On December 16, 2014, the Information and Privacy Commissioner of Ontario (“IPC”) released PHIPA Order HO-013 and directed the Rouge Valley Health System (“Hospital”) to implement a number of data security measures. The Order followed a review by the IPC of the Hospital’s management of personal health information. This review was prompted by reports of the unauthorized access and disclosure of personal health information of new mothers who were patients at the Hospital. The IPC found that the security measures in place at the Hospital were inadequate and issued a number of directions to address the deficiencies. Although the IPC’s Order was directed only at the Rouge Valley Health System, all health care institutions should be aware of the IPC’s directions and review their own data security systems to ensure they meet the requirements of the Personal Health Information Protection Act, 2004 (“Act”) as discussed in Order HO-013.
The IPC’s review was initiated after the Hospital submitted two reports of breaches of patient privacy. Although the two incidents were separate and unrelated, they both involved Hospital employees in clerical positions accessing and disclosing the personal health information of mothers who had recently given birth, for the purposes of selling or marketing Registered Education Savings Plans to them. In the course of the IPC’s review, it noted that the Hospital did not have sufficient technical or administrative measures and safeguards to protect the personal health information of its patients and that the employees of the Hospital did not have sufficient privacy training and awareness. The IPC made the following directions to the Hospital:
- Ensure that the computer system, in which it stores the personal health information of its patients, can audit all instances of access to patient information.
- Ensure that user activity logs in respect of the computer system are available to the Hospital for audit purposes.
- Limit the search capabilities and functionalities of the computer system so that employees are unable to perform open-ended searches for personal health information and can only perform those searches using the following criteria:
  - health number;
  - medical record number;
  - encounter number; or
  - exact first name, last name and date of birth.
- Review and revise its privacy policies to address the findings in the Order.
- Develop and implement policies in respect of privacy training, awareness and breach management.
- Review and revise its privacy training tools and materials to address the findings in the Order.
- Conduct privacy training for all agents in the Hospital – immediately for those in clerical positions and, for all other agents, by June 16, 2015.
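The first three directions above translate into two concrete controls: every lookup of patient information is written to an audit log the organization can review, and the lookup interface accepts only the closed set of exact-match criteria the IPC named, so a clerk cannot browse by partial name, ward or date range. The following is an added illustration of how those two controls can be enforced at the application layer; it is not code from the Hospital’s system or from the IPC, and the record fields, the in-memory store, the `PatientIndex` class and the sample patients are all constructed for the example.

```python
"""Exact-criteria patient lookup with mandatory access auditing.

Added example: enforces the search restriction from Order HO-013 (lookups only
by health number, medical record number, encounter number, or exact first name
+ last name + date of birth) and records every attempt, allowed or rejected.
All names, fields and sample data are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# The only criterion sets a user may search on. Any other combination
# (e.g. last name alone, or a date-of-birth range) is an open-ended search.
ALLOWED_CRITERIA = {
    frozenset({"health_number"}),
    frozenset({"medical_record_number"}),
    frozenset({"encounter_number"}),
    frozenset({"first_name", "last_name", "date_of_birth"}),
}


@dataclass(frozen=True)
class PatientRecord:
    health_number: str
    medical_record_number: str
    encounter_number: str
    first_name: str
    last_name: str
    date_of_birth: str  # ISO 8601 date, e.g. "1990-05-17"


class SearchNotPermitted(ValueError):
    """Raised when a lookup does not use one of the permitted criterion sets."""


class PatientIndex:
    def __init__(self, records):
        self._records = list(records)
        # In a real deployment this would be an append-only store that the
        # searching user cannot modify; a list is used here for illustration.
        self.audit_log = []

    def _audit(self, user, criteria, outcome, result_count):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "criteria": sorted(criteria),
            "outcome": outcome,
            "results": result_count,
        })

    def search(self, user, **criteria):
        """Return records matching ALL supplied criteria exactly.

        The criterion set must be one of ALLOWED_CRITERIA; values are compared
        with plain equality, so wildcards and prefixes never match anything.
        Every call, including rejected ones, is audited before returning.
        """
        keys = frozenset(criteria)
        if keys not in ALLOWED_CRITERIA:
            self._audit(user, keys, "rejected", 0)
            raise SearchNotPermitted(
                f"search by {sorted(keys)} is not permitted; use one of "
                f"{[sorted(s) for s in ALLOWED_CRITERIA]}"
            )
        matches = [
            r for r in self._records
            if all(getattr(r, k) == v for k, v in criteria.items())
        ]
        self._audit(user, keys, "allowed", len(matches))
        return matches


def build_sample_index():
    """Constructed sample data so the example runs offline."""
    return PatientIndex([
        PatientRecord("HN-0001", "MRN-100", "ENC-5001", "Jane", "Doe", "1990-05-17"),
        PatientRecord("HN-0002", "MRN-101", "ENC-5002", "Janet", "Doe", "1988-11-02"),
    ])


if __name__ == "__main__":
    idx = build_sample_index()
    print(idx.search("clerk-07", health_number="HN-0001"))
    try:
        idx.search("clerk-07", last_name="Doe")      # open-ended: rejected
    except SearchNotPermitted as e:
        print("rejected:", e)
    for entry in idx.audit_log:
        print(entry)
```

Two design points worth noting for a reviewer: the rejected lookup is still written to the audit log, because repeated rejected attempts by one account are exactly the signal a privacy officer wants when looking for an employee probing for records; and the name-based criterion requires all three fields together, so a last name on its own is refused rather than silently widened.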
Most hospitals and health care organizations will have policies and measures in place to protect against privacy breaches. The risk of breaches is constant in the health care sector, and so organizations must pay particular attention to the measures which they take to protect the personal health information in their care. As we have seen in the last year, highly publicized losses and thefts of data demonstrate how important it is for these measures to address the risk of unauthorized access to personal health information from outside the organization, as well as loss of custody of such information.
Order HO-013 demonstrates how important it is that an organization take measures to address internal breaches of privacy. The consequences for Rouge Valley Health System in this case were not limited to an adverse order by the IPC. A proposed class action claim has been launched against the Rouge Valley Health System in respect of patients whose privacy was breached, and so a financial loss may be incurred as well.
Order HO-013 provides useful guidance regarding the degree and extent of measures which will be required to provide reasonable protection against internal breaches of privacy. While complying with the guidelines articulated by the IPC in Order HO-013 is no guarantee that liability will be avoided, it is a sound step along the path to effective management of risks arising from an organization’s handling of personal health information.