Preventative audits required to minimize risk of privacy breaches
"It is absolutely advisable” for hospitals to do regularly scheduled proactive audits of their patient records to check for privacy breaches, Toronto health lawyer Elyse Sunshine tells the Toronto Star.
“In fact, it helps instill a culture of privacy in the organization,” she says.
Sunshine, partner at Rosen Sunshine LLP, advises health professionals on privacy issues and says it’s “risky behaviour” for hospitals to only conduct audits on a targeted basis.
She makes the comments in connection with an article that details how the newspaper learned at least three GTA hospitals don't proactively audit patient records to detect privacy breaches.
One hospital — Providence Healthcare — continues to use a paper-based system of patient records and has said it couldn't conduct such audits until it implements a new, electronic system, says The Star.
"In recent months, thousands of patients at hospitals across the region have had their confidential medical records accessed for no medical reason," says the article.
In addition, Ontario's privacy commissioner has released a damning report on Rouge Valley Centenary Hospital, where there was a large privacy breach involving more than 14,000 patients; that faciility still lacks the capability to track staff access to confidential files, says The Star.
"There are no specific audit requirements in the province’s Personal Health Information Protection Act, which sets out rules health-care providers must follow when collecting and disclosing personal health information. It is left up to health-care providers to determine how best to comply with privacy requirements, and what disciplinary measures should be taken if a breach has occurred," says the newspaper.
The Star contacted 24 health-care institutions, of which 22 said they do conduct some form of an audit, but "their frequency and scope varies widely among facilities," says the newspaper.
"Bridgepoint Health says it conducts audits on its system daily, and reviews the information weekly. Providence Healthcare, however, has no proactive auditing at all. Of the 22 hospitals that have auditing procedures in place, the frequency of those audits varies widely: daily (1), weekly (2), monthly (10), every two to three months (1), quarterly (1), no set frequency (6), unclear frequency (1)."
Privacy Commissioner Brian Beamish says in the article that it "would be difficult to implement a uniform policy on frequency and scope of audits because each health-care institution varies in size and resources."
