On October 30, 2019, the Information and Privacy Commissioner of Ontario (“IPC”) released a decision (the “IPC Decision”) that highlights some of the risks inherent in shared electronic patient records systems (“shared systems”) and provides guidance to Health Information Custodians (HICs) using such systems. The IPC Decision relates to an investigation by the IPC into reports from three hospitals of unauthorized access by six agents to information stored in their shared system. In four of these cases, agents (employees, staff and volunteers of HICs who collect, use or disclose personal health information (“PHI”) for the HIC’s purposes and on behalf of the HIC) from one HIC accessed the records of other HICs without authorization. In its investigation of the six breaches, the IPC identified several systemic issues related to the hospitals’ shared system. While the IPC ultimately determined that a review was not required in this matter, its investigation of the breaches provides several helpful takeaways for HICs that are already part of, or looking to implement, a shared system.
In compliance with the Personal Health Information Protection Act, 2004 (“PHIPA”), HICs are required to take steps that are reasonable in the circumstances to safeguard personal health information from theft, loss, or unauthorized access or disclosure. HICs using shared systems face additional challenges in safeguarding patient records. In a shared system there are increased opportunities for unauthorized access and, therefore, ensuring appropriate safeguards requires coordination across the shared system. Whenever there are developments in operations, technology or legislation, HICs need to review their safeguards, including privacy policies, procedures and practices, audit functionality and training, to ensure that these all continue to be reasonable in the circumstances. The IPC states in the Decision that “[t]he need to keep abreast of these developments is particularly important in a shared system with multiple custodians and widely shared access.”
Below are some important takeaways from the Decision regarding best practices for shared systems:
- Ensure that all responsibilities under PHIPA are clearly assigned in a formal agreement between the HICs and the health information network provider (HINP).
- Implement a unified privacy breach management policy that includes procedures addressing identification, reporting, containment, notification, investigation and remediation of suspected and actual privacy breaches in the shared system with clearly identified roles and responsibilities.
- Where there are technological barriers to implementing a lock-box (the ability of a patient to limit access to certain records or portions of records) in a shared system, the HIC remains responsible for preventing unauthorized access to a patient’s file. The lock-box provisions of PHIPA should be raised with any patients with privacy concerns so that they can explore the options available within the shared system.
- Privacy training should be provided to all agents. Such training should be comprehensive and frequent, and meet consistent minimum training standards across the HICs with access to the shared system. Training should be tracked and provided annually and prior to agents gaining access to the shared system for the first time.
- Establish minimum standards across the shared system requiring that agents sign confidentiality agreements on an annual basis.
- Include privacy notices reminding agents of their obligations and the consequences of unauthorized access. Such notices should be displayed when accessing the shared system and when accessing a record created by another HIC.
- Implement consistent auditing policies requiring random and targeted audits.
- Audits should display the length of time a user accesses the various screens of a patient’s record.
For questions about the IPC Decision, best practices for shared systems, or about the training that all participants in a shared system should provide to their agents, please contact us.