- Report a Privacy Breach
- Collection, Use and Disclosure of Personal Health Information
- Responding to a Privacy Breach
- Unauthorized Access
- Access and Correction
- PHIPA Complaint Process
- Safeguarding Personal Health Information
Our PHIPA Processes
TYPES OF PHIPA FILES
The IPC handles four types of files under the Personal Health Information Protection Act (PHIPA).
Access and correction complaint files
We receive and resolve complaints from individuals who have been denied access to, or the correction of, their records of personal health information.
We receive and resolve complaints about PHIPA contraventions, such as unauthorized disclosures of personal health information.
Custodian-reported privacy breaches
We investigate privacy breaches that are reported to us by health information custodians (custodian) to remedy or contain the breach and prevent future occurrences.
We have the authority to initiate our own investigation of potential PHIPA contraventions. For example, we may initiate an investigation if we learn about a privacy breach, such as the discovery of abandoned medical records, even where we learn about it from an unaffected party. Investigations are also conducted when there are large-scale or systemic contraventions of PHIPA, and it would not be practical to address each complaint separately.
STAGES OF OUR PHIPA PROCESS
There are three stages to the IPC’s PHIPA process:
All new files begin at the intake stage, where we:
- collect and clarify the preliminary facts;
- screen the file, for example to ensure it falls within our jurisdiction and determine if it has a reasonable chance of succeeding;
- try to informally and quickly resolve the complaint; and
- close custodian-reported privacy breaches and IPC-initiated files, if we are satisfied with the response to the breach.
After intake, a file either moves on to investigation/mediation or it is closed. If a file is closed, a letter is sent to the parties explaining our decision to close it. We do not publish this letter.
In some cases, urgent files are either adjudicated (decided) at the intake stage or proceed directly to the adjudication stage.
If we receive a complaint, a mediator is assigned to the file to help resolve the issues under dispute. If we initiate our own investigation or receive a breach report from a custodian, an investigator determines whether we are satisfied with the response to the breach. In both circumstances, the investigator/mediator gathers relevant facts.
At the end of the investigation/mediation stage, a file can be:
- consensually resolved, with the terms of resolution confirmed with the parties in a letter that is not published by the IPC;
- transferred to adjudication and accompanied by a report that sets out the facts gathered and issues under dispute; or
- in the case of IPC-initiated files and custodian-reported privacy breaches, closed if we are satisfied with the response of the custodian. This decision is published but generally does not include the names of any of the parties involved.
At this stage, we adjudicate the issues under dispute.
During the adjudication stage:
- The adjudicator decides whether there are reasonable grounds to commence a “review” under PHIPA. If there are none, the adjudicator closes the file and prepares a decision to be published by the IPC (but generally does not name any of the parties).
- If there are reasonable grounds to start a review, the adjudicator issues a Notice of Review, seeking representations—or submissions—on the facts and issues under dispute. After reviewing this information, and any additional facts, the adjudicator decides whether or not to issue an order. The adjudicator’s decision is published and usually names the custodian and any other persons who were party to the review, but generally does not name complainants or other individuals whose personal health information was at issue.
This post is also available in: French