TORONTO, ON (September 28, 2017) – Ontario’s Information and Privacy Commissioner (IPC) has released a guidance document called “Reporting a Privacy Breach to the Commissioner: Guidelines for the Health Sector” to support recent amendments to the Personal Health Information Protection Act (PHIPA).  Under section 12(3) of PHIPA and its related regulation, effective October 1, 2017, health information custodians (such as hospitals, medical offices, and others who deal with patient health information) will be required to report certain privacy breaches to the IPC.

The new guidance document will assist healthcare organizations and professional to understand the new amendments and when to notify the IPC of a privacy breach.

The guidelines are available on the IPC website in both HTML and PDF format at:

The new amendments to PHIPA will also require health information custodians to track privacy breach statistics starting January 1, 2018, and provide the IPC with an annual report of the previous calendar year’s statistics, starting in March 2019. Further guidance on these statistical reporting requirements will be released later this fall.


“Patients deserve to know that their health information is not being accessed inappropriately and that their privacy is being protected, so I’m pleased to see this amendment come into effect. The guidance document developed by my office will help people who work with health information to understand their duties and responsibilities to ensure that sensitive information is protected, as well as to improve accountability and transparency in Ontario’s health care system.”
– Brian Beamish, Commissioner

Additional Resources

Media Inquiries