A review by the Information and Privacy Commissioner of Ontario (IPC) of two significant privacy breaches involving the sale of new mothers’ personal health information for financial gain has determined that Rouge Valley Health System (hospital) failed to put in place reasonable technical and administrative safeguards to protect patient information.
In an Order issued today, Acting Commissioner Brian Beamish found the hospital was not in compliance with its obligations under the Personal Health Information Protection Act, 2004 (PHIPA) and ordered the hospital to implement changes to its electronic information systems, revise its privacy and audit policies, as well as deliver privacy training to all staff.
The full press release:
A review by the Information and Privacy Commissioner of Ontario (IPC) of two significant privacy breaches involving the sale of new mothers’ personal health information for financial gain has determined that Rouge Valley Health System (hospital) failed to put in place reasonable technical and administrative safeguards to protect patient information.
In an Order issued today, Acting Commissioner Brian Beamish found the hospital was not in compliance with its obligations under the Personal Health Information Protection Act, 2004 (PHIPA) and ordered the hospital to implement changes to its electronic information systems, revise its privacy and audit policies, as well as deliver privacy training to all staff.
Key Facts and Findings:
- Both reported breaches involved allegations of clerical employees using and/or disclosing information about new mothers for financial gain, through the selling or marketing of Registered Education Saving Plans.
- More than 14,000 patients were potentially affected.
- Auditing access to personal health information is an essential technical safeguard for deterring and detecting unauthorized access to personal health information. There were shortcomings in the audit functionality of one of the hospital’s electronic information systems that were not fully addressed before the second breach was discovered.
- The hospital’s privacy policies, training and awareness programs were insufficient.
The IPC has ordered the Hospital to:
- Implement measures to ensure the hospital is able to audit all instances where staff access personal health information.
- Review and revise the hospital’s auditing policies to require random audits on all users’ activities on all of its electronic information systems.
- Develop and implement new policies for privacy training, privacy awareness, and privacy breach management.
- Immediately review and revise all privacy training tools and materials, and deliver training for all staff at the hospital.
Given the increasing number of privacy breaches involving staff accessing personal health information of patients in an unauthorized manner, more needs to be done to address what appears to be a growing problem. To that end, the IPC has initiated discussions with the Ministry of Health and Long-Term Care and the Ministry of the Attorney General with a view to developing a procedure for commencing prosecutions in appropriate cases.
Quote:
“Over the last decade we have seen a growing number of privacy breaches involving unauthorized access to personal health information by staff within the health sector. Whether it is being done out of curiosity, or as in this case for financial gain, it is simply unacceptable. This Order should send a strong message to all health information custodians in Ontario, including hospitals, that they must implement reasonable measures and safeguards to eliminate or reduce the risks that may arise from unauthorized access. The strong message to staff is that there will be serious consequences arising from their actions.”
~ Brian Beamish, Acting Information and Privacy Commissioner of Ontario