Reminder to HICs on the Annual Reporting Requirement to the Commissioner
Every calendar year, Registered Massage Therapists (RMTs/MTs) and all other regulated health professionals and agents who are “Health Information Custodians (HICs)” must report privacy breach statistics to the Information and Privacy Commissioner of Ontario (IPC).
This annual reporting requirement is set out in section 6.4 of Ontario Regulation 329/04 under the Personal Health Information Protection Act, 2004 (PHIPA). The report must summarize any privacy breaches in 2020 as they relate to the HIC’s clients:
- The number of times personal health information was stolen;
- Any instances of lost personal health information (e.g., lost client records); and
- Any occurrences of personal health information being misused and/or disclosed without authority (e.g., misdirected faxes or emails).
For more information about these requirements, please refer to the IPC’s Frequently Asked Questions on Annual Statistical Reporting.
HICs should submit their reports through the Online Statistics Submission website. The deadline for HICs to submit their annual reports to the IPC is March 31, 2021.
Health Information Custodian (HIC)
The IPC defines an HIC as a person or organization who has custody or control of personal health information as a result of, or in connection with, performing the duties or the work of providing healthcare. The person must be a healthcare worker or a person who operates a group practice of healthcare practitioners.
You may be an HIC if you are in independent practice or work as an independent contractor within a multi-disciplinary clinic/spa. All RMTs are required to understand their obligations based on their contract or employment arrangement.
Am I an HIC or Agent?
Health professionals have different levels of responsibility depending on whether they are the HIC or an agent. If you are a regulated health professional, or you operate a group practice, and you have custody and control of personal health information in connection with your duties, then you are an HIC for purposes of PHIPA.
However, even if you fall under the definition of an HIC, if you work for or on behalf of another custodian (such as another regulated health professional, a group practice or hospital), then you are considered to be an agent of that HIC.
An HIC is ultimately responsible for the personal health information in their custody or control, but may permit an agent to collect, use, disclose, retain or dispose of the information if certain requirements are met. Please read CMTO’s Overview of PHIPA to understand your obligations under PHIPA.
RMTs should take steps to ensure that the terms of any contract or employment agreement establish whether the RMT is an agent or HIC for the duration of their employment. The terms of employment should also contain clear guidelines that describe how the responsibilities associated with leaving a practice will be fulfilled upon the RMT’s departure. CMTO has published guidance about these responsibilities in the Record Retention policy.