Northline Technologies
7 min read · PHIPA Compliance

PHIPA Breach Notification: What Ontario Clinics Must Do in the First 72 Hours

Most Ontario clinics will never face a serious privacy breach. But every clinic is required to be ready for one — with a documented plan, named responsibilities, and a 72-hour clock that starts the moment something looks wrong. This is what those three days should look like in practice.

Healthcare IT Team · Feb 18, 2026

What counts as a PHIPA breach

Under the Personal Health Information Protection Act, a breach is any unauthorized collection, use, or disclosure of personal health information (PHI). That's broader than most clinic owners assume. A stolen laptop is a breach. A misdirected fax with a patient name on it is a breach. A staff member browsing a neighbour's chart out of curiosity is a breach. So is a phishing email that exposes a clinician's mailbox, even if you can't yet prove any patient data was actually opened.

The question isn't whether harm occurred. The question is whether PHI was — or could reasonably have been — accessed by someone who shouldn't have seen it. If the answer is yes, or even probably, the clock starts.

The IPC of Ontario expects you to assume access until you can prove otherwise. Treat suspicion as a breach until your investigation says otherwise; never the reverse.

The first hour: contain and assess

Stop the bleeding first. Disconnect the affected device from the network — pull the cable, kill the Wi-Fi — but don't wipe or reboot it. Forensic evidence lives in memory and logs that disappear the moment you 'fix' the machine.

Reset credentials for any account that may have been compromised. If a clinician's mailbox was phished, force a password change, revoke active sessions, and turn on MFA if it wasn't already. Notify your IT provider and your designated privacy officer — both, in writing, in that first hour.

Open a breach log. A simple shared document is fine. Date and time-stamp every action taken, every person notified, every device touched. This log is what the IPC will ask for, and what your insurer will need.

Notifying the IPC of Ontario

PHIPA requires you to notify the Information and Privacy Commissioner of Ontario when a breach meets certain thresholds — including theft or loss of PHI, use or disclosure without authority, and breaches that affect a large number of patients or trigger annual reporting. The IPC publishes the current criteria; check them at the time of the incident, not from memory.

Notification is done in writing through the IPC's breach notification process. You'll need a description of what happened, the date of discovery, the type and volume of PHI involved, the steps you've taken to contain and investigate, and what you're doing to prevent a recurrence.

There is no fixed statutory hour count for IPC notification, but 'as soon as reasonably possible' is the standard — and in practice, regulators view anything beyond 72 hours from discovery as needing a very good explanation.

"The clinics that handle breaches well aren't the ones with no incidents. They're the ones who decided what they'd do before the incident happened."
Northline Technologies — Healthcare IT Team

Telling affected patients

PHIPA requires you to notify affected patients at the first reasonable opportunity unless an exception applies. The notification must explain what happened, what information was involved, what you're doing about it, and that the patient has the right to complain to the IPC.

Write the notification in plain language. Patients are not reassured by legalese; they are reassured by a clear account of what happened and what you're doing. Have your privacy officer sign it personally where possible.

Sensitive cases — for example, mental health records or HIV status — warrant a phone call before the letter. It is awkward, but it is the right thing to do, and the IPC has called this out in past investigations.

Documenting everything

Your breach file should contain: the incident log, the technical investigation report, the IPC notification (and any IPC correspondence), the patient notification template and a list of who it was sent to, the root-cause analysis, and the remediation plan with owners and target dates.

Keep the file for at least ten years. The IPC has reopened files years later when a follow-up complaint surfaces, and a clinic that can produce a complete, contemporaneous breach record is in a fundamentally stronger position than one that can't.

Once the dust settles, run a short post-mortem with your team. The goal isn't blame — it's making sure the gap that allowed this breach is closed, in writing, before the next one finds it.

Key takeaways

  • Treat any suspected unauthorized access to PHI as a breach until you prove otherwise.
  • Contain first, investigate second — but never wipe or reboot a suspect device.
  • Plan for IPC notification within 72 hours of discovery, even though no fixed hour count is set in statute.
  • Notify patients in plain language; phone first for sensitive records.
  • Keep a complete breach file for at least ten years.
