Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, released a joint publication in collaboration with Robert Johnson, Executive Director of the National Association for Information Destruction (NAID). The educational paper, entitled Get Rid of it Securely to Keep it Private: Best Practices for the Secure Destruction of Personal Health Information, is being premiered at NAID’s 2009 Annual Conference in Toronto, Canada.
This publication was born out of a particular Health Order (HO-006), which Commissioner Cavoukian issued this past summer, regarding records containing personal health information found scattered on the streets in Ottawa, outside a medical centre housing a medical laboratory. Remarkably, it was the second Health Order Commissioner Cavoukian has issued involving personal health information records found scattered in the streets. In 2005, patient health records were found blowing around downtown Toronto, which resulted in Health Order No. 1 (HO-001).
“I was quite shocked to learn about those records scattered around Ottawa. It was like a déjà vu. I made it quite clear in Health Order No. 1, regarding how to dispose of personal health information in a secure manner, but after Health Order No. 6, I decided that more detailed, in-depth guidance was needed. That’s why I decided to work with Mr. Johnson, an expert in this field, in creating this publication that will reinforce the message that organizations need to get serious about how they dispose of health information records,” says the Commissioner.
By their very nature, medical records are among the most privacy-sensitive when it comes to one’s personal information. “A single medical record can reveal a great deal about an individual including recreational and lifestyle habits, or major health issues, all of which can result in potentially devastating consequences if revealed to family, friends or employers,” says Commissioner Cavoukian. She further adds, “Health-care providers need to realize that their information management practices have very real and lasting consequences for their patients. You can’t just throw medical records into a dumpster or a recycling box and forget about them.”
At the same time, Mr. Johnson recognizes that personal health information is the lifeblood of many businesses and an indispensable part of the health-care industry. “Providing much-needed health-care services while ensuring privacy is a fine balance, where the slightest misstep by a health-care provider may result in harmful consequences to their business. I believe that this publication can assist organizations in protecting the privacy of patients and make it possible for organizations to meet their business objectives – a mutually beneficial outcome for both parties,” says Mr. Johnson.
The publication itself outlines a number of Best Practices that can be employed in the secure destruction of personal health information records. These include: developing a secure destruction policy that is clear, understandable and leaves no room for interpretation; segregating and securely storing records; determining the best methods of destruction; documenting the destruction process; considerations prior to employing a third-party service provider; disposal of securely destroyed materials; and ensuring compliance.
The approach taken in developing these Best Practices comes from Commissioner Cavoukian’s concept of Privacy by Design, which she first developed in the ’90s. Privacy by Design involves proactively building privacy into the design, operation and management of information processing systems. By adopting Privacy by Design, privacy can be built into secure destruction programs at the outset in a way that provides for both functionality and security.
“This can widen the path for the health-care industry to deliver functional services and ensure the security of personal health information, resulting in a win-win scenario for patients and health care providers,” adds Commissioner Cavoukian.
A copy of Get Rid of it Securely to Keep it Private: Best Practices for the Secure Destruction of Personal Health Information can be downloaded free of charge from the IPC website at www.ipc.on.ca.