Key Questions: What is a privacy breach? How should my organization proceed when faced with a privacy breach? How can we prevent future breaches?
The Personal Health Information Protection Act, 2004 (the Act) sets out the rules that persons or organizations defined as “health information custodians” must follow when collecting, using, disclosing, retaining and disposing of personal health information.
The rules recognize the unique character of personal health information as one of the most sensitive types of personal information that is frequently shared for a variety of purposes, including care and treatment, health research, and managing our publicly funded health care system.
The Act balances individuals’ right to privacy with respect to their own personal health information with the legitimate needs of health information custodians to collect, use and share this information. With limited exceptions, the Act requires health information custodians to obtain consent before they collect, use or disclose personal health information. The Act also makes health information custodians responsible for the secure storage and destruction of personal health information. In addition, individuals have the right to access and request correction of their own personal health information.
The purpose of this paper is to provide guidance to health information custodians when they are faced with a “privacy breach.”