About the Health Sector Privacy Officer Course

As health care organizations and providers, your privacy practices are under scrutiny from your patients, residents or clients (and their families), the courts, the media and the Information and Privacy Commissioner of Ontario (IPC/O). Attorney General prosecutions are underway under the Personal Health Information Protection Act (PHIPA), and class actions have been filed in the courts. Bill 119 amended PHIPA in numerous important ways (including doubling the fines to up to $100,000 for individuals and $500,000 for organizations and requiring reports to the IPC/O of certain privacy breaches and reports to regulatory Colleges).  

This course focuses on Ontario legislation, but is of value to any health sector Privacy Officer. It will give you confidence in your role by giving you the information and skills you need to succeed as a Privacy Officer or as:  

  • A Chief Information Officer
  • A manager with a Privacy Officer reporting to you, or
  • An advisor to organizations that are subject to health privacy requirements, or a creator of related health policy

You will receive:

  • A full day session in downtown Toronto (or via webcast, the choice is yours) where we will launch the community and tackle some of the tough issues
  • Additional twice-monthly webinars, resources and intensive instruction from a leading legal educator in the field, most in real time
  • 30+ hours of instruction in all (up from 20 hours in the previous course), with flexibility to learn at a pace that works for you and with the support of a community
  • The most current information on privacy practices and expectations for health care organizations
  • Practical and dynamic skills training for adult learners using scenarios, stories, quizzes and practical applications for your environment
  • Strategies to assist you to work through your organization’s documents
  • A report card you complete at the end of the course to share with your Board or supervisor to demonstrate your organization’s privacy compliance status and privacy priorities (or gaps, if any)
  • A letter outlining the training you have received, for your organization’s due diligence 
  • Sample tools to adapt to your organization for your everyday use, including these templates:
      • Privacy program checklist and document checklist
      • Privacy policies
      • Annual confidentiality pledge for all staff, students, volunteers and researchers
      • Privacy communiques (to customize and circulate as evidence of your due diligence)
      • Board update on privacy
      • Privacy impact assessment resources
      • Privacy breach checklist
      • Privacy breach notification/script
  • A privacy library, including:
      • The primary Ontario privacy resource – “Guide to the Ontario Personal Health Information Protection Act: A Practical Guide for Health Care Providers” (H. Perun, M. Orr, F. Dimitriadis, Irwin Law, 2005)
      • Online resources compiled for you
  • Recent developments, risk management and due diligence (Launch Day session and throughout the course as new orders and decisions of IPC/O arise)
  • The privacy basics, including general limiting principles and collection rules
  • Privacy compliance overview
  • Creating and reinforcing a culture of privacy
  • Security & safeguards, including the ins and outs of audits and the increasing number of shared systems
  • Consent and capacity in the PHIPA context
  • Secondary Uses and Disclosures
  • Disclosure to third parties
  • Who is the health information custodian?
  • Privacy breach investigation & response
  • IPC/O orders and decisions – what you need to know
  • How to create and show due diligence
  • Attorney General prosecutions – what we know so far
  • Dealing with the media
  • Tips for training staff whether you are a large or small health information custodian
  • Circle of care and lockbox
  • Access & Correction
  • Special rules related to children
  • Special rules in mental health settings
  • Q&A – What keeps you up at night?

What can this course do for you?

You will confidently be able to:  

