Ontario’s Personal Health Information Protection Act (“PHIPA”) came into force on November 1, 2004.
The Information and Privacy Commissioner of Ontario (“IPC”) is given authority to enforce PHIPA. This update will review the IPC orders issued to date. These orders have dealt with situations where personal health information (“PHI”) has been inappropriately disclosed. The resulting orders set out the IPC’s expectations on what health information custodians (“HIC”s) must do to comply with PHIPA.
Order HO-001 – October 31, 2005
In this situation, the IPC was alerted by a newspaper that health records were strewn across a Toronto street as part of a film shoot. Investigation revealed that the records came from a radiology clinic. The clinic provided records to a disposal company for shredding. In error, some boxes were marked for recycling instead of shredding, and were passed on to a recycling company. The recycling company then sold the records to a film company for use as scrap paper as a prop on a film set.
The IPC’s order highlights the requirements for secure disposal of PHI:
“I further Order the Toronto Clinic to put in place a written contractual agreement with any agent it retains to dispose of personal health information records. The agreement must set out the obligation for secure disposal and require the agent to provide written confirmation through an attestation once secure disposal has been conducted. Secure disposal must consist of permanently destroying paper records by irreversible shredding or pulverizing, thus making them unreadable. Further, steps must be taken to ensure that no unauthorized person will have access to the personal health information between the time the records leave the health information custodian’s custody until their actual destruction” (p.24).
Order HO-002 – July 31, 2006
The second order followed a complaint by a patient that her health information had been accessed by a hospital employee, who was the girlfriend of the patient’s ex-husband, and then disclosed to him. Prior to receiving treatment, the patient advised that she did not wish her ex-husband or his girlfriend to know that she was in hospital or to access her information, but the hospital had not taken any additional steps to protect her information until after the patient complained that her records had been inappropriately accessed. Investigation revealed that, even after the complaint, the records were still accessed inappropriately on three further occasions.
The IPC’s order emphasizes the “culture of privacy” necessary in health care – “Unless policies are inter-woven into the fabric of a hospital’s day-to-day operations, they will not work. Hospitals must ensure that they not only educate their staff about PHIPA and information policies and practices implemented by the hospital, but must also ensure that privacy becomes embedded into their institutional culture” (p.19). Access to PHI needs to be limited to those who need to know it in the performance of their duties. It is unacceptable for unauthorised parties to be looking at a patient’s information.
The IPC found that the hospital did not take reasonable steps to protect the information. It should have taken steps upon first being advised of the patient’s concerns and further immediate steps once the patient complained.
Order HO-003 – December 11, 2006
In this case, the IPC was notified that a medical clinic had closed, abandoned its offices and left behind boxes of medical records.
The IPC was very critical of the company that operated the centre:
“In the present case, unbelievably, records of personal health information were simply abandoned when the practice in question ceased its operations. This situation is both regrettable and unacceptable; worse, it could easily have been avoided. The custodian’s failure to adequately notify individuals when the practice ceased operation and to ensure that all records of personal health information were retained, transferred or disposed of in a secure manner demonstrated a flagrant disregard for the privacy rights of the individuals to whom the records related.” (p.15)
The company was ordered to retain, transfer or dispose of the records in question in a secure manner.
Order HO-004 – March 9, 2007
This decision relates to the theft of a laptop containing PHI for 2,900 patients. A researcher had taken the laptop home to analyze research data there. His van was broken into and the laptop stolen. The only security measure on the laptop was a login password.
The IPC ordered the hospital to develop and implement “a comprehensive corporate policy that, to the extent possible and without hindering the provision of health care, prohibits the removal of identifiable personal health information in electronic form from the hospital premises. To the extent that personal health information in identifiable form must be removed in electronic form, it must be encrypted” (p.18).
The decision speaks in strong terms about the security concerns associated with the use of mobile computing devices and requires a “multi-layered approach to guard against unauthorised access” (p.19). Custodians should avoid storing identifiable data on mobile devices or store only the minimum amount for the minimum time. Whenever possible, data on mobile devices should be de-identified. There should be strong password protection on the device and, in addition, any identifiable PHI should be encrypted.
Order HO-005 – June 7, 2007
In this unfortunate case, the detailed video image of a patient using the washroom at a methadone clinic was inadvertently accessed by a wireless mobile camera in a car parked near the clinic. Wireless surveillance cameras had been installed in the clinic’s washroom for the patients’ own safety; patients were informed of the practice and provided their consent to the clinic to being monitored. However, these images should not have been accessible outside of the clinic, and the clinic was not aware that this was possible. Upon learning of this issue, the clinic immediately replaced the wireless surveillance system with a wired system incapable of interception outside of the clinic.
The IPC praised the clinic for its immediate attention to this privacy breach, but cautioned:
“I […] expect custodians to acknowledge their lack of [technological] expertise and regularly confer with the appropriate experts to ensure that the systems they use continue to be privacy protective. Had the Custodian implemented such a review, in this case, it is likely that it would have become aware of the increased risks posed by emerging wireless technologies, and taken steps to modify its monitoring systems. Such a privacy and security review need not be an elaborate process. Depending on the circumstances, it may be as simple as a brief meeting with the custodian’s security provider, on an annual basis. In my view, a custodian that fails to conduct such regular reviews is likely to fall short of the reasonableness standard in section 12(1) of the Act.” (p. 11)
Accordingly, the IPC ordered the clinic to conduct an annual review to ensure continued compliance with PHIPA.
While there are few orders to date under PHIPA, the decisions provide some clear guidance into how the legislation will be interpreted by the IPC and the obligations on HICs under PHIPA.
The most important lesson from the orders is the IPC’s emphasis on the need for a “culture of privacy” in health care and the steps that HICs must take to ensure that their staff properly respect their patients’/clients’ privacy. Even though privacy has long been part of the health care environment, and has been addressed in legislation prior to PHIPA, the new statute requires health care providers to re-think and re-evaluate their practices to comply with the new standards. On-going education and training is necessary, to remind staff of their obligations and assist them in understanding the new rules.
Each of these orders has focussed on security concerns relating to PHI. The factual circumstances of each situation were different, but they can serve as useful examples of how a HIC’s practices and procedures can lead to privacy breaches. Each order emphasizes the high level of care that the IPC will expect from HICs in safeguarding information under their control. Stringent requirements are set out in each decision.
In all of the decisions, there was a focus on the policies, procedures and agreements by which PHI is handled. The IPC required each institution to have clear written PHI practices; unwritten policies or informal agreements were not enough. Direct lessons can be taken from each individual decision as to the nature of the required written standards.
Each institution was also required by the order to review its written procedures and agreements respecting the handling of PHI, and to provide proof of compliance to the IPC within a short time. This seems to be the IPC’s way to ensure that its orders are followed.
You can access PHIPA at: http://www.e-laws.gov.on.ca
You can access the IPC’s Orders at: http://www.ipc.on.ca