What the HIC?: Preventing and Responding to Privacy Breaches in Health Care Organizations
I recently attended an interesting and informative program put together by Osgoode Hall Law School titled “The 2020 Legal Guide to Privacy & Information Management in Healthcare”. Below are my key takeaways from the program, including best privacy practices and how to deal with a potential privacy breach in your health care organization.
What is PHIPA?
The Personal Health Information Protection Act, 2004 (“PHIPA”) is Ontario’s health privacy statute. It governs how an individual’s personal health information may be collected, used and disclosed.
The Information and Privacy Commissioner of Ontario (“IPC”) oversees compliance with PHIPA by health information custodians (“HICs”), receives breach notifications and investigates complaints of alleged breaches.
Who is a HIC?
The PHIPA definition of HICs is broad and includes health care practitioners (for example, doctors, nurses, midwives, dental professionals, physiotherapists, massage therapists), hospitals, pharmacies, laboratories, nursing homes and ambulance services, amongst others.
Recent proposed changes to PHIPA seek to extend the scope and application of the enshrined privacy protections to include not-for-profit organizations, charities, professional associations, trade unions and political parties.
What is Personal Health Information?
Health care providers and organizations hold some of the most sensitive information that exists about an individual. Broadly speaking, personal health information is identifying information about an individual that relates to the individual’s physical or mental health, including the individual’s health history and the care provided to them.
While there are obvious identifiers (name, address, date of birth), it is not always obvious what other information is capable of identifying an individual and therefore counts as personal health information. For example, the health history of an individual’s family, or a note recording a patient’s location in a particular hospital, may be enough to identify the individual.
What Constitutes a Privacy Breach?
Similarly, it is not always obvious which situations amount to a breach of personal health information.
Examples we have come across in our practice are:
- a lost cellphone (which contains email or other accessible applications with personal health information);
- a stolen laptop or notebook (after having been left overnight in an unlocked car);
- records that were not properly disposed of (left in an unsecured bin rather than a locked shredding box, and placed in the garbage by cleaners rather than shredded);
- records that were not properly stored (unlocked filing cabinets);
- use of an answering machine (as opposed to a voicemail system), where messages play aloud and can be overheard by anyone in the room; and,
- disclosure of personal health information to health professionals outside of the service user’s immediate circle of care.
How to Respond to a Potential Privacy Breach?
In practice, and while we can assist in developing preventative risk management and privacy policies, PHIPA most often crosses our desks where HICs are required to take remedial steps in the wake of a breach.
If you find yourself dealing with a potential privacy breach, the necessary steps in keeping with PHIPA are as follows:
- Make efforts to contain the breach (for example, retrieve misdirected records, suspend compromised accounts or remotely wipe a lost device where that is possible);
- Identify and remedy the cause and origin of the breach and put a system in place to avoid any future recurrence, including remedial training of HICs and non-HICs as necessary;
- Notify the affected individual(s) at the first reasonable opportunity; and,
- Report the breach to the IPC, via its online portal or in writing, where the circumstances prescribed under PHIPA require it (for example, where personal health information was stolen, or used or disclosed without authority).
Best Privacy Practices
1. Appoint a Privacy Officer
To ensure continuity of standards, it is best practice to appoint a privacy officer charged with, for example:
- updating privacy policies and training as necessary and in the context of the ever-evolving regulatory framework;
- conducting an annual risk assessment; and,
- testing / maintaining digital platforms to identify and mitigate vulnerabilities.
2. Identify and train those with access to personal health information
As a risk mitigation strategy, it is key to first identify and provide privacy training to those individuals in your organization who have access to personal health information, regardless of whether or not that individual is considered a HIC for the purposes of PHIPA:
- Take a practical inventory of those who may have incidental access to personal health information, including administrative staff, cleaning staff, students, volunteers and/or contractors. The relatively new Ontario Health Team (“OHT”) model of care adds another layer of consideration in this regard, since an OHT will likely include both HICs and non-HICs.
- Regardless of whether PHIPA applies or not, ensure all those with access to personal health information receive appropriate and periodic training on the privacy protocols of your organization. Helpful tools are available from the IPC and likely your health profession’s regulatory body in this regard.
3. Ensure all privacy policies and protocols are user/reader friendly and accessible to all those affected by them, including HICs, non-HICs (as identified above) and service users
Offer policies written in clear and plain language about:
- the purposes for which personal health information is collected;
- what personal health information is to be collected;
- how personal health information is to be collected;
- how personal health information is to be used; and,
- which third parties the personal health information can be shared with.
4. Consider having all those with access to personal health information execute a confidentiality agreement
5. Ensure all personal health information, whether in paper or electronic form, is stored securely
6. Develop a Work From Home policy
With the practice of virtual healthcare ever evolving in the wake of the COVID-19 pandemic, and with social distancing restrictions generally, your organization would be well advised to develop a Work From Home policy that specifically addresses privacy concerns in the health care context.
Some basic examples would be:
- Do not leave a computer unattended or unlocked;
- Use only a secured wireless connection (password-protected and encrypted, not open public Wi-Fi);
- Ensure you are working in a private area where screens cannot be seen and calls cannot be overheard; and,
- Do not store or download personal health information on your laptop; work within your organization’s systems instead.
7. Obtain consent from the service user
Obtaining the explicit, demonstrable and unambiguous consent of the service user can help avoid any number of future potential privacy concerns. For example, if providing virtual healthcare, ensure the service user consents to the virtual care tool being used.
If you are considering disclosing personal health information to an individual or organization outside of the immediate circle of care, consider obtaining consent even where PHIPA permits the disclosure without it. This may be particularly sensible in the COVID-19 era of contact tracing, given the stigma that could arise from the inadvertent disclosure of personal health information related to a diagnosis or suspected diagnosis.
I hope the above is helpful in considering privacy practices in health care organizations and addressing potential privacy breaches.