New PHIPA Decision Demonstrates the Power of Proactive Remediation

The Information and Privacy Commissioner of Ontario’s (the “IPC’s”) January decision, PHIPA Decision 325, communicates that taking corrective and remedial action can assist hospitals, and other health information custodians, in avoiding a formal review under the Personal Health Information Protection Act (“PHIPA”).

Background

In healthcare settings, patient privacy is paramount. PHIPA lays out strict requirements for the collection, use, and disclosure of personal health information, placing responsibility on healthcare providers to protect sensitive data from unauthorized access. Where unauthorized access does occur and certain conditions are met, health information custodians must report the breach to the IPC.

PHIPA Decision 325 centred on a public hospital that identified a privacy breach involving a physician who accessed three patient health records without authorization and, in one case, disclosed personal health information relating to one of those patients to other staff members at the hospital. The facts of this case triggered the hospital’s duty to notify the IPC of the breach at the first reasonable opportunity, as the breach was considered an intentional use or disclosure of personal health information without authority. 

Responding to the Breach

Upon discovering the unauthorized access, the public hospital took a number of steps to respond to the breach:

  1. Containment: The hospital reviewed the audit findings related to the physician’s access to the electronic health records, confirming which records the physician had accessed. The hospital also confirmed that the physician did not make or retain any unauthorized copies of the affected personal health information. 

  2. Investigation: The hospital interviewed the staff members who made the complaint and the physician, reviewed relevant patient health records, and audited the physician’s electronic health records accesses. The investigation revealed that the physician believed that his access was permissible, as he believed that he was refreshing himself on prior patient encounters and their associated family relationships.

  3. Remediation: The hospital provided coaching and education to the physician regarding privacy obligations under PHIPA. The hospital also took the following remedial steps to enhance the hospital’s privacy practices:

a. reviewed and updated relevant policies, procedures, and agreements, with a focus on enhancing privacy training, awareness, and risk management;

b. launched a new privacy e-learning module for all agents, which includes an annual confidentiality agreement called the “privacy pledge”;

c. facilitated a privacy discussion with ICU staff; and

d. incorporated annual privacy training, including the circumstances of this case, into the annual physician credentialing process.

  4. Notification: Finally, the hospital notified the affected individuals.

Effect of Remedial Measures

The decision notes that, at the time of the privacy breaches, the hospital’s physicians were not required to complete annual privacy training, and the hospital’s confidentiality agreements and disciplinary policies did not fully comply with the IPC’s guidance. The Adjudicator wrote that these shortcomings were reflected in the physician’s mistaken belief about his permitted access to patient records, and limited the hospital’s ability to effectively prevent and deter unauthorized access to personal health information.

Despite this, given that the hospital took considerable corrective measures and made improvements to its privacy practices, including its privacy training and awareness for staff, the Adjudicator was satisfied that the hospital had taken reasonable steps to both address the breaches at hand and reduce the risk of similar breaches from occurring in the future. The Adjudicator therefore did not order a review under s. 58(1) of PHIPA, and the file was closed without publication of the name of the hospital or the individual physician. 

Key Takeaways

This decision underscores the importance of acting quickly to contain and investigate a privacy breach. In addition, this decision communicates that the IPC responds favourably to health information custodians that learn from their mistakes and implement systemic changes. Taking proactive remedial measures where necessary, such as providing privacy education and updating privacy policies, can go a long way in fostering a culture of privacy and preventing repeat incidents.

If your organization could benefit from a review of privacy practices or from privacy training, please contact us.