  • Understand basic privacy terminology such as: personal health information (PHI); health information custodians (HICs); agents; collection, use, and disclosure; circle of care & lockbox; privacy impact assessments (PIAs); and threat risk assessments (TRAs)
  • Explain the rights individuals have to privacy
  • Identify the basic “consent rules” of privacy and the exceptions to those rules
  • State the situations where your organization can collect, use and disclose PHI with and without consent
  • Understand the role of the IPC/O
  • State the possible consequences for privacy breaches and poor privacy practices with knowledge of current cases and referrals for prosecution
  • Identify the 7 main sources of the privacy laws, rules and best practices in Ontario
  • Use our 15 point Privacy Program Checklist to evaluate how well your organization is doing with its own privacy compliance and present an update to your Board
  • Articulate a strategy for your organization’s privacy program launch or refresh
  • Organize your privacy binder/electronic folder by using our Privacy Program Documentation Checklist
  • Launch or refresh your orientation program for new staff, students and volunteers to include:
      • Privacy policies (samples provided)
      • All staff training (in-house training is an optional extra service we can provide to you)
      • Confidentiality pledge (sample provided)
      • Board training (customizable PowerPoint provided)
  • Launch or refresh your privacy program to include:
      • Timelines for updating privacy policies
      • Schedule for annual training
      • Annual confidentiality pledge (sample provided)
      • Email reminders/newsletters to all staff on a regular basis (a subscription is an extra service option for receiving monthly emails to send to all staff)
      • Follow-up with all staff if there is a privacy breach
      • Random audits (messaging to staff, frequency and scope)
      • Responses to common challenges in engaging staff, physicians, students and volunteers
  • Identify the 3 categories of safeguards under PHIPA: physical, administrative, and technological; and common examples of how to protect the PHI you hold 
  • Read and understand a PIA and TRA 
  • Determine when you can conduct your own and when to solicit an external PIA or TRA 
  • Conduct random audits of an electronic health record system and identify suspicious activity 
  • Identify and respond to the areas of greatest risk for health care organizations 
  • Differentiate between express consent, implied consent and no consent
  • Understand the difference between consent and notice
  • Understand who can make substitute decisions and under what circumstances (especially for young children, incapable adults or deceased persons)
  • Have a conversation about integrating “consent management” into your electronic systems 
  • Explain the circle of care to patients and staff
  • Identify the key opportunities and issues of concern with shared care models (such as HealthLinks)
  • Explain a lockbox to patients and staff (brochure and information sheet provided)
  • Identify what a lockbox looks like in an electronic health record
  • Provide sample language to your clinicians for communicating with external health care providers when there is a lockbox restricting disclosure
  • Explain to patients and staff when you need patient consent to engage in an activity and when you do not
  • Strategize within your own organization about who is authorized to engage in secondary uses and disclosures – and who is not
  • Identify the key opportunities and issues of concern when participating in large health sector quality, efficiency and reporting initiatives
  • Understand the key elements of a data sharing agreement
  • Identify a situation where you are being asked to act as a health information network provider, and understand the responsibilities of that role and the potential consequences of failing to meet them
  • Process simple access and correction requests (and identify situations where you need expert advice)
  • Address individual requests for access to “family records” where there is a single record for multiple patients (e.g. in some counselling settings, or in situations where information about a newborn remains in the mother’s record)
  • Identify key situations where your organization is required by law to disclose PHI (mandatory disclosures)
  • Avoid an order for deemed refusals of access
  • Respond to common complicated situations in third party disclosure, with or without consent
  • Conduct your own privacy breach investigation
  • Determine when to ask for an external investigator to complete an investigation
  • Notify affected patients in the case of a privacy breach
  • Write a privacy breach report
  • Anticipate how to work with the IPC/O
  • Manage common questions from the media
  • Determine the level of detail to share with other staff not involved in the breach
  • Determine the appropriate disciplinary consequences for a privacy breach
  • Update your policies and privacy practices to reflect these new developments 

Cancellations & Substitutions

A substitute is welcome to attend in your place. Cancellations are accepted with refund (less a $60 administrative fee) up to 10 days prior to the event, otherwise no refund is available.  

It may be necessary for us to change the date, venue, content and/or speakers with little or no notice, and we accept no liability for such course changes. We are really excited that you will join us and that you will feel more confident in your role. See you there!

Order Summary
Privacy Officer Training ($1699.00 plus HST 13%)

If you have any questions, please contact Franca Latino at flatino@ddohealthlaw.com

DDO Health Law

1200 Bay Street, Suite 405, Toronto, ON M5R 2A5. Tel: 416-967-7100 ext. 1242