Privacy Breach Reporting: Rule Changes up the Ante

New rule changes to Canada’s federal private sector privacy law — including physician practices — came into effect on November 1, 2018.

And while it will be difficult for the Office of the Privacy Commissioner of Canada to assess, advise on and enforce the new reporting requirements, given the number of businesses across the country that are covered by the regulations, Commissioner Daniel Therrien considers them “a step in the right direction.”

But what does this mean for you and your medical practice?

Well, the privacy issues themselves haven’t changed, but your obligations to report them have. Certain breaches of security safeguards must be reported to both the Commissioner’s office and to individuals or other groups that are affected.

For physicians who store medical records electronically, or outsource to a transcription service, ensuring a secure connection with their company of choice is an important detail.

Organizations subject to the Personal Information Protection and Electronic Documents Act must:

  • Report to the Privacy Commissioner’s office any breach of security safeguards where it creates a “real risk of significant harm”;
  • Notify individuals affected by a breach of security safeguards where there is a real risk of significant harm;
  • Keep records of all breaches of security safeguards that affect the personal information under their control; and
  • Keep those records for two years.

Why did these additional responsibilities come to pass, after public consultation and review of 20 submissions from various sectors on a draft version? It’s all about incentive … or rather, fear of repercussions.

“The number and frequency of significant data breaches over the past few years have proven there’s a clear need for mandatory reporting,” said Commissioner Therrien. “Mandatory breach reporting and notification will create an incentive for organizations to take security more seriously and bring enhanced transparency and accountability to how organizations manage personal information.”

The Office of the Privacy Commissioner of Canada has published guidance to help businesses comply with the new requirements as well as a new reporting form. But stay tuned for Parts 2, 3 and 4 in our Privacy Breach Reporting blog series for a breakdown of the important ins and outs of the changes.

Next up: Assessing the risk of significant harm

2Ascribe Inc. is a medical transcription services agency located in Toronto, Ontario, Canada, providing medical transcription services to physicians, clinics and other healthcare providers across Canada. Our medical transcriptionists take pride in the quality of your transcribed documents. WEBscribe is our client interface portal for document management. 2Ascribe continues to implement and develop technology to assist and improve the transcription process for physicians and other healthcare providers, and recently introduced AUTOfax. AUTOfax works within WEBscribe to automatically send faxes to referring physicians when a document is signed off by the healthcare professional. As a service to our clients and the healthcare industry, 2Ascribe offers articles of interest to physicians and other healthcare professionals, medical transcriptionists and office staff, as well as of general interest. Additional articles may be found at
