Privacy Breach: To Whom and How to Report

Better safe than sorry is the right way for clinics to approach the new rule changes to Canada’s federal private sector privacy law that came into effect on November 1, 2018.

As the last post in this series suggested, you need to keep a record of every breach, but must report those that involve a real risk of significant harm (RROSH). Most data breaches involving medical records would fall under the RROSH guidelines, which means multiple steps to the reporting process.

Informing Privacy Commissioner

For one, any organization must notify the Office of the Privacy Commissioner of Canada (OPC) following a breach, using a PIPEDA breach report form. That includes a responsibility for personal information it has transferred to a third party for processing — including physicians who use medical transcription services.

Beyond that, individuals also have a need to be notified if affected or potentially affected by the breach. The timing is as open to interpretation as so many aspects of the guidelines, with the OPC requiring that warning be given “as soon as feasible” after a breach of security safeguards that involve a RROSH.

While the ‘when’ is a little loose, the ‘what’ is more concrete.

The individual needs enough information to truly understand the implications of the breach and be able to take any steps possible to reduce the potential impact. The expectation is that the material is easily digestible as well, avoiding legal jargon.

The regulations specifically require a description of the circumstances of the breach; the day or period during which it occurred (or approximate time); a description of the personal information that was accessed; the steps the organization has taken to reduce the risk of harm that could result; the steps affected individuals can take to lessen potential harm; and contact information the patient can use to get more information about the breach.

It must be communicated directly, which includes in person, by phone, mail or email.

Others to involve in the notification process could include the police, or a third-party service, like a provider of medical transcription, when their involvement could help reduce the risk of harm from a breach.


See the remainder of our series of articles on Privacy Breeches at:

Part 1:  Reporting

Part 2:  Real Risk of Harm

Part 3:  Record Breaches


2Ascribe Inc. is a medical transcription services agency located in Toronto, Ontario Canada, providing medical transcription services to physicians, clinics and other healthcare providers across Canada. Our medical transcriptionists take pride in the quality of your transcribed documents. WEBscribe is our client interface portal for document management. 2Ascribe continues to implement and develop technology to assist and improve the transcription process for physicians and other healthcare providers, and recently introduced AUTOfax. AUTOfax works within WEBscribe to automatically send faxes to referring physicians when a document is signed off by the healthcare professional. As a service to our clients and the healthcare industry, 2Ascribe offers articles of interest to physicians and other healthcare professionals, medical transcriptionists and office staff, as well as of general interest. Additional articles may be found at

You might also enjoy

AI Bias

The results created by an AI model can be considered