The Essentials of a Privacy Breach Management Protocol
Under the Personal Health Information Protection Act, 2004 (“PHIPA”), all health care service providers are responsible for protecting the personal health information in their custody or control, and for appropriately responding to privacy breaches as soon as they arise. In addition to their PHIPA obligations, individuals and organizations that provide health care (“health information custodians”) are expected to comply with the standards set by the Information and Privacy Commissioner of Ontario (“IPC”) surrounding the collection, use and disclosure of personal health information.
The IPC published a document last year setting out best practices for preventing unauthorized access to personal health information, which we previously wrote about here on our blog. Today, we are delving further into the IPC’s recommendations regarding preventing and responding to privacy breaches and, in particular, the specific advice it provided to health information custodians regarding their obligation to develop and implement privacy breach management policies and procedures.
The IPC has identified six key steps in the breach management process – identification, reporting, containment, notification, investigation, and remediation – as the essential elements that health information custodians must address in their privacy breach management policies and procedures. What follows is a summary of the obligations associated with each step in the breach management process that the IPC recommends be outlined in privacy breach management policies and procedures.
1. Identification
Staff have an obligation to notify the health information custodian as soon as they become aware that personal health information is (or may have been) stolen, lost or accessed by unauthorized persons.
The policies and procedures should set out who should be notified and the time within which the notification must be communicated.
2. Internal Reporting
All staff should be aware of when and to whom the fact of a privacy breach should be reported. The policy and procedures should clarify the circumstances in which a privacy breach must be reported to others, including the police, health regulatory colleges and the Information and Privacy Commissioner of Ontario.
3. Containment
Health information custodians must immediately take reasonable steps to contain the privacy breach and to protect personal health information from further theft, loss or unauthorized use or disclosure, such as immediately suspending access to personal health information by the agent suspected of causing the privacy breach.
4. Notification
PHIPA requires health information custodians to notify individuals at the first reasonable opportunity if their personal health information is lost, stolen or accessed by unauthorized persons.
The policies and procedures should set out who is responsible for providing notification and the information to be provided.
The IPC recommends that the following information be included when notifying individuals that their personal health information may have been inappropriately accessed, used or disclosed:
The name of each individual who caused the privacy breach;
The date and time of the privacy breach;
A description of the nature and scope of the privacy breach;
A description of the personal health information that was subject to the privacy breach;
The measures implemented to contain the privacy breach;
Notice that, following the investigation, the health information custodian will provide the individual with a summary of the results of the investigation and the measures that have been or will be implemented to remediate the privacy breach and to prevent similar privacy breaches in the future;
The steps the individual can take to protect his or her privacy or to minimize the impact of the privacy breach;
The name and contact information for the person to whom the individual may address inquiries and concerns; and
Information concerning how to make a complaint to the Information and Privacy Commissioner of Ontario.
5. Investigation
An investigation of all privacy breaches must be conducted.
The policies and procedures should identify who is responsible for conducting the investigation, the nature and scope of the investigation, the process to be followed in conducting the investigation, and the process by which findings will be communicated and implemented.
6. Remediation
Health information custodians should keep a log of all privacy breaches.
Health information custodians should also audit and monitor the log of privacy breaches in order to identify patterns or trends in privacy breaches, and to ensure that appropriate administrative, physical or technical safeguards are implemented to remediate the privacy breaches and to prevent or minimize privacy breaches in the future.
Unfortunately, privacy breaches are not always preventable and even unintentional breaches can have significant consequences, including causing irreparable damage to your organization’s reputation. In order to minimize such harm, your organization’s immediate response to a privacy breach or to a complaint under PHIPA is critical. Now is the time to review your organization’s breach management practices and PHIPA compliance – not after a privacy breach has occurred!
Don’t Go It Alone!
The manner in which a privacy breach is managed can often make the difference between a mistake that was fixed without lasting consequences and a major error that costs the agency significantly in terms of reputational harm, loss of trust and professional fees. For that reason, we recommend that even experienced health information custodians seek help in managing breaches. We have helped many health sector clients manage privacy breaches, both minor and significant. Our goal is always to help the custodian manage the breach responsibly, professionally, and in the way that mitigates the harm done by the breach to the greatest extent possible.
Rosen Sunshine has the expertise to assist you with the development of privacy breach management policies and procedures. We can also provide privacy training workshops to educate your staff regarding their privacy obligations.
For more information on how we can place you or your organization in the best position possible to respond to a privacy breach or a complaint under PHIPA, please contact us.