Advice for Health Professionals: Managing Privacy Breaches

In this video, Lonny Rosen advises health professionals on the steps they need to take in preventing and managing a privacy breach. Preventative steps include implementation of effective policies and a privacy breach protocol, conducting audits, and educating all staff on privacy practices. Recommended steps following a breach include containment and investigation of the breach, notification of individuals whose privacy has been breached (and in some cases, the Information and Privacy Commissioner of Ontario), and review and analysis of how the breach occurred, to ensure it does not happen again.



Toronto Health Lawyer, Lonny Rosen, has some advice for health care providers who realize they may have breached the privacy of their patients or clients. Well Lonny, how can it happen?

Well, a health care provider or [health] practitioner who provides health care services to clients can realize that they have breached the privacy of their clients for many reasons. It can be a simple human error, inadvertent sending of documents by fax or email, or it can be a failure to abide by policies, like having information on a mobile device, like a memory stick, that wasn’t encrypted.

Well, what can they do in these circumstances?

Responding to a privacy breach actually requires steps taken long before a privacy breach occurs. Health information custodians or any health care provider should put themselves in as good a position as possible to respond to a privacy breach well before the breach occurs. This includes: having a privacy policy, having an effective privacy statement and having a privacy breach protocol to which they can refer in these circumstances.

Well, what are the elements of that?

A privacy breach protocol would contain a number of elements including: first, containment, ensuring that the breach is contained and that the harm is limited; second, [an] investigation, determining how the breach occurred and what can be done in order to prevent it from happening again. Notification is a key element of a privacy breach protocol because the law requires that individuals be notified if their personal health information was lost or accessed inappropriately. Informing the Privacy Commissioner is something that would be considered as part of that notification protocol as well, and then finally taking steps to ensure that it doesn’t happen again.

Why does the Privacy Commissioner get involved?

Well, the Privacy Commissioner can be involved in several ways. First, a custodian may well be advised to report to the Privacy Commissioner when they discover a breach has occurred. Second, if the person is notified of a privacy breach, they may notify the Privacy Commissioner themselves. In those circumstances the Commissioner will investigate the breach.

How can this be prevented?

Privacy breach prevention requires a number of things. First, an effective policy and statement. But more importantly, education and training of the front line staff [that] collect, use and disclose personal health information. Further, audits of privacy practices and ensuring that staff and agencies or health care providers are not accessing health care records inappropriately or dealing with records contrary to the policy.
