What Are Ontario's Breach Management Requirements?

A practical guide for health information custodians — covering PHIPA's breach management framework, serious breach reporting to the IPC, annual breach statistics, and patient notification obligations.
Published by nank.ai | May 25, 2026

What Does PHIPA Require for Breach Management?

Ontario’s Personal Health Information Protection Act, 2004 (PHIPA) establishes a multi-layered framework for breach management. The obligations are found primarily in section 12 of the Act and sections 6.3 and 6.4 of Ontario Regulation 329/04. Together, they impose three distinct duties on health information custodians.

What Is the Duty to Protect Personal Health Information?

Under PHIPA s.12(1), a health information custodian must take steps that are reasonable in the circumstances to ensure that personal health information in the custodian’s custody or control is:

  • Protected against theft, loss, and unauthorized use or disclosure; and
  • Protected against unauthorized copying, modification, or disposal.

This is a proactive obligation. It requires custodians to have safeguards in place before a breach occurs — not merely to respond after the fact [Source 1].

What Is the Duty to Notify the Affected Individual?

Under PHIPA s.12(2), when personal health information is stolen, lost, or used or disclosed without authority, the custodian must notify the individual to whom the information relates at the first reasonable opportunity. The notification must include a statement that the individual is entitled to make a complaint to the Information and Privacy Commissioner of Ontario (IPC) [Source 1, 6].

This duty applies to every breach — accidental or deliberate, minor or significant. There is no threshold or materiality exception for patient notification.

What Is the Duty to Report to the IPC?

Under PHIPA s.12(3) and O. Reg. 329/04, s.6.3, custodians must notify the IPC at the first reasonable opportunity when a breach falls into one of seven prescribed categories. Additionally, under O. Reg. 329/04, s.6.4, custodians must submit annual breach statistics to the IPC by March 1 each year [Source 1, 3].

What Is the Breach Management Process Under PHIPA?

Effective breach management is a structured lifecycle — not a single act. The IPC’s guidance documents outline a four-stage process that every custodian should follow [Source 2, 5].

How Should a Breach Be Contained?

Step 1: Contain the breach. The immediate priority is to stop the breach and prevent further unauthorized access. Actions may include:

  • Revoking or suspending the access credentials of the individual responsible.
  • Recovering stolen or misdirected records (paper or electronic).
  • Isolating affected systems in the case of a cyberattack.
  • Securing physical areas where a break-in or theft occurred.
  • Contacting recipients of misdirected information and requesting return or destruction.

How Should a Breach Be Investigated?

Step 2: Investigate and assess. Determine the facts: what happened, who was involved, what information was compromised, how many individuals were affected, and how the breach occurred. Key questions include:

  • What personal health information was involved? How sensitive is it?
  • Was the breach deliberate or accidental?
  • Who committed the breach — an employee, agent, affiliated practitioner, or external party?
  • Did the person know or should they have known that their actions were unauthorized?
  • How many individuals’ records were affected?
  • Is there evidence of further use or disclosure of the information?
  • Is this breach part of a pattern of similar breaches?

How Should Affected Individuals and the IPC Be Notified?

Step 3: Notify. Based on the investigation findings, determine notification obligations:

  • Notify the affected individual(s) at the first reasonable opportunity — this is mandatory for all breaches (see "What Are the Requirements for Notifying Affected Patients?" below).
  • Notify the IPC at the first reasonable opportunity if the breach falls into one of the seven prescribed categories (see "When Must a Breach Be Reported to the IPC?" below).
  • Notify the relevant health regulatory college within 30 days if the breach involves a regulated health professional and disciplinary action is taken (PHIPA s.17.1).

How Should a Breach Be Remediated?

Step 4: Remediate and prevent. Address the root cause of the breach and implement measures to prevent recurrence. This may include:

  • Updating policies and procedures (e.g., access controls, fax protocols, encryption standards).
  • Providing additional training to staff.
  • Implementing or strengthening technical safeguards (e.g., audit logging, access monitoring).
  • Taking disciplinary action against responsible individuals.
  • Conducting a broader review of information practices if the breach reveals systemic issues.

When Must a Breach Be Reported to the IPC?

Under PHIPA s.12(3) and O. Reg. 329/04, s.6.3, custodians must report a breach to the IPC at the first reasonable opportunity if it falls into any of the following seven categories. The categories are not mutually exclusive — more than one may apply to a single incident [Source 2, 5].

  1. Knowing unauthorized use or disclosure: PHI was used or disclosed without authority by a person who knew or should have known their actions were not permitted. Example: A nurse views a neighbour’s medical record for non-work purposes (snooping). Accidental, isolated incidents (e.g., a single misdirected fax) generally do not trigger this category on their own.
  2. Stolen information: PHI was stolen — including theft of paper records, laptops, USB drives, or data compromised by ransomware or cyberattack. Exception: Reporting is not required if the stolen information was de-identified or encrypted.
  3. Further unauthorized use or disclosure after the initial breach: After an initial breach (even one not reported), the information was or will be further used or disclosed without authority. Example: A misdirected fax recipient returns the fax but keeps a copy and threatens to make it public.
  4. Pattern of similar breaches: The breach is part of a pattern of similar breaches, even if each individual breach is accidental or minor. Example: A malfunctioning automated letter system repeatedly includes one patient’s information in another patient’s letter over several months.
  5. Disciplinary action against a college member: A regulated health professional is terminated, suspended, disciplined, or resigns in circumstances related to the breach, triggering a duty to notify their regulatory college under PHIPA s.17.1.
  6. Disciplinary action against a non-college member: An employee or agent who is not a member of a regulatory college is disciplined in circumstances that would have triggered college notification had they been a member. Example: A registration clerk posts patient information on social media and is suspended.
  7. Significant breach: The breach is significant after considering all relevant circumstances: whether the information is sensitive, involves a large volume of information, affects many individuals, or involves more than one custodian or agent. A breach may be significant even if it causes no particular harm — e.g., it reveals systemic weaknesses in information practices.

What About Unauthorized Collection via the EHR?

Under O. Reg. 329/04, s.18.3, if personal health information is collected without authority by means of the provincial electronic health record (EHR), the custodian responsible must notify the IPC if the unauthorized collection would have been reportable had it been a use or disclosure under any of the seven categories above [Source 2, 5].

What Information Must Be Included in a Breach Report to the IPC?

The IPC’s breach report form requires custodians to describe [Source 2, 5]:

  • The circumstances of the breach — how the information came to be stolen, lost, or disclosed without authority; how the breach was discovered.
  • The nature of the personal health information involved.
  • The number of individuals affected.
  • Whether and how the custodian notified affected individuals.
  • The steps taken to contain, investigate, and remediate the breach and prevent future breaches (even if some steps are still ongoing).

What Is the Annual Breach Report to the IPC?

Separate from individual breach reporting, O. Reg. 329/04, s.6.4 requires every health information custodian to submit annual breach statistics to the IPC. This is a distinct obligation from reporting individual breaches under s.6.3 [Source 3, 4].

When Is the Annual Report Due?

The annual report must be submitted by March 1 each year, covering all privacy breaches that occurred or were discovered during the previous calendar year. The report must be submitted electronically through the IPC’s Online Statistics Submission Website [Source 3, 4, 6].

What Must the Annual Report Include?

The report must set out the number of times in the previous calendar year that each of the following occurred [Source 3]:

  1. PHI stolen: Total incidents; circumstances (internal party, stranger, ransomware, other cyberattack, unencrypted device, paper records); individuals affected per incident (1, 2-10, 11-50, 51-100, >100).
  2. PHI lost: Total incidents; circumstances (ransomware, other cyberattack, unencrypted device, paper records); individuals affected per incident.
  3. PHI used without authority: Total incidents; circumstances (via electronic records, paper records, other means); individuals affected per incident.
  4. PHI disclosed without authority: Total incidents; circumstances (misdirected fax, misdirected email, other means); individuals affected per incident.
  5. PHI collected via the EHR without authority: Total incidents; individuals affected per incident.

Does the Annual Report Include All Breaches — Even Minor Ones?

Yes. The annual statistics report must include all breaches — including those that did not meet the threshold for individual reporting to the IPC under s.6.3. An accidental, isolated breach (such as a single misdirected fax) may not have been separately reported to the IPC when it occurred, but it must still be counted in the annual statistics [Source 2, 3].
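To show how the seven s.6.3 reporting categories and the s.6.4 annual statistics roll-up work together in an incident-tracking workflow, here is an added Python example; it is not code from this guide or from any IPC tool. The Breach record and its field names, the rule that two or more earlier incidents with the same label make a "pattern", and the sample year (three misdirected faxes, a stolen unencrypted laptop, a stolen encrypted USB key) are assumptions made for the example; whether a breach is "significant" remains the custodian's judgment and is passed in as a flag.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass
class Breach:  # hypothetical incident record for this example, not the IPC form's fields
    kind: str                      # "stolen", "lost", "used", "disclosed" or "collected_ehr"
    individuals: int               # number of individuals whose PHI was affected
    knew_unauthorized: bool = False  # actor knew or should have known (category 1)
    protected: bool = False        # stolen data was encrypted or de-identified (category 2 exception)
    further_use: bool = False      # info was or will be further used/disclosed (category 3)
    pattern_key: Optional[str] = None  # label shared by similar incidents (category 4)
    disciplined: bool = False      # disciplinary action was taken (categories 5 and 6)
    college_member: bool = False   # the actor is a regulated health professional
    significant: bool = False      # custodian's judgment on sensitivity, volume, custodians involved

def ipc_categories(b: Breach, prior: List[Breach]) -> Set[int]:
    """Return the O. Reg. 329/04 s.6.3 categories (1-7) that make the breach reportable."""
    # Assumption: two or more earlier incidents carrying the same label form a "pattern".
    similar_before = sum(p.pattern_key == b.pattern_key for p in prior) if b.pattern_key else 0
    rules = [
        # s.18.3: unauthorized EHR collection is assessed as if it were a use or disclosure
        (1, b.kind in ("used", "disclosed", "collected_ehr") and b.knew_unauthorized),
        (2, b.kind == "stolen" and not b.protected),
        (3, b.further_use),
        (4, similar_before >= 2),
        (5, b.disciplined and b.college_member),
        (6, b.disciplined and not b.college_member),
        (7, b.significant),
    ]
    return {cat for cat, hit in rules if hit}

def obligations(b: Breach, prior: List[Breach]) -> Dict[str, object]:
    cats = ipc_categories(b, prior)
    return {
        "notify_patient": True,                  # s.12(2): every breach, no threshold
        "report_ipc": bool(cats),                # s.12(3) and O. Reg. 329/04 s.6.3
        "ipc_categories": sorted(cats),
        "notify_college": b.disciplined and b.college_member,  # s.17.1, within 30 days
        "count_in_annual_stats": True,           # s.6.4: every breach, even minor ones
    }

def size_bucket(n: int) -> str:
    # Individuals-affected bands used in the IPC annual statistics report
    for limit, label in ((1, "1"), (10, "2-10"), (50, "11-50"), (100, "51-100")):
        if n <= limit:
            return label
    return ">100"

def annual_stats(breaches: List[Breach]) -> Dict[str, Dict[str, object]]:
    # Roll every breach of the year up by kind and individuals-affected band (s.6.4)
    stats: Dict[str, Dict[str, object]] = {}
    for b in breaches:
        row = stats.setdefault(b.kind, {"incidents": 0, "by_size": {}})
        row["incidents"] += 1
        band = size_bucket(b.individuals)
        row["by_size"][band] = row["by_size"].get(band, 0) + 1
    return stats

YEAR = [Breach("disclosed", 1, pattern_key="misdirected_fax") for _ in range(3)]  # constructed: three faxes
YEAR += [Breach("stolen", 400, significant=True), Breach("stolen", 25, protected=True)]  # laptop, USB key
```

Running obligations() over the sample year in order shows the first two faxes needing only patient notification, the third becoming IPC-reportable as a pattern, and the encrypted USB key still counting in the annual statistics despite not being reportable.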

Who Must File the Annual Report?

  • HICs that are not FIPPA/MFIPPA institutions: Must file only if one or more breaches occurred or were discovered in the previous year.
  • HICs that are FIPPA/MFIPPA institutions (e.g., public hospitals): Must file even if no breaches occurred — completing at minimum Section 1 of the report [Source 6].

What Are the Requirements for Notifying Affected Patients?

Patient notification is a standalone obligation under PHIPA s.12(2), separate from IPC reporting. It applies to every privacy breach, regardless of whether the breach is reportable to the IPC [Source 1, 2].

When Must Patients Be Notified?

The custodian must notify the affected individual at the first reasonable opportunity after a theft, loss, or unauthorized use or disclosure of their personal health information. There is no exception for minor or accidental breaches — the duty applies universally [Source 1].

What Must the Notification Include?

The notification must include:

  • Information about the nature of the breach — what happened and what information was involved.
  • A statement that the individual is entitled to make a complaint to the Information and Privacy Commissioner of Ontario.

How Must the Notification Be Delivered?

PHIPA does not prescribe a specific format for patient notification. The custodian may notify the individual by [Source 6]:

  • Telephone
  • Written letter
  • In person — for example, at the patient’s next appointment
  • Other means appropriate to the circumstances

The custodian should consider the sensitivity of the information that was compromised and use judgment to determine the most appropriate method. Highly sensitive breaches (e.g., mental health records, HIV status) may warrant more direct and confidential notification methods.

What About Notification When Disciplinary Action Is Taken?

When a breach leads to disciplinary action against a regulated health professional, the custodian must also report the individual to their regulatory college under PHIPA s.17.1, within 30 days. This is in addition to — not a substitute for — notifying the affected patient and (if applicable) the IPC [Source 1, 7].

How Do All the Breach Management Obligations Fit Together?

  • Notify patient. Trigger: every breach (theft, loss, unauthorized use/disclosure). Timing: at the first reasonable opportunity. Authority: PHIPA s.12(2).
  • Report to IPC. Trigger: breach falls into one of the 7 prescribed categories. Timing: at the first reasonable opportunity. Authority: PHIPA s.12(3); O. Reg. 329/04, s.6.3.
  • Report to regulatory college. Trigger: disciplinary action against a regulated health professional for a breach. Timing: within 30 days. Authority: PHIPA s.17.1.
  • Annual statistics to IPC. Trigger: all breaches in the previous calendar year. Timing: by March 1 each year. Authority: O. Reg. 329/04, s.6.4.
  • Track all breaches. Trigger: implied by annual reporting and pattern detection obligations. Timing: ongoing. Authority: O. Reg. 329/04, ss.6.3(4), 6.4.

Frequently Asked Questions About PHIPA Breach Management

1. What does PHIPA require for breach management in Ontario?

PHIPA section 12 requires health information custodians to take reasonable steps to protect personal health information against theft, loss, and unauthorized use or disclosure. When a breach occurs, custodians must: (1) notify the affected individual at the first reasonable opportunity, informing them of their right to complain to the IPC (s.12(2)); (2) notify the IPC at the first reasonable opportunity if the breach falls into one of seven prescribed categories under O. Reg. 329/04, s.6.3; and (3) submit annual breach statistics to the IPC by March 1 each year (O. Reg. 329/04, s.6.4).

2. What are the seven categories of breaches that must be reported to the IPC?

Under O. Reg. 329/04, s.6.3, custodians must report to the IPC when: (1) PHI was used or disclosed without authority by someone who knew or should have known it was unauthorized; (2) PHI was stolen; (3) further unauthorized use or disclosure occurs after an initial breach; (4) the breach is part of a pattern of similar breaches; (5) disciplinary action is taken against a college-regulated health professional due to the breach; (6) disciplinary action is taken against a non-college employee in circumstances that would have triggered college notification; (7) the breach is significant considering sensitivity, volume, number of individuals affected, and number of custodians involved.

3. When must a health information custodian notify patients of a privacy breach?

Under PHIPA s.12(2), a health information custodian must notify the affected individual at the first reasonable opportunity after a theft, loss, or unauthorized use or disclosure of personal health information. The notification must include a statement that the individual is entitled to make a complaint to the IPC. PHIPA does not prescribe the format — notification may be by telephone, letter, or in person. This duty applies to every breach, with no exception for minor or accidental incidents.

4. What must be included in the annual breach report to the IPC?

Under O. Reg. 329/04, s.6.4, every health information custodian must submit to the IPC by March 1 each year a report covering all privacy breaches from the previous calendar year. The report must include the number of incidents across five categories: PHI stolen, PHI lost, PHI used without authority, PHI disclosed without authority, and PHI collected without authority via the EHR. For each category, custodians must report the circumstances and the number of individuals affected per incident. All breaches must be counted, including those that did not meet the threshold for individual reporting to the IPC.

5. Does the IPC need to be notified of accidental privacy breaches?

Generally, accidental or inadvertent breaches that are isolated incidents — such as a single misdirected fax or accidentally opening the wrong patient record — do not need to be individually reported to the IPC. However, accidental breaches must be reported if they fall into other categories: for example, if they are part of a pattern of similar breaches, involve stolen information, lead to further unauthorized use or disclosure, or are significant. Additionally, all breaches — including accidental ones — must be counted in the annual breach statistics report to the IPC.

6. What happens if a healthcare organization fails to report a breach under PHIPA?

Failure to comply with PHIPA’s breach reporting and notification obligations can result in enforcement action by the IPC, including orders under s.61 and administrative penalties under s.61.1. Under s.72 of PHIPA, individuals face fines of up to $200,000, and organizations face fines of up to $1,000,000. Beyond regulatory penalties, failure to report can result in loss of patient trust, reputational damage, and potential civil liability under s.65 (damages for breach of privacy). The IPC may also initiate a review or investigation in response to unreported breaches that come to its attention through complaints or other means.

Sources and References

  [Source 1] Government of Ontario. Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A, ss. 12, 17.1, 61, 61.1, 65, 72. Ontario e-Laws. https://www.ontario.ca/laws/statute/04p03
  [Source 2] Information and Privacy Commissioner of Ontario (IPC). Reporting a Privacy Breach to the IPC: Guidelines for the Health Sector (March 2021). https://www.ipc.on.ca/sites/default/files/legacy/2019/09/2019-health-privacy-breach-notification-guidelines.pdf
  [Source 3] Information and Privacy Commissioner of Ontario (IPC). Annual Reporting of Privacy Breach Statistics to the Commissioner: Requirements for the Health Sector (March 2021). https://www.ipc.on.ca/sites/default/files/legacy/2017/11/annual-breach-statistics-rptg.pdf
  [Source 4] Government of Ontario. Ontario Regulation 329/04 under the Personal Health Information Protection Act, 2004, ss. 6.3, 6.4, 18.3. Ontario e-Laws. https://www.ontario.ca/laws/regulation/040329
  [Source 5] Information and Privacy Commissioner of Ontario (IPC). Report a Health Privacy Breach. IPC website. https://www.ipc.on.ca/en/health-organizations/report-a-privacy-breach
  [Source 6] Ontario Medical Association (OMA). Privacy Breach Reporting Requirements (May 2024). https://www.oma.org/practice-professional-support/running-your-practice/operations-and-practice-management/cybersecurity/privacy-and-secure-electronic-communication/privacy-breach-reporting-requirements/
  [Source 7] David Young Law. New Ontario Breach Reporting Rules Respond to Snooping and Cybersecurity Concerns (February 2018). Compliance Bulletin. https://davidyounglaw.ca/compliance-bulletins/803-2/
  [Source 8] Information and Privacy Commissioner of Ontario (IPC). Responding to a Health Privacy Breach: Guidelines for the Health Sector. https://www.ipc.on.ca/

This blog post is for informational purposes only and does not constitute legal advice. Healthcare organizations should consult with qualified legal counsel and privacy professionals for guidance specific to their circumstances. For the current text of PHIPA, refer to Ontario’s e-Laws website.