Personal Health Information (PHI) is considered to be among the most sensitive types of personal information, deserving of the highest protection. Yet, in Ontario, we have seen a growing number of cases of agents inappropriately accessing the Personal Health Information of individuals. The type and magnitude of these violations vary. Some involve celebrity “gawkers,” others nosey neighbours, family members or work colleagues. The circumstances of this case involve the unauthorized use and disclosure of Personal Health Information for financial gain. The message to take from all of these cases is clear. Authorized users of electronic information systems can abuse their access privileges — they pose a risk to patient privacy. Health information custodians must implement reasonable measures and safeguards to eliminate or reduce these risks and to mitigate the harms that may arise from them.
Within the span of less than a year, the Rouge Valley Health System (Hospital), reported two separate breaches of patient privacy to the Office of the Information and Privacy Commissioner of Ontario. The first reported breach was received by this office in September 2013 and the second, seven months later, in April 2014. Although separate incidents, the breaches were materially similar in that both involved allegations that Hospital employees in clerical positions used and/or disclosed the Personal Health Information of mothers who had recently given birth at the Hospital for the purposes of selling or marketing Registered Education Savings Plans (RESPs).
Given the pattern that appeared to be emerging, upon notification of the second breach, this office decided to conduct a review under the Personal Health Information Protection Act, 2004. During this review, we conducted extensive interviews. We engaged in a thorough review of the Hospital’s relevant policies, practices and procedures and received written representations from the Hospital.
As a consequence of the two reported breaches, the Hospital notified more than 14,000 current and former patients of its Rouge Valley Centenary site and Rouge Valley Ajax and Pickering site, all of whom may have been affected by the actions of the two employees. It was necessary to notify all of these individuals because the Hospital was unable to identify the individuals who were actually affected by the actions of the two employees involved in the reported breaches.
Following the first breach, the Hospital discovered that the audit functionality of its Meditech system, the electronic information system at issue in this review, was limited and it undertook to address this shortcoming. During this review, we learned that despite the actions taken and the similarity between the two breaches, the Hospital was still unable to conduct an audit of user activities relating to the second breach due to another “gap” in the Meditech system’s audit functionality.
Audits are essential technical safeguards to protect personal health information. They can be used to deter and detect collections, uses and disclosures of personal health information that contravene the Act. In this way, they help to maintain the integrity and confidentiality of personal health information stored in electronic information systems. The Hospital’s failure to implement full audit functionality in its Meditech system meant that it could not comply with its own policies and that it did not comply with the requirements of the Act.
We also learned that the Hospital’s administrative measures or safeguards such as privacy policies, procedures and practices as well as privacy training and awareness programs — which are critical in protecting Personal Health Information — were insufficient and therefore not in compliance with the Act. These types of safeguards are particularly important in relation to electronic information systems which provide agents with the ability to access a vast amount of Personal Health Information.
In this order, among other things, I find that the Hospital failed to comply with its obligations under the Act to put in place technical and administrative measures or safeguards to protect personal health information in compliance with section 12(1) of the Act and I order the Hospital to:
- In relation to all of the Hospital’s electronic information systems, implement the measures necessary to ensure that the Hospital is able to audit all instances where agents access personal health information on its electronic information systems, including the selection of patient names on the patient index of its Meditech system.
- In relation to the Hospital’s Meditech system:
a) Work with the Hospital’s Hosting Provider to review and amend the service level agreement between the Hospital and the Hosting Provider to clarify the responsibility for the creation, maintenance and archiving of user activity logs generated by the Hospital’s use of its Meditech system, and ensure that the user activity logs are available to the Hospital for audit purposes.
b) Work with Meditech or another software provider to develop a solution that will limit the search capabilities and search functionalities of the Hospital’s Meditech system so that agents are unable to perform open-ended searches for personal health information about individuals, including newborns and/or their mothers, and can only perform searches based on the following criteria: health number, medical record number, encounter number, or exact first name, last name and date of birth.
- Review and revise its Privacy Audits policy, the Pledge of Confidentiality policy and the “Pledge of Confidentiality,” and the Privacy Advisory in accordance with the comments and findings made in this Order, and take steps to ensure that it complies with the Privacy Audits policy.
- Develop and implement a Privacy Training Program policy, a Privacy Awareness Program policy, and a Privacy Breach Management policy in accordance with the comments and findings made in this Order.
- Immediately review and revise its privacy training tools and materials in accordance with the comments and findings made in this Order.
- Using the privacy training materials developed in accordance with Order provision 5:
a) immediately conduct privacy training for all agents in clerical positions in the Hospital; and
b) conduct privacy training for all other agents by June 16, 2015.
- Provide this office with proof of compliance with all of the Order provisions by September 16, 2015.