
By Occasional Contributors | 3 Minutes Read July 8, 2015

IPC orders data security measures for hospital following breach of private health information

On December 16, 2014, the Information and Privacy Commissioner of Ontario (“IPC”) released PHIPA Order HO-013 and directed the Rouge Valley Health System (“Hospital”) to implement a number of data security measures. The Order followed a review by the IPC of the Hospital’s management of personal health information. This review was prompted by reports of the unauthorized access and disclosure of personal health information of new mothers who were patients at the hospital. The IPC found that the security measures in place at the Hospital were inadequate and issued a number of directions to address the deficiencies. Although the IPC’s Order was exclusive to the Rouge Valley Health System, all health care institutions should be aware of the IPC’s directions and review their own data security systems to ensure they meet the requirements of the Personal Health Information Protection Act, 2004 (“Act”) as discussed in Order HO-013.
The IPC’s review was initiated after the Hospital submitted two reports of breaches of patient privacy. Although the two incidents were separate and unrelated, they both involved Hospital employees in clerical positions accessing and disclosing the personal health information of mothers who had recently given birth, for the purposes of selling or marketing Registered Education Savings Plans to them. In the course of the IPC’s review, it noted that the Hospital did not have sufficient technical or administrative measures and safeguards to protect the personal health information of its patients and that the employees of the Hospital did not have sufficient privacy training and awareness. The IPC made the following directions to the Hospital:

  • Ensure that the computer system, in which it stores the personal health information of its patients, can audit all instances of access to patient information.
  • Ensure that user activity logs in respect of the computer system are available to the Hospital for audit purposes.
  • Limit the search capabilities and functionalities of the computer system so that employees are unable to perform open-ended searches for personal health information and can only perform those searches using the following criteria:
    • health number;
    • medical record number;
    • encounter number; or
    • exact first name, last name and date of birth.
  • Review and revise its privacy policies to address the findings in the Order;
  • Develop and implement policies in respect of privacy training, awareness and breach management;
  • Review and revise its privacy training tools and materials to address the findings in the Order;
  • Conduct privacy training for all agents in the Hospital – immediately for those in clerical positions and, for all other agents, by June 16, 2015.
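The first three directions above describe one technical control: a patient lookup that accepts only the four permitted exact-match forms and records every attempt, permitted or refused, in an audit trail. The following is an added illustration (not code from the Order, the Hospital, or this blog); the patient records, user names and field names are constructed for the example.

```python
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample records; not real patients.
PATIENTS = [
    {"health_number": "1234567890", "medical_record_number": "MRN-001",
     "encounter_number": "ENC-9001", "first_name": "Jane", "last_name": "Doe",
     "date_of_birth": "1990-05-01"},
    {"health_number": "2345678901", "medical_record_number": "MRN-002",
     "encounter_number": "ENC-9002", "first_name": "Jane", "last_name": "Roe",
     "date_of_birth": "1988-11-23"},
]

# The only search forms the Order permits; any other combination of fields
# (e.g. last name alone) is treated as an open-ended search and refused.
ALLOWED_CRITERIA = (
    frozenset({"health_number"}),
    frozenset({"medical_record_number"}),
    frozenset({"encounter_number"}),
    frozenset({"first_name", "last_name", "date_of_birth"}),
)

AUDIT_LOG: List[Dict] = []  # one entry per lookup attempt, permitted or not


class SearchRefused(ValueError):
    """Query did not match one of the permitted exact-match forms."""


def lookup_patient(user: str, criteria: Dict[str, str]) -> List[Dict]:
    keys = frozenset(criteria)
    # Exact match only: reject wildcard/pattern characters and blank values,
    # so a clerk cannot widen a permitted form into a browse of the database.
    wildcard = any(c in v for v in criteria.values() for c in "*%?_")
    blank = any(not v.strip() for v in criteria.values())
    permitted = keys in ALLOWED_CRITERIA and not wildcard and not blank
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "user": user,
             "criteria": sorted(keys), "permitted": permitted, "accessed": []}
    AUDIT_LOG.append(entry)  # logged before the query runs, so refusals are kept
    if not permitted:
        raise SearchRefused(f"search by {sorted(keys)} is not a permitted lookup")
    hits = [p for p in PATIENTS
            if all(p[k].lower() == v.strip().lower() for k, v in criteria.items())]
    # Record which patients' information was actually returned to this user.
    entry["accessed"] = [p["medical_record_number"] for p in hits]
    return hits
```

An audit reviewer can then answer the question the IPC asked: which users looked up which patients, and how often were open-ended searches attempted.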

Most hospitals and health care organizations will have policies and measures in place to protect against privacy breaches. The risk of breaches is constant in the health care sector, and so organizations must pay particular attention to the measures which they take to protect the personal health information in their care. As we have seen in the last year, highly publicized losses and thefts of data demonstrate how important it is for these measures to address the risk of unauthorized access to personal health information from outside the organization, as well as loss of custody of such information.
Order HO-013 demonstrates how important it is that an organization take measures to address internal breaches of privacy. The consequences for Rouge Valley Health System in this case were not limited to an adverse order by the IPC. A proposed class action claim has been launched against the Rouge Valley Health System in respect of patients whose privacy was breached, and so a financial loss may be incurred as well.
Order HO-013 provides useful guidance regarding the degree and extent of measures which will be required to provide reasonable protection against internal breaches of privacy. While complying with the guidelines articulated by the IPC in Order HO-013 is no guarantee that liability will be avoided, it is a sound step along the path to effective management of risks arising from an organization’s handling of personal health information.
For any questions about Order HO-013, or to discuss measures which your organization might take to protect personal information in its custody and manage the risk of a breach, please contact Porter Heffernan, Emond Harnden LLP, at (613) 940-2764.

