A staff member reports a misdirected fax, a lost laptop, or a suspicious login. The next 72 hours matter — but what has to happen in them depends entirely on which province your clinic operates in. Treating every breach as if the same clock is running everywhere is itself a compliance gap.
The one true 72-hour deadline: Quebec's Law 25
Quebec is the only province with a fixed-hour statutory clock. Since Law 25's Phase 2 obligations came into force on 22 September 2023, any confidentiality incident presenting a "risk of serious injury" must be reported to the Commission d'accès à l'information (CAI) and to the affected individuals within a window regulators treat as effectively 72 hours from discovery. Quebec clinics must also maintain a running incident register, whether or not a given event clears the notification threshold.
Ontario PHIPA: no fixed hour, but no slack either
Ontario has no statutory "72 hours." What PHIPA requires instead, since mandatory breach reporting took effect 1 October 2017 (s.12(3) + O. Reg. 224/17), is notification to the Information and Privacy Commissioner of Ontario (IPC) "at the first reasonable opportunity" once a breach falls into a prescribed category: theft, unauthorized use or disclosure, a pattern of similar breaches, an event that triggers college disciplinary action, or any breach the custodian judges "significant." Ontario custodians also carry a separate, easy-to-miss obligation: tracking every reportable breach for an annual statistical return, due to the IPC by 1 March each year, a duty that has been in force since January 2018.
Alberta, Manitoba, Nova Scotia, Newfoundland & Labrador
Each of these provinces layers its own health-specific statute on top of PIPEDA, and each mandates notification on a harm-based trigger rather than a fixed clock:
- Alberta (HIA): notify the OIPC, the Minister of Health, and the affected individual on a "risk of harm" test.
- Manitoba (PHIA): notify the Ombudsman and the individual on a "real risk of significant harm" (RROSH) test — mandatory since 1 January 2022.
- Nova Scotia (PHIA): notify the individual directly; notify the Review Officer only if the custodian decides not to notify the individual.
- Newfoundland & Labrador (PHIA): a two-tier duty — individuals must be notified "at first reasonable opportunity," and the Commissioner only on a "material breach."
British Columbia and Saskatchewan: still voluntary
Private clinics in BC (under PIPA) and Saskatchewan (under HIPA) are not under a statutory duty to report a breach to their provincial regulator at all — it is documented as best practice, not law. That does not remove the underlying PIPEDA obligation for any cross-border or cross-provincial flow of personal information, which still carries its own duty to report to the federal Office of the Privacy Commissioner on a "real risk of significant harm" basis.
What the same breach requires, by province
| Province / law | Statutory clock | Who gets notified | |---|---|---| | Quebec — Law 25 | ~72 hours (risk of serious injury) | CAI + individuals | | Ontario — PHIPA | No fixed hours; "first reasonable opportunity" | IPC + individuals + annual statistics | | Alberta — HIA | No fixed hours; risk-of-harm trigger | OIPC + Minister + individuals | | Manitoba — PHIA | No fixed hours; RROSH trigger | Ombudsman + individuals | | Nova Scotia — PHIA | No fixed hours | Individuals (Review Officer if not notifying them) | | Newfoundland & Labrador — PHIA | No fixed hours | Individuals + Commissioner (material breach) | | BC — PIPA / Saskatchewan — HIPA | Voluntary | Best practice only |
Why "we'll figure it out when it happens" is the wrong plan
A written breach-response protocol only works if it is tested before it is needed. The IPC's own guidance describes the expected shape as Contain, Notify, Investigate, Prevent — but who contains, who decides whether a breach is "significant" or clears the risk-of-serious-injury bar, and who actually files the notification are decisions that should never be made for the first time during an actual incident. Structura Health's Risk & Incident module walks a designated privacy contact through exactly this sequence, logs every step with a timestamp, and keeps the record the regulator will ask to see.
What clock applies if my clinic serves patients in more than one province?
Use the strictest applicable deadline. If your clinic has any Quebec-resident patients, treat every incident as if the 72-hour Law 25 clock is running, even if your head office is in Ontario — Law 25 explicitly reaches out-of-province entities offering services to, or monitoring, Quebec residents.
Sources: CAI Québec — Principaux changements (Loi 25) · IPC Ontario — mandatory breach reporting guidance (O. Reg. 224/17) · IPC — annual reporting of breach statistics · Alberta Health Information Act · Manitoba PHIA · Nova Scotia PHIA · Newfoundland & Labrador PHIA · Saskatchewan OIPC breach guidelines.
Keep reading: Ontario's first PHIPA fine: what the IPC found missing · Quebec Law 25 for healthcare — the compliance overview · take the free PHIPA scorecard