Prevention of Privacy Breaches: Guidance from the Commissioner

The Information and Privacy Commissioner of Ontario (“IPC”) recently released a new resource document, “Detecting and Deterring Unauthorized Access to Personal Health Information”, which provides direction on how to minimize the risk of unauthorized access to personal health information (“PHI”). This is an essential document for all individuals and organizations that have custody or control of PHI for the purpose of delivering health care (“health information custodians”).

Unauthorized access occurs where an agent of a health information custodian, such as an employee, independent contractor, physician with privileges or volunteer, uses or discloses PHI, without consent, for purposes that are not permitted or required by the Personal Health Information Protection Act, 2004 (“PHIPA”).

In its new resource document, the IPC explains that unauthorized access is a growing problem in Ontario with significant consequences for individuals, health care organizations and their agents, and the entire health sector. In order to combat this issue, the IPC recommends that health information custodians take the following steps to minimize the risk of privacy breaches caused by unauthorized access to PHI:

  • Develop and implement comprehensive privacy policies and procedures that set out the expectations and obligations of all agents and review these policies on an annual basis.

  • Provide mandatory initial and ongoing annual privacy training to all agents.

  • Use privacy notices and privacy warning flags on electronic information systems to remind individuals of their obligations and of the consequences of unauthorized access to PHI.

  • Ensure that agents sign confidentiality agreements prior to the start of their employment, contractual or other relationship with the health information custodian and every year thereafter.

  • Require users of the health information custodian’s electronic information system to sign end-user agreements prior to obtaining access to electronic PHI.

  • Develop and implement policies and procedures to restrict access to PHI on a need-to-know basis.

  • Log, audit and monitor access to electronic PHI on an ongoing, targeted and random basis.

  • Develop and implement a privacy breach management protocol to address the identification, reporting, containment, notification, investigation and remediation of suspected or actual privacy breaches.

  • Impose consistent, appropriate and proportionate discipline and corrective action for privacy breaches.
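The need-to-know and log-audit recommendations above can be operationalized as a routine review of electronic-system access logs. The following is an added illustration, not part of the IPC resource document or of Rosen Sunshine's materials: it assumes a hypothetical CSV export of access events (timestamp, user, role, patient, action) and a hypothetical roster of active care assignments, both constructed here for the example. The targeted audit flags any access to a patient record by an agent who has no active care relationship with that patient; the random audit draws a reproducible sample of events for manual review, which is what "ongoing, targeted and random" monitoring looks like in practice.

```python
import csv
import io
import random
from collections import Counter
from dataclasses import dataclass

# Constructed sample access-log export (hypothetical EHR format, not a real system's).
ACCESS_LOG = """timestamp,user_id,role,patient_id,action
2015-01-05T09:12:00,nurse42,nurse,P1001,view
2015-01-05T09:15:00,nurse42,nurse,P1002,view
2015-01-05T11:40:00,clerk07,clerk,P2001,view
2015-01-05T23:05:00,nurse42,nurse,P3003,view
2015-01-06T08:00:00,drlee,physician,P1001,update
2015-01-06T08:30:00,drlee,physician,P2001,view
"""

# Constructed roster: which patients each agent is currently assigned to care for.
# In a real custodian this would come from scheduling or admission data.
CARE_ASSIGNMENTS = {
    "nurse42": {"P1001", "P1002"},
    "drlee": {"P1001"},
    "clerk07": {"P2001"},
}


@dataclass(frozen=True)
class AccessEvent:
    timestamp: str
    user_id: str
    role: str
    patient_id: str
    action: str


def parse_access_log(text):
    """Parse the CSV export into AccessEvent records (column names match the fields)."""
    reader = csv.DictReader(io.StringIO(text))
    return [AccessEvent(**row) for row in reader]


def targeted_audit(events, assignments):
    """Need-to-know check: return events where the agent had no active care
    assignment for the patient whose record was accessed. Each hit is a
    candidate for follow-up under the breach management protocol."""
    return [e for e in events if e.patient_id not in assignments.get(e.user_id, set())]


def random_audit(events, sample_size, seed):
    """Random review: draw a reproducible sample of events for manual inspection.
    The seed is recorded so the same sample can be regenerated later."""
    rng = random.Random(seed)
    return rng.sample(events, min(sample_size, len(events)))


def flagged_by_user(flagged):
    """Count flagged accesses per agent, to prioritize investigation."""
    return Counter(e.user_id for e in flagged)


if __name__ == "__main__":
    events = parse_access_log(ACCESS_LOG)
    flagged = targeted_audit(events, CARE_ASSIGNMENTS)
    for e in flagged:
        print(f"FLAG {e.timestamp} {e.user_id} ({e.role}) accessed {e.patient_id}: no care assignment")
    print("per-user counts:", dict(flagged_by_user(flagged)))
    print("random sample for review:")
    for e in random_audit(events, 2, seed=20150105):
        print(f"  {e.timestamp} {e.user_id} {e.patient_id} {e.action}")
```

Run as a script it prints the two accesses without a care assignment (nurse42 on P3003 and drlee on P2001), a per-user count, and a two-event random sample. The same functions can be scheduled daily against a real export; the important design point is that the roster of care assignments, not the agent's role, is what decides need-to-know.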

It is important that health information custodians review their existing privacy policies and procedures in light of the IPC’s recommendations.

Rosen Sunshine has extensive experience assisting health care professionals and organizations to meet their obligations under PHIPA and to prevent and manage privacy breaches. Our privacy services include assistance in the development of privacy policies and procedures; privacy impact assessments; compliance audits; and in-person and web-based privacy training workshops for staff who deal with health records.

Please contact us to assist you in ensuring that your organization has appropriate privacy policies, procedures and training in place to comply with your legal obligations and to minimize the risk of a privacy breach.
