authority, ii) stolen, iii) or will, if after an initial loss, unauthorized use or disclosure, be further used or disclosed without authority, and/or iv) lost, used or disclosure as part of a pattern of similar losses or unauthorized uses or disclosures.

The regulation also requires health information custodians to submit a yearly electronic report to the Commission which includes the number of times personal health information was stolen, lost or used or disclosed without authority in the previous year.

For more information or advice on compliance, please contact me at:

  Related Posts
  • No related posts found.

You must be logged in to post a comment.