Privacy breach notification – is it mandatory?


We have been receiving a number of questions about the new federal privacy Breach Notification requirements coming on November 1st, and whether it applies to medical clinics in British Columbia.

The reason is that, as of this date, notification will be mandatory for those private sector businesses that must comply with PIPEDA, the Personal Information Protection and Electronic Documents Act. Businesses that must be compliant with PIPEDA, and knowingly violate its new breach notification requirements, may be fined up to CA$100,000 per violation.

What are the implications for private medical clinics in British Columbia? 

In general, if your medical clinic is located in BC, and operates internally within this province, you must comply with BC’s Personal Information Protection Act (PIPA). Assuming this is exclusively the case for your clinic, compliance with PIPEDA, including its new mandatory breach reporting requirements, is not required. However, this does not mean that PIPEDA is not relevant in British Columbia. There are cases where some businesses must, in fact, comply with PIPEDA mandatory breach requirements. If you are wondering whether this applies to you, seek legal advice.

If I know that my clinic only has to be compliant with PIPA, do I need to report a breach?

Essentially, it is your judgement call. But consider the risks of failing to report very carefully. When you make this decision, consider the potential impact to your patients and any other affected individuals. For example:

  • How sensitive was the personal information disclosed or lost to the breach?
  • Was the information fully recovered, without further disclosure?
  • How many people were affected?
  • Could the personal information be used to commit fraud or identity theft? Consider that even partial information is helpful for these purposes, as information from other sources can be merged by the attacker to build a convincing identity profile.
  • Is there a reasonable risk of physical, psychological or financial harm?
  • Is there a risk of harm to the relationship your clinic has with your patients, or to the public?

Consider also the potential for litigation through failure to comply with PIPA, contractual obligations, or other applicable legislation.

Regardless of whether breach notification is mandatory or not, it is important to know what you should do, to protect your patients, and your clinic.

Fortunately there are lots of resources available that can help.

Here is a new resource that has been designed especially for medical clinics in British Columbia:  Guidelines for Responding to a Privacy Breach, from the Doctors of BC Privacy Toolkit.

Some key advice from this document is that:

  • Individuals who are affected by a privacy breach should be notified immediately if it is necessary to avoid or mitigate harms that they could experience as a result of the breach.
  • The determination of whether or not to report the breach to BC’s Office of the Information and Privacy Commissioner (OIPC) should generally be made within two days of the breach.

While PIPA does not currently include an explicit requirement for organizations to report breaches to the OIPC, doing so will assist the practice to demonstrate that it has taken reasonable steps to respond to the privacy breach. It may also be helpful towards resolving a complaint made to the OIPC by someone who may have been affected.

Additional help can be found in an excellent toolkit called Privacy Breaches Tools and Resources, written by the OIPC. It has helpful details on how to respond to a breach, including a breach policy template you can adapt for your clinic, and a procedure checklist that can be printed out and placed in a “policy and procedures binder”, ready to use, in case you need it.

The Doctors Technology Office, at Doctors of BC, is constantly adding new resources, and conducts workshops and webinars to help clinicians protect their offices. We will be writing about some of them in future posts. In the meantime, check their website, or contact them for specific help.

See also our previous post on how to respond to a Privacy Breach, posted last year.

Legal note to all of the above: This is intended for general information only. It is not intended to provide legal or other advice. The key message here is: make sure you have policies and procedures in place, before a privacy breach occurs, that will help you to appropriately notify those who need to be informed.

If you need more information, contact us.