Keeping records is nothing new for clinics, hospitals and physicians, who store all kinds of data either electronically or in paper files. But never before has it been more important for a clinic to keep records of any breaches in security safeguards where that personal patient information may be accessed by outsiders.

Amendments to Canada's federal private sector privacy law, which also applies to physician practices, came into effect on November 1, 2018. Under the new rules, everyone subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada must keep records of breaches for two years.

Guidance for Privacy Record Breaches

Keeping and maintaining a record of every breach of security safeguards involving personal information under your control is part of the new privacy law, even where it is determined that the breach does not pose a real risk of significant harm (a rather arbitrary threshold in most cases, but one that can safely be assumed to be met for anything health related under PIPEDA).

But what does that mean?

The Office of the Privacy Commissioner of Canada broadly suggests that the record must include any information that would help them verify compliance.

That means, as a starting point, things like the date or estimated date of breach; a general description of the circumstances of the breach; the nature of the information involved in the breach; and whether or not the breach was reported (as required) to the Privacy Commissioner of Canada and the individuals whose information was compromised.

They also ask for details that would help them assess whether you have correctly applied the real risk of significant harm standard (RROSH) and otherwise met your obligations to report and notify in those cases.

Although the records should be detailed enough to describe the type of information involved in the breach, they do not need to include personal details unless absolutely necessary to explain the nature and sensitivity of the information.

Next up: how to report, and to whom, in "Informing the Privacy Commissioner and Affected Parties". See our full series on privacy breaches at:

Part 1:  Reporting Privacy Breaches

Part 2:  Assessing the Real Risk of Significant Harm (RROSH)

Part 4:  Informing the Privacy Commissioner and Affected Parties



2Ascribe Inc. is a medical transcription services agency located in Toronto, Ontario Canada, providing medical transcription services to physicians, clinics and other healthcare providers across Canada. Our medical transcriptionists take pride in the quality of your transcribed documents. WEBscribe is our client interface portal for document management. 2Ascribe continues to implement and develop technology to assist and improve the transcription process for physicians and other healthcare providers, and recently introduced AUTOfax. AUTOfax works within WEBscribe to automatically send faxes to referring physicians when a document is signed off by the healthcare professional. As a service to our clients and the healthcare industry, 2Ascribe offers articles of interest to physicians and other healthcare professionals, medical transcriptionists and office staff, as well as of general interest. Additional articles may be found at