Health Privacy Breach Statistical Report – FAQ

Do I have to submit a health privacy breach statistics report?

Yes, if you are both a health information custodian and a FIPPA/MFIPPA institution whether you have experienced health breaches or not.

Yes, if you are a health information custodian and have experienced health breaches.

No, if you are a health information custodian and have experienced 0 (zero) breaches.

How do I submit my health privacy breach statistics?

You must submit your report online at

How do I do it?

Use the workbook and guide posted on the statistics website. It has all the instructions for submitting your health privacy breach statistics.

What is the deadline for submitting my statistics?

All reports must be submitted by March 1, 2019.

Can I fill out the workbook and mail or fax it to the IPC?

No. Fax or mailed copies will not be accepted. The questionnaire must be filled out online at

Where do I get a login for the statistics website?

Email to request login identification, which you can then use to set your password.

I already have a login id and password for the statistics I submitted under FIPPA/MFIPPA and my PHIPA report. Do I need a separate login for submitting health privacy breach statistics?

Not necessarily.

You have three options for logging in:

  1. Use a single login id and password to submit your FIPPA/MFIPPA report, your PHIPA access report and your PHIPA privacy breach statistics report. Having a single login id and password is convenient if the same person will be submitting all three reports.
  2. One login id and password for FIPPA/MFIPPA and a second login id and password for the two PHIPA reports.
  3. Separate logins and passwords for each of the three reports.


The option you choose all depends on the structure of your institution and how you assign statistics reporting. Please indicate in your email to the IPC whether you want a single login id set or two or three separate ones.

We are only subject to PHIPA and not to FIPPA/MFIPPA. We didn’t have any breaches. Do I need to submit anything?

No. If a HIC is only subject to PHIPA and has no breaches to report, then it doesn’t need to submit a breach statistics report.

We are a HIC as well as an institution under FIPPA/MFIPPA, but we have no breaches to report. Do I need to submit a report?

Yes, however in this case you only need to complete part one of the breach statistics report.

Our institution has several health care practitioners on our staff. Do we submit a separate report for each practitioner?

That depends on who is the health information custodian. If your institution is the health information custodian, then the institution submits the report. Alternatively, if the health care practitioner is the custodian, then they would have to submit a report separately, but only if they have experienced one or more breaches.

We had a breach that fit into more than one category of reportable breaches (e.g., the personal health information was stolen, used and disclosed). Do we report once or in each category?

You would report the breach once, under the category that best fits the circumstances of the breach.

Occasionally we have incidents where an employee opens a wrong file by mistake, but quickly realizes the mistake and closes the file (e.g. pulls the wrong paper file off a shelf, or clicks on the wrong name in a list of names on the screen). We didn’t report them to the patient or the IPC. Do we submit these incidents in the annual report?

No, you do not have to report on those kinds of incidents in the annual statistics report.

What about an incident that did not meet the criteria to report to the IPC under Section 6.3 of the Regulation, at the time it happened, but where we did notify the patient?

As a rule of thumb, anything that required notice to a patient under section 12(2) of PHIPA should be included in the statistical report, even if you did not need to report it to the IPC under the Regulation.

Can institutions or HICs see the stats before they go public?

The IPC does not release a preview of its annual report to institutions or HICs before it is published.

Will the IPC include the name of my institution or HIC in health privacy breaches section of the annual report?

No. The IPC’s 2018 annual report will only include statistics related to categories of institutions and HICs and types and numbers of health privacy breaches.

Who can I contact if I need more information or have questions?

If you have any questions, please email or call 416-326-3333 (Toronto) or toll-free at 1-800-387-0073

This post is also available in: French