Why is safeguarding Personal Health Information Important?
- Unauthorized access to Personal Health Information can cause harm to the individuals whose information is being improperly accessed, shared, or sold. It can lead to discrimination, stigmatization, and emotional or psychological harm at a time that they are seeking help and guidance for their health.
- It damages the trust and confidence individuals bestow onto hospitals and their staff when their Personal Health Information is being misused. This breach of trust can lead to patients not disclosing all pertinent information out of fear of discrimination.
What happens when Personal Health Information is Improperly Accessed, Shared, or Sold?
- Once unauthorized access is determined, an investigation will commence determining what information was accessed, whether it was appropriate to conduct the services it was originally collected for, and whether the person accessing the information had the authority to do so. If this access was deemed inappropriate it could result in an order by the Privacy Commissioner of Ontario.
- If unauthorized access to Personal Health Information is deemed to be malicious various recovery and punitive measures are necessary, the first of which is disciplinary action by the employer such as termination or suspension.
- Under PHIPA, persons convicted of willfully collecting or disclosing Personal Health Information beyond its intended purposes are liable to fines up $50,000 and organizations are liable to fines up to $250,000.
- Additionally, if the inappropriate access has resulted in harm to the persons whose information was accessed, the court may award them an additional $10,000 for mental anguish.
Examples of Breaches & Their Consequences
- A class-action lawsuit of $5.6 million has been filed against Peterborough Regional Health Centre and some of its employees for the inappropriate access of 280 Personal Health Information Records.
- A $412 million class action lawsuit has been filed against Rough Valley Health System and some of its former employees for the inappropriate use and disclosure of Personal Health Information for the purpose of selling and marketing RESPs to 8,3000 patients.
Preventing Unauthorized Access
- Privacy Policies and Procedures
Custodians are tasked with developing privacy policies and procedures which set up the expectations and requirements for all agents. These requirements must demonstrate how they effectively promote security through concrete and actionable practices and they must outline the responsibility of all agents in carrying out these practices.
Important things to consider when developing policies are:
- PHIPA regulations
- Recommendations of Privacy and Security Audits
- Privacy Impact Assessments
- Privacy Complaints
- Privacy and Information breaches
- Privacy Training
Custodians should ensure that all agents are provided with the knowledge required to uphold security standards through ongoing privacy training. Privacy training needs to outline the intended purposes Personal Health Information is collected, the limitations and restrictions to accessing this information, all privacy policies and practices, PHIPA regulations, and all safeguards imposed to maintain security such as audits and potential consequences for inappropriate access. Privacy training should be considered an ongoing practice, not a one-time occurrence so that it can evolve with industry standards and practices, respond to updated by the Information and Privacy Commissioner of Ontario and PHIPA as well as internal reviews.
- Privacy Notices & Warning Flags
Prior to accessing Personal Health Information on an electronic system, privacy notices act as a reminder to the regulations and practices the agent must adhere in order to access the information. They remind the agent of the appropriate purposes the information is accessible and confirm that the agent consents to privacy practices and the consequences of noncompliance.
- Confidentiality Agreements
Confidentiality Agreements are important because they explicitly explain the agents obligations and expectations to uphold privacy protocols as well as outline the consequences in failing to adhere to these obligations. When implemented at the start of employment, confidentiality agreements set the standard for privacy and establish a responsible relationship between the custodians and agents.
- End-User Agreements
End-User Agreements outlines the roles and responsibilities of all parties who use systems where Personal Health Information is stored. Custodians should ensure that all agents sign end-user agreements before accessing Personal Health Information.
All end-user agreements should include the following:
- The intended purposes the information was collected
- Acknowledgment and confirmation by custodians and agents that they understand and intend to comply with all privacy policies and regulations under PHIPA
- Confirm that all necessary safeguards both physical and technical are implemented and practiced
- Outline the consequences of a security breach including the policies and procedures to follow
- Access Management
One of the best practices to ensure Personal Health Information is not improperly accessed is through the restricted access on a need-to-know basis. In order to comply with PHIPA and privacy regulations that Personal Health Information is only used to carry out the services, it was originally collected for, restricting access to that information to only the individuals who require it to carry out these tasks is necessary. Differentiated access between staff with different roles is one method to restrict access, as are password controls and search controls.
All access to Personal Health Information must be logged, monitored and audited. When agents are made aware that their accesses of Personal Health Information are tracked and audited, this promotes an environment of security where they are cautious to uphold security standards.
Audits should monitor whose information is being accessed, what type of information, who is accessing that information and when. With this information, the custodian can determine if that information was accessed appropriately or if it constitutes inappropriate use.
- Privacy Breach Management
Custodians should develop policies and procedures in the event of a privacy breach so that all agents understand the course of action and potential disciplinary actions. Privacy Breach protocol should determine who is responsible for reporting privacy incidents and the appropriate timeframe to allow for proper identification, reporting, containment, notification, identification, and remediation. Privacy breach management protocol should also outline the steps that would be taken after a breach that is meant to prevent further spread of information such as suspending access to the agent suspected of a breach, ensuring that no copies of the information were made, and preventing the disclosure of personal health information to more parties. It should also identify the circumstances under which the breach occurred to prevent similar events in the future.
It is important to uphold disciplinary actions that are consistent, appropriate and proportional in order to promote an environment of security. By outlining the disciplinary actions possible, agents are deterred from inappropriately accessing Personal Health Information. It is important that agents understand the consequences of inappropriate information access and this can be made clear during privacy training, communications, and through the signing of confidentiality agreements.