On September 15, 2016, the Information and Privacy Commissioner of Ontario (the "IPC") released long-awaited guidance on communicating personal health information ("PHI") by email.
The Fact Sheet sets out a number of requirements that the IPC will expect health information custodians ("custodians") to meet if they decide to use email to communicate PHI. These include:
- Email Policy: Having a written policy on the communication of PHI by email.
- Notice and Consent: Giving notice to patients of the custodian's email policy and obtaining their consent prior to the use of unencrypted email to communicate PHI.
- Training: Comprehensive and mandatory training of employees and agents in connection with the custodian's email policy.
- Email Platform: Prohibiting the use of a personal email account to send or receive PHI.
- Encryption: The use of encrypted email, except in exceptional circumstances (see below for more).
- Retention and Disposal of PHI: The secure maintenance and disposal of emails communicating PHI (see below for more).
- Breach Protocol: Having a breach management protocol relating to emails communicating PHI.
It is important to note that patient consent is not sufficient: custodians have a duty to determine whether the use of email to communicate unencrypted PHI is appropriate in the circumstances and to limit the amount and type of PHI included in email.
The IPC has been writing about encryption for some time. In 2007, in HO-004, the IPC remarked that "to the extent that personal health information on a mobile computing device has been encrypted to protect it from unauthorized access", the theft or loss of the device would not be considered a loss or theft of PHI. The IPC has since issued other orders in relation to encryption and a Fact Sheet in 2010 on the acceptable standard of encryption for the health care environment.
According to the Fact Sheet, the IPC expects that email communication of PHI among custodians "will be secured from unauthorized access by use of encryption, barring exceptional circumstances", for example, in an "emergency or other urgent circumstances".
Where feasible, custodians are advised to use encrypted email for communications with patients. If encryption is not feasible, the IPC suggests that custodians should determine whether email communication is reasonable considering: (1) the degree of sensitivity of the information; (2) the volume and frequency of the emails; (3) the purpose of the transmission; (4) patient expectations; and (5) the availability of alternative methods of communication.
Retention and Disposal of PHI
PHI should be stored on email servers only for as long as is necessary. It is up to each custodian to determine how long is necessary. For example, once an email has been documented in a patient's record, it may not be necessary to retain the email on the email server. The same goes for emails on a portable device.
The IPC also has a Fact Sheet (2005) regarding the secure destruction of PHI. Secure destruction includes ensuring that PHI is disposed of in a permanent manner. If destruction is outsourced to a third-party service provider, the IPC recommends using a provider accredited by an industry trade association, such as the National Association for Information Destruction. That Fact Sheet also describes provisions that should be part of the custodian's agreement with the service provider.