Building Trust in Digital Healthcare

According to a recent blog by the province’s Information and Privacy Commissioner (IPC), Patricia Kosseim, Ontarians are demanding improvements to health care, and this will require innovative approaches and digital solutions. For Privacy Day 2023, the IPC hosted an event on the theme of  Building Trust in Digital Health Care. Trust in Digital Healthcare is one of the IPC’s Strategic Priorities for 2021 – 2025, and achieving this requires guiding custodians to respect the privacy and access rights of Ontarians, and supporting the use of personal health information for research and analytics to the extent it serves the public good. The Commissioner pointed to four fundamental conditions for earning trust in digital health care: eliminating fax machines, stopping employee snooping, defending against cyberattacks, and building a transparent and privacy-respectful culture. 

Axing the Fax

As noted in our recent blog about the alarming number of privacy breaches linked to fax machines, in 2021, almost 5,000 reported health information privacy breaches were due to misdirected faxes. In fact, misdirected faxes are the leading cause of unauthorized disclosure of personal health information in Ontario and so, perhaps not surprisingly, greater penalties for those who don’t take meaningful preventative measures could be on the way.  

In late January, the IPC announced that it had concluded its review of the high number of privacy breaches at St. Joseph’s Healthcare Hamilton. In 2020, the hospital submitted its annual statistical report revealing 1,006 unauthorized disclosures of PHI with 981 disclosures due to misdirected faxes. The hospital claimed that over-reporting and an increased use of fax transmissions during the COVID-19 pandemic contributed to the high numbers.

After working collaboratively with the hospital, the IPC reports that great strides were made towards reducing the risk of sending faxes to wrong individuals by implementing an “e-referral first” policy for referrals for primary care providers. The hospital is working with regional healthcare system partners to replace fax usage with more secure electronic solutions. In the meantime, if a fax must be used to communicate with those who have not adopted such solutions, hospital staff ask patients to re-confirm information on their file for their primary health care provider when they visit the hospital. Other safety measures, such as checking to ensure a physician’s fax number is correct before sending a document, are also being implemented.

The Commissioner reiterated the IPC’s standing offer to help to work with governments, regulatory colleges, health institutions, providers and others to put an end to fax machines that unnecessarily expose Ontarians to potentially harmful privacy risks and undermine trust in our healthcare system.

Snuffing Out Snooping

Employee snooping was also addressed as another persistent issue that erodes public trust. In 2022, a disconcerting 29 per cent of self-reported health privacy breaches were attributed to snooping – be it out of malice, personal gain, curiosity or well-meaning concern. Amendments to the Personal Health Information Protection Act in 2020 gave the IPC the power to impose administrative monetary penalties (AMPs) to those who break this law.

While the regulations that permit AMPs have not yet taken affect, they are coming, and custodians are advised to take preventative measures now. The Commissioner suggests awareness training to prevent inappropriate access, no matter how well-meaning.

Preventing Cyberattacks

A third area of focus in the Commissioner’s blog was the prevention of cyberattacks. Noting that the number of health privacy breaches due to cyberattacks reported to the IPC in 2021 was double that of 2020, and that this is part of a rising global trend in cyberattacks worldwide, the Commissioner warned that cyberattacks have become a dangerous and pervasive threat to the security of personal information in all sectors, including the health sector. 

The clear advice from the Commissioner was that custodians must take steps to protect themselves in terms of cybersecurity, including questions of insurance. These tips are outlined in the IPC’s recently updated fact sheet on protecting against ransomware attacks.

A Culture of Privacy

Summarizing advice from speakers at the IPC’s Privacy Day program, the Commissioner reiterated some of the key elements in building a culture of transparency and privacy:

• Privacy and security starts from the top, with the directors and leaders of the organization making privacy protection a priority

• Privacy and IT security should be integrated cross-functionally and as part of a broader enterprise risk management framework

• In a culture of privacy, staff at all levels of the organization recognize and take pride in their role of protecting patient privacy

• Education of clients and patients as well as staff on privacy can help instill a culture of privacy and accountability

Looking Ahead

The Commissioner was looking to the Federal-Provincial funding transfer agreement, then in the works, to support the implementation of changes that would improve the way personal health information is managed and support the building of trust in digital health care.  According to the Agreement in Principle reached between the Governments of Canada and Ontario last month, federal funding will help provide Ontarians with improvements in health care that includes access to their own electronic health information that is shared between the health professionals they consult.

In the meantime, health care providers should use the tools they have to instill a culture of privacy within their organizations. If you have questions or concerns about reducing the risk of privacy breaches within your organization, please contact us.