Reporting a Privacy Incident
What is a Privacy Breach?
A privacy breach occurs when personal information or personal health information is accessed, used, or disclosed without proper authorization, violating the individual's right to confidentiality. A breach can be accidental or deliberate and includes the theft, loss, alteration, or destruction of information. It can happen through various means, such as unauthorized access by employees, hacking, or the improper sharing of personal information or personal health information. Such breaches can result in significant consequences for both patients and healthcare organizations, including identity theft, legal liabilities, and loss of trust in the healthcare system. Protecting healthcare privacy is crucial to maintaining patient rights and ensuring the integrity of medical data.
For all information incidents, it’s important to take action as soon as possible. In the event of an information incident, follow these steps:
| Steps | Description |
| --- | --- |
| 1. Contain the Privacy Breach | Team members who witness or come across a potential or actual privacy incident must contain it where possible (e.g., stopping the unauthorized practice, gathering loose papers). The team member's manager should be notified immediately so they can manage the issue. |
| 2. Report the Privacy Incident | Team members and the manager report the privacy incident using the Privacy Incident Report Form. |
| 3. Evaluate the Risks | How many individuals are affected by the breach? Who was affected (e.g., employees, customers, patients, clients, contractors, service providers, or other organizations)? Evaluate what information was compromised (e.g., name, Health Services Number, demographics), how it was accessed, and whether any harm was caused. The level of formality of the investigation will depend on the seriousness of the incident. |
| 4. Internal and External Notifications | Privacy and the manager will determine who may need to be aware of the incident: |
| 5. Notification to Affected Individuals | How notification is provided will largely depend on the circumstances of the breach. Work with the Privacy Officer assigned to the investigation. When providing individual notice, direct contact (ideally by mail and/or phone) is the suggested approach. When multiple parties are being informed, the same details should be provided consistently to every individual. Affected parties should be offered the option of receiving the information in writing. Notes of phone calls, copies of written correspondence, and information on any follow-up should be documented and included in the investigation file. |
| 6. Preventing Similar Incidents | Based on the findings and recommendations of the investigation, changes may need to be implemented to: |