When must a health information custodian report a privacy breach to the IPC?

Under PHIPA s.12(3) and O. Reg. 329/04, s.6.3, a custodian must report a breach to the IPC at the first reasonable opportunity when it falls into any of seven prescribed categories: (1) knowing unauthorized use or disclosure; (2) stolen information; (3) further unauthorized use or disclosure after an initial breach; (4) a pattern of similar breaches; (5) disciplinary action against a college-regulated health professional; (6) disciplinary action against a non-college employee in equivalent circumstances; or (7) the breach is significant considering sensitivity, volume, number of individuals, and custodians involved.

How do you report a privacy breach to the IPC?

Breaches are reported to the IPC by submitting the Privacy Breach Report Form, available online at ipc.on.ca. The report must describe: the circumstances of the breach and how it was discovered; the nature of the personal health information involved; the number of individuals affected; whether and how affected individuals were notified; and the steps taken to contain, investigate, and remediate the breach and prevent future occurrences. Reports can be submitted online or by mail, and must be filed at the first reasonable opportunity.

Do accidental breaches need to be reported to the IPC?

Generally, a single accidental breach that is an isolated incident — such as a misdirected fax or accidentally opening the wrong patient record — does not need to be individually reported to the IPC. However, accidental breaches must be reported if they fall into other categories: if they are part of a pattern of similar breaches, if the information was stolen, if further unauthorized use or disclosure follows, or if the breach is significant considering the sensitivity or volume of information. All breaches, including accidental ones, must also be counted in the annual breach statistics report filed with the IPC by March 1 each year.

What happens after a breach is reported to the IPC?

After receiving a breach report, the IPC reviews the information provided and may request additional details. Depending on the circumstances, the IPC may: confirm that containment and notification have been addressed; interview individuals involved; obtain and review the custodian's position on the breach; request a status report on actions taken; review policies and procedures and recommend changes; or, if appropriate, conduct a formal investigation under PHIPA s.58-60. In some cases the IPC may take no further action. In others, it may issue a report, make recommendations, or issue a formal order under s.61.

Can the IPC issue orders or penalties after investigating a breach?

Yes. Under PHIPA s.61, the IPC has broad order-making powers following an investigation, including ordering a custodian to stop collecting, using, or disclosing personal health information in contravention of the Act; ordering a custodian to change its information practices; and ordering a custodian to destroy records collected in contravention of the Act. Under s.61.1, the IPC can impose administrative penalties. Under s.72, individuals face fines of up to $200,000 and organizations face fines of up to $1,000,000 for offences under the Act.

Is there a fixed deadline for reporting a breach to the IPC?

No. Unlike HIPAA's 60-day notification window, PHIPA uses the standard of 'at the first reasonable opportunity.' This requires prompt action but allows time for a reasonable investigation to establish the facts before reporting. The IPC will assess whether the custodian acted promptly in the circumstances. Unreasonable delay in reporting may itself be considered a compliance failure. Custodians should not wait until an investigation is fully complete before reporting — the report can note that investigation and remediation steps are still ongoing.

Breach Report to IPC - RiskIntelligence Patient Privacy Monitor

How and When Should Ontario Healthcare Organizations Report a Privacy Breach to the IPC?

A step-by-step guide for health information custodians — when reporting is mandatory, how to file, what to include, and what happens after the IPC receives your report.

Authored by nank.ai | May26, 2026

Key Facts: Reporting Privacy Breaches to the IPC

Legal authority: PHIPA s.12(3) and O. Reg. 329/04, s.6.3 require custodians to report certain breaches to the IPC [Source 1, 2]
Reporting standard: Reports must be filed “at the first reasonable opportunity” — no fixed calendar deadline [Source 1]
7 prescribed categories of breaches trigger mandatory IPC reporting [Source 2, 3]
Snooping is always reportable: Unauthorized access by a person who knew or should have known it was not permitted must be reported, regardless of motive [Source 3]
Patient notification is separate: Even if a breach does not require IPC reporting, the custodian must notify the affected individual under PHIPA s.12(2) [Source 1]
Annual statistics: All breaches — including those not individually reported — must be counted in the annual report filed by March 1 each year [Source 4, 5]
IPC powers: The IPC may request additional information, conduct an investigation (s.58-60), issue orders (s.61), or impose administrative penalties (s.61.1) [Source 1]
Penalties: Fines up to $200,000 for individuals and $1,000,000 for organizations under PHIPA s.72 [Source 1]

When Must a Health Information Custodian Report a Breach to the IPC?

Not every privacy breach requires a report to the Information and Privacy Commissioner of Ontario (IPC). Under PHIPA s.12(3) and O. Reg. 329/04, s.6.3, a custodian must notify the IPC at the first reasonable opportunity only when a breach falls into one or more of seven prescribed categories. The categories are not mutually exclusive — a single breach may trigger reporting under multiple categories [Source 2, 3].

What Are the Seven Reportable Categories?

#	Category	When It Applies	Example
1	Knowing unauthorized use or disclosure	A person uses or discloses PHI without authority, and knew or should have known their actions were not permitted.	A nurse views a neighbour’s medical record out of curiosity (snooping).
2	Stolen information	PHI was stolen — paper records, laptops, USB drives, or data compromised by ransomware or cyberattack. Exception: not required if data was de-identified or encrypted.	A laptop containing unencrypted patient data is stolen from a clinic.
3	Further unauthorized use or disclosure after a breach	After an initial breach, the PHI was or will be further used or disclosed without authority.	A misdirected fax recipient returns the fax but keeps a copy and threatens to publicize it.
4	Pattern of similar breaches	The breach is part of a pattern, even if each individual breach is accidental or minor.	A malfunctioning mail system repeatedly includes one patient’s information in another patient’s letter over several months.
5	Disciplinary action — college member	A regulated health professional is terminated, suspended, disciplined, or resigns in circumstances related to the breach, triggering college notification under PHIPA s.17.1 Want to automate privacy log review to reduce cost by 90%? Stop manually reviewing access logs. Start detecting breaches in real time with our AI-driven patient privacy monitor. Contact Us RiskIntelligence Your trusted risk management service partner Linkedin-in Youtube Reddit Company Privacy Monitor About Contact Privacy Policy Services Healthcare Privacy Monitor solution Privacy and Security Advisory Get In Touch sales@riskintelligence.ca Ontario, Canada Copyright © 2026 BlueImpact RiskIntelligence Ltd. (doing business as RiskIntelligence)

How and When Should Ontario Healthcare Organizations Report a Privacy Breach to the IPC?

Authored by nank.ai | May26, 2026

When Must a Health Information Custodian Report a Breach to the IPC?

What Are the Seven Reportable Categories?

Want to automate privacy log review to reduce cost by 90%?

RiskIntelligence

Company

Services

Get In Touch