You're using an outdated browser. This website will not display correctly and some features will not work.
Learn more about the browsers we support for a faster and safer online experience.

Français

ontario regulation 224/17

made under the

Personal Health Information Protection Act, 2004

Made: June 28, 2017
Filed: June 29, 2017
Published on e-Laws: June 29, 2017
Printed in The Ontario Gazette: July 15, 2017

Amending O. Reg. 329/04

(GENERAL)

1. Ontario Regulation 329/04 is amended by adding the following sections:

Notice to Commissioner, subs. 12 (3) of the Act

6.3 (1) The following are the circumstances in which a health information custodian is required to notify the Commissioner for the purposes of subsection 12 (3) of the Act:

1. The health information custodian has reasonable grounds to believe that personal health information in the custodian’s custody or control was used or disclosed without authority by a person who knew or ought to have known that they were using or disclosing the information without authority.

2. The health information custodian has reasonable grounds to believe that personal health information in the custodian’s custody or control was stolen.

3. The health information custodian has reasonable grounds to believe that, after an initial loss or unauthorized use or disclosure of personal health information in the custodian’s custody or control, the personal health information was or will be further used or disclosed without authority.

4. The loss or unauthorized use or disclosure of personal health information is part of a pattern of similar losses or unauthorized uses or disclosures of personal health information in the custody or control of the health information custodian.

5. The health information custodian is required to give notice to a College of an event described in section 17.1 of the Act that relates to a loss or unauthorized use or disclosure of personal health information.

6. The health information custodian would be required to give notice to a College, if an agent of the health information custodian were a member of the College, of an event described in section 17.1 of the Act that relates to a loss or unauthorized use or disclosure of personal health information.

7. The health information custodian determines that the loss or unauthorized use or disclosure of personal health information is significant after considering all relevant circumstances, including the following:

i. Whether the personal health information that was lost or used or disclosed without authority is sensitive.

ii. Whether the loss or unauthorized use or disclosure involved a large volume of personal health information.

iii. Whether the loss or unauthorized use or disclosure involved many individuals’ personal health information.

iv. Whether more than one health information custodian or agent was responsible for the loss or unauthorized use or disclosure of the personal health information.

(2) In this section,

“College” means a College as defined in subsection 17.1 (1) of the Act.

Annual report re: theft, loss, etc.

6.4 (1) On or before March 1 in each year starting in 2019, a health information custodian shall provide the Commissioner with a report setting out the number of times in the previous calendar year that each of the following occurred:

1. Personal health information in the custodian’s custody or control was stolen.

2. Personal health information in the custodian’s custody or control was lost.

3. Personal health information in the custodian’s custody or control was used without authority.

4. Personal health information in the custodian’s custody or control was disclosed without authority.

(2) The report shall be transmitted to the Commissioner by the electronic means and format determined by the Commissioner.

Commencement

2. This Regulation comes into force on the later of October 1, 2017 and the day it is filed.

 

Français