OCP Warns about Patient Privacy in Electronic Messaging
In May 2023, the Ontario College of Pharmacists (“OCP”) noted that it has been seeing an increase in the use of unsecured electronic methods by pharmacy professionals. These include communications with other pharmacists, healthcare professionals, and patients for purposes such as information gathering, the provision of care, consultations, education, and administrative tasks. While electronic messaging (such as emailing, texting, WhatsApp etc.) can be a convenient and quick way to communicate with other pharmacists, healthcare professionals, or patients, these unsecured communication challenges pose risks whenever personal health information is shared. This blog will review best practices for protecting personal health information when using electronic communication methods to ensure that patient privacy is protected.
Personal Health Information Protection Act Obligations
The Personal Health Information Protection Act, 2004 (“PHIPA”) applies to a wide variety of persons and organizations defined as Health Information Custodians (“HICs”). PHIPA also applies to agents who are authorized to act for or on behalf of HICs. HICs are defined in PHIPA to include a person who operates a pharmacy.
Pharmacists and pharmacies are required to comply with PHIPA. PHIPA establishes rules for protecting the confidentiality of personal health information while also facilitating effective health care. Under PHIPA, HICs must ensure that personal health information in their custody or control is retained, transferred, and disposed of in a secure manner, and must also take reasonable steps to protect personal health information from theft, loss, and unauthorized use or disclosure. This includes when information is transferred by way of electronic communication.
Risks of Unsecured Electronic Messaging
Unsecured electronic messaging poses risks whenever personal health information is shared. Examples of risks include the following:
A pharmacist may accidentally send an electronic message to an unauthorized individual;
An electronic message may be shared with a third party without the pharmacist’s knowledge or consent;
An electronic message can be hacked or intercepted by a hacker. This risk is heightened when using an unsecured network, such as public internet;
An electronic message can be retained on a device. For example, the patient may indefinitely retain an electronic message containing a prescription; and
A device can be lost or stolen.
Pharmacists and patients are harmed when unauthorized individuals access electronic messages containing personal health information. The Information and Privacy Commissioner of Ontario (“IPC”) has noted that affected patients may suffer from stigmatization, discrimination and psychological harm. Affected pharmacists, on the other hand, could be investigated by the IPC, their employer, and/or the OCP. Moreover, the relationship between the pharmacist and the patient can be harmed by a privacy breach. Pharmacies therefore ought to implement privacy practices to maintain patient trust and to ensure compliance with PHIPA.
Best Practices to Maintain Patient Privacy in Electronic Messaging
The OCP and IPC have recommended some best practices when communicating personal health information via electronic messaging platforms. These include the following:
Secure the technology: A pharmacy’s technology platform should have strong passwords, two-factor authentication, firewalls and anti-malware protection, and the most privacy protecting setting. The platform should also be regularly tested and applications should be updated to incorporate the latest security patches.
Encrypt electronic messages: Emails between pharmacists, as well as between pharmacists and other healthcare professionals within the circle of care, are expected to be encrypted, excluding exceptional circumstances (e.g., emergencies that require urgent responses). In addition, emails between pharmacists and patients should be encrypted.
Seek consent for unencrypted electronic messaging: If emails between pharmacists and patients cannot be encrypted, the pharmacist should seek the patient’s express consent before emailing personal health information. Patients should be informed about the type and purpose of the electronic message, the electronic message processing, and the respective risks. In addition, consider the following information before sending an unencrypted email to a patient:
o whether the information is very sensitive;
o whether the information is administrative (e.g., booking appointments) or consultive (e.g., discussing a prescription);
o whether the patient expects email communications;
o whether other communication methods exist; and
o whether an urgent response is required.
Limit the sharing of personal health information: Electronic messages should only contain the minimum amount of personal health information necessary for the purpose of the communication.
Implement patient privacy policies: Pharmacies are expected to implement a policy regarding electronic messaging of personal health information. In addition, pharmacists are expected to practice the pharmacy’s patient privacy policy. Patients should also be informed of these policies.
Learn patient privacy practices: Pharmacists should be trained on maintaining patient privacy in electronic messaging, and this training should be updated regularly on an ongoing basis.
Retain electronic messages only as needed: Electronic messages containing personal health information should be stored on email servers or devices for only as long as is necessary to serve the intended purpose. Once the electronic message is documented in the patient’s record, the electronic message saved on email servers or devices can be deleted. Audit logs should be maintained to keep track of these activities.
Takeaways
The IPC is clear that HICs, including the owners of pharmacies, are expected to take a proactive approach to cybersecurity, and this includes ensuring that electronic communication methods are secure. While electronic messaging may be quick and easy, and is increasingly being used in healthcare settings, pharmacies and pharmacists are advised to ensure that their communication methods protect patient privacy in accordance with PHIPA before disclosing personal health information via electronic communication. This recommendation also extends to other healthcare professionals who communicate patient information electronically.
Are your privacy practices up to date? To learn more about privacy training and audits to prevent privacy breaches or mitigate their harm, click here. Please contact us for assistance in reviewing your privacy policies, or to book a privacy training workshop.