September 27, 2017

PHIPA changes – in effect October 1 2017!

Amendments have been made to Ontario’s Personal Health Information & Protection Act (PHIPA), and midwives have new obligations in providing notice to the Information & Privacy Commissioner regarding privacy breaches effective October 1st, 2017.  We’ve updated our Guide to Compliance with PHIPA to add in these new changes so that members can understand what will be required.  The updated guide can be found by clicking here, and you’ll find the changes incorporated on page 15 of the guide.  

PHIPA governs the collection, use and disclosure of personal health information by midwives and other health information custodians practicing within Ontario. The purpose of this guide is to assist midwives in understanding their privacy obligations under PHIPA. While staff at the College is available to answer general inquiries, it is recommended that legal advice be sought with respect to specific issues pertaining to the collection, use and disclosure of personal health information at your place of practice. 

Notice to Commissioner
As of October 1st, 2017
A midwife is required to notify the Information & Privacy Commissioner in the following instances:

  • The midwife has reasonable grounds to believe that the personal health information in their custody or control was used or disclosed without authority by a person who knew or ought to have known that they were using or disclosing the information without authority
  • The midwife has reasonable grounds to believe that the personal health information in their custody or control was stolen
  • The midwife has reasonable grounds to believe that after an initial loss or unauthorized use or disclosure of personal health information in their custody or control, the personal health information was or will be further used or disclosed without authority
  • The loss or unauthorized use or disclosure of the personal health information is part of a pattern of similar losses or unauthorized uses or disclosure of personal health information in the custody or control of the midwife
  • The midwife is required to give notice to the College in accordance with s. 17.1 of PHIPA, including the following:
    • The midwife is acting as health information custodian and a member of the College employed by them, who holds privileges with them, or who is affiliated with them has committed or is suspected of having committed an unauthorized collection, use, disclosure, retention or disposal of personal health information and if, as a result of such unauthorized action, disciplinary action is taken with respect to the member’s employment, privileges or affiliation. This also applies to cases where a member voluntarily relinquishes their privileges/affiliations or resigns.
    • The midwife is acting as health information custodian and is a medical officer of health of a board of health and circumstances similar to those described above arise involving a member of the College who is employed to provide health care for the board of health and is an agent of the health information custodian.
  • The midwife has determined that the loss or unauthorized use or disclosure of personal health information is significant after considering all relevant circumstances, including:
    • Whether the personal health information is sensitive
    • Whether the loss or unauthorized use or disclosure involved many individuals’ personal health information
    • Whether more than one health information custodian or agent was responsible for the loss or unauthorized use or disclosure

Annual Report to Commissioner
Beginning 2019, on or before March 1st of each year, a midwife is required to provide the Commissioner an electronic report that sets out the number of times in the previous calendar year that each of the following occurred:

  • Personal health information in the midwife’s custody or control was stolen
  • Personal health information in the midwife’s custody or control was lost
  • Personal health information in the midwife’s custody or control was used without authority
  • Personal health information in the midwife’s custody or control was disclosed without authority