STRUCTURA HEALTH
All articles

The PHIPA Duty Almost Every Ontario Clinic Forgets: The Annual Breach Statistics Report

Reporting a breach to the IPC when it happens is only half the obligation. Ontario health information custodians also have to track every reportable breach all year and file an annual statistical return by March 1 — a duty most small clinics have never heard of.

By Structura Health · Last verified

Most Ontario clinics know, in general terms, that a serious privacy breach has to be reported to the Information and Privacy Commissioner of Ontario (IPC). Far fewer know about the second, quieter obligation sitting next to it: a mandatory annual statistical return, due every year whether or not the clinic had a single reportable breach.

Where this duty comes from

Mandatory breach reporting took effect in Ontario on 1 October 2017, under PHIPA s.12(3) and O. Reg. 224/17. The regulation created two separate duties, not one:

1. Report specific breaches to the IPC as they occur, in prescribed circumstances (theft, unauthorized use or disclosure, a pattern of similar incidents, an event triggering college discipline, or any breach the custodian judges "significant"). 2. Track every reportable breach through the calendar year and file an annual statistical summary with the IPC, a duty that has run since 1 January 2018, with the first filings due starting March 2019 and every year since, by 1 March.

The second duty is easy to lose track of precisely because it does not have an obvious trigger event the way an actual breach does. There is no incident to prompt someone to remember it. It is a standing, calendar-driven obligation — the kind of thing a spreadsheet quietly stops tracking the moment the person who set it up leaves.

What the annual return actually shows

The IPC uses the aggregate statistics it collects from every custodian in the province to publish sector-wide trend data. The most recent published figures are a useful benchmark for any clinic assessing its own risk profile:

  • Misdirected faxes are the single largest reported cause of breaches — 5,093 incidents reported to the wrong recipient in the IPC's 2023 data, up roughly 10% year over year.
  • Unauthorized disclosure accounts for more than 56% of all reported breaches.
  • Snooping — staff accessing records without a legitimate reason — made up more than 34% of examined issues in 2024 and is rising. This is precisely the conduct at the centre of IPC Decision 298, Ontario's first PHIPA administrative monetary penalty.

A clinic that cannot reconstruct its own breach history for the year cannot file an accurate return — and an inaccurate or missing filing is itself a compliance gap the IPC can act on.

What counts as a "reportable" breach for the annual return

The same prescribed circumstances that trigger an individual breach report also feed the annual tally: theft of records, unauthorized use or disclosure, a pattern of similar smaller breaches that individually might not warrant a report, a breach that led to college disciplinary action, or any incident the custodian itself classifies as significant. A clinic that has zero of these in a year still owes a filing — a nil return is still a return.

Why this belongs in the same system as everything else

Treating breach tracking as a once-a-year scramble to reconstruct a year of incidents from memory, email threads, and whoever happens to remember, is exactly the "systemic" failure pattern the IPC called out in Decision 298. The fix is the same fix as everywhere else in a PHIPA compliance program: log the incident once, when it happens, in a system that timestamps it and retains it — and the annual return becomes a query, not a research project.

Does my clinic need to file the annual return even if we had zero breaches this year?

Yes. The annual statistical reporting duty applies to every Ontario health information custodian, not only those with a reportable breach in the period. A year with no incidents still requires a nil filing by the 1 March deadline.

How Structura handles this

Every incident logged in the Risk & Incident module carries the date, type, and severity fields the IPC's annual return asks for. At filing time, that becomes an export instead of a reconstruction exercise.


Sources: IPC Ontario — annual reporting of privacy breach statistics to the Commissioner · IPC 2023 Annual Report backgrounder · IPC 2024 statistical report · BLG — mandatory reporting of health-sector breaches in Ontario · IPC PHIPA Decision 298 (2025 CanLII 85580).

Keep reading: Ontario's first PHIPA fine: what the IPC found missing · The first 72 hours after a privacy breach · take the free PHIPA scorecard

Check your clinic's PHIPA gaps — free, no login

Map your current practices against the six areas the IPC identified in Decision 298. About three minutes, no account required.

Take the free PHIPA scorecard

Turn compliance into a maintained, demonstrable posture.

Documented governance is the difference between a penalty and a pass. See how Structura gets your clinic audit-ready.