According to new rules under the Personal Health Information Protection Act (PHIPA), health information custodians in Ontario are now required to report statistics relating to health privacy breaches annually to the Information and Privacy Commissioner of Ontario’s (IPC) office, which oversees compliance with PHIPA.


A Health Information Custodian (HIC) is responsible for collecting, using and disclosing personal health information on behalf of clients.  A HIC is generally the institution, facility or private practice health practitioner that provides health care to an individual.  Examples of health information custodians include health care practitioners such as doctors, nurses, pharmacists, speech-language pathologists, chiropractors, dental professionals including RDTs, dietitians, medical laboratory technologists, massage therapists, midwives, occupational therapists, opticians and physiotherapists.


What is a Privacy Breach?

Under PHIPA, a privacy breach is the unauthorized use, disclosure, loss, or theft of personal health information. This includes situations such as; the viewing of health records by someone who is not allowed to view those records, loss of health records or a USB key containing health information, a briefcase with patient files stolen from someone’s car or disclosure of health information without authority.  The full list of reportable breaches can be found in s. 6.3 of Ontario Regulation 224/17 made under PHIPA.

Statistical reports submitted will set out the number of times in 2018 that personal health information held by a health information custodian was stolen, lost, used without authority and/or disclosed without authority. The other sections of the report will focus on the cause of the breach and the number of individuals affected. The report does not ask for personal health information.

If you are a health information custodian and have experienced a privacy breach in 2018 (from January to December) you must comply with the law and submit a report by the March 1, 2019 deadline.  However, health information custodians that have zero health privacy breaches to report for 2018 should not submit a statistical report.


How to report

An online statistics submission website  is open for health information custodians across Ontario to submit their statistics for the 2018 reporting year. The deadline to submit is Friday, March 1, 2019.

To access the statistics submission website and set up your login ID, please email with your contact information.



Personal Health Information Protection Act, 2004

Annual Reporting of Privacy Breach to the Commissioner

Website of the Information and Privacy Commission of Ontario