Privacy Incident & Breach Management Policy Change Summaries
Effective Date: February 27, 2026
This summary describes revisions made to the Privacy Incident & Breach Management Policy between the prior version dated May 8, 2024 and the updated version dated February 27, 2026.
1. Terminology and Definitions
A. Introduction of “Privacy Event” Framework
The updated policy formally introduces and consistently uses the defined term “Privacy Event” to describe deviations involving Protected Health Information (PHI) or Personal Information (PI), and clarifies that Privacy Events include both Privacy Incidents and Privacy Breaches.
B. Inclusion of Personal Information (PI)
The updated policy explicitly includes Personal Information (PI) alongside Protected Health Information (PHI) throughout the document, including in definitions and breach descriptions.
C. Cross-Reference to Privacy Policy and Jurisdictional Terminology
The Definitions section now:
- References the Caredove Privacy Policy for related definitions.
- Clarifies Canadian and U.S. terminology (e.g., HICs / HINPs / Agents; Business Associate / Covered Entity).
- States that “Health Information Custodian (HIC)” under PHIPA may be interpreted equivalently to “Covered Entity” under HIPAA where applicable.
D. Revised Exclusions Section
The exclusions section has been reorganized and reformatted:
- Exclusions are now presented as structured bullet points.
- Illustrative examples have been added to clarify scenarios such as accidental access and incidental disclosures.
- The language now references assessment under applicable privacy laws and confirmation of compliance with the Caredove Privacy Policy.
2. Clarifications to Breach Definitions and Risk Assessment
A. Expanded Description of Breach Events
The definition of a Privacy Breach now expressly includes loss or theft of PHI/PI in addition to unauthorized acquisition, access, use, or disclosure.
B. Presumption of Breach Language
The presumption-of-breach section has been revised to:
- Refer to a documented risk assessment.
- Clarify that breach determinations may involve Caredove Inc. or external stakeholders.
- Refine and reorganize risk assessment factors, including probability of misuse and ongoing risk.
C. Risk Assessment Language Updates
The updated policy:
- Applies the “reasoned judgment” standard to “Privacy Events.”
- Clarifies that recommendations relate to notification to a Health Information Custodian (HIC) (or Covered Entity).
- Maintains the enumerated risk assessment factors with minor wording adjustments for clarity.
3. Reporting and Notification Revisions
A. Reporting Obligations
The Reporting section has been updated to:
- Clarify that timely notification applies to Privacy Breaches involving Caredove of which Caredove becomes aware.
- Require reporting of suspected Privacy Incidents and Privacy Breaches.
- Add a provision requiring organizations using Caredove to notify Caredove if they identify a potential security event or determine they are the source of a Privacy Breach.
- Note that certain breaches involving a real risk of significant harm may require reporting to privacy regulators, depending on jurisdiction.
B. Notification Terminology
References to “Covered Entity” have been revised to refer to Health Information Custodian (HIC) (or Covered Entity), aligning with the clarified jurisdictional terminology.
C. Content of Notification
Minor wording updates were made to reflect “Privacy Breach discovery” and to align terminology consistently with defined terms.
4. Investigation and Procedure Updates
A. Investigation Activities
The Investigation section now expressly includes:
- Interviewing Caredove user organizations (as needed).
- Conducting forensic investigations, depending on the nature of the Privacy Event (language clarified).
B. Consistent Terminology
The updated policy standardizes references to:
- “Privacy Incident” and “Privacy Breach”
- “Privacy Event”
- “Privacy Breach Management Report”
C. Formatting and Structural Revisions
The document has been reformatted and reorganized for clarity, including:
- Standardized headings and bullet formatting.
- Clearer separation of phases (Identification & Containment; Investigation & Risk Assessment; Communication & Notification).
- Alignment of terminology across sections.
5. No Fundamental Changes
The core structure of the policy remains the same, including:
- The three-phase response framework (Identification & Containment; Investigation & Risk Assessment; Communication & Notification).
- The role and authority of the Chief Privacy Officer.
- Notification timelines (“without unreasonable delay” and no later than 60 days, as required by law).
- Logging and document retention requirements (minimum six years).
- Jurisdictional compliance statements (HIPAA, PIPEDA, PHIPA).
No fundamental changes were made to the overall privacy incident and breach management framework.
For questions regarding this policy update, please contact the Caredove Privacy Officer as identified in the current policy.