Following the discovery of a potential Breach, the Chief Privacy Officer shall facilitate an investigation and conduct a risk of harm assessment. The Privacy Officer shall conduct the initial investigation, which may include:
- Identification of the persons associated with the WRHA/Health Care Facility involved;
- Identification of the Personal Health Information in question;
- The nature and extent of the alleged Privacy Breach;
- Gathering relevant documents;
- Consulting with the appropriate resources, including Regional Director, Legal, Human Resources and/or the Chief Privacy Officer prior to interviewing staff where there may be potential disciplinary consequences;
- Maintaining appropriate documentation.
If a breach is substantiated and notification is required, the Chief Privacy Officer shall direct and oversee the process to notify each individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of the breach. Upon determination that notification is required, the notice must be made without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach.