Complaint
The custodian allegedly disclosed the complainant’s personal health information (PHI) to their emergency contact.
The custodian had investigated the complainant (the parent) due to a reported child protection concern that was quickly determined to be unfounded. They intended to phone the parent to report that the file was now closed but accidentally phoned the parent’s emergency contact who has the same name. When they identified that they were calling from Family and Children’s Services about their child, the emergency contact stated that they did not have a child.
Investigation
The employee recognized that there had been a privacy breach and reported the matter to their designated privacy officer, as required by HIPMA. We also found that the custodian conducted a breach analysis and notified the complainant as required where there is a risk of significant harm to an affected person. Finally, we found that the erroneous contact information had been provided to the custodian by a third party and could not be validated in advance.
Though minimal personal information was disclosed to the emergency contact, simply knowing that the complainant was receiving a call from Family and Children’s Services about their child is sensitive personal information.
Decision
Non-compliant. The disclosure of PHI to the emergency contact was not authorized, but the custodian complied with its obligations under the HIPMA: reporting the breach to the designated privacy officer, assessing if there was risk of significant harm, notifying the affected person and providing our office with a copy of the breach report.
Privacy breaches will occur from time to time. Our role is to ensure that custodians have reasonable safeguards in place to prevent them in the future and, if they do occur, that they have appropriate policies and procedures to manage them.
Recommendations
Accepted. As the custodian complied with its obligation, our office closed the complaint file without making any recommendations. However, we will evaluate the
custodian’s breach report to assess their mitigations and we may provide recommendations.