As of January 1st 2018, numerous changes have been made to Ontario’s Personal Health Information Protection Act (PHIPA). If you are a health information custodian working in a hospital or medical office, it is important to understand how this new set of rules will affect your organization. One of the most critical changes requires health organizations to keep track of privacy and data breaches. While the Information and Privacy Commissioner of Ontario will be releasing tracking guidelines in March of 2019, custodians are expected to record breaches now. Here is what you need to know to uphold your reputation and ensure your patient information remains secure.
The Personal Health Information Protection Act was established in Ontario in 2004. This legislation governs the collection, use and disclosure of personal health information. Personal health information is confidential data regarding a patient’s mental and physical health. Health information custodians (HICs) are authorized individuals such as doctors, nurses and psychologists or organizations such as hospitals, pharmacies and long-term care homes.
The role of PHIPA is to provide a set of rules for:
- Maintaining confidentiality and security
- Accessing and updating information
- Sharing rights
- Rules for fundraising and marketing with personal health information
- Accountability and complaints regarding inaccurate information
- Breaches to the legislation
These privacy principles ensure that information is handled appropriately and updated accurately. This legislation assures patients that their personal information will be kept safe.
What You Must Record and Report
All HICs are now responsible for reporting the privacy breaches that occur each year. A report detailing all 2018 security incidents must be submitted to the Privacy Commissioner by March 1st, 2019, so breaches must be tracked starting now.
How does an organization identify a breach?
If a HIC has reason to believe that any personal health information has been lost, stolen, used or disclosed without authority, the incident is classified as a breach. If previously stolen or unlawfully disclosed information continues to be used without authority, this is also considered a breach.
Incidents that are accidental do not have to be reported. For example, an email that is sent to the wrong recipient is not considered a breach and would not be included in an annual report.
What are the common causes of a breach?
Breaches can occur in different ways. The improper disposal of a hard drive or the theft of an unencrypted USB key could leave sensitive information vulnerable. Unauthorized persons can gain access to data and ‘snoop’ through private files.
One of the biggest threats to health organizations is the installation of malware. Malicious software (known as malware) infects computers and, in many cases, encrypts the files it finds. An extremely widespread form of malware is known as ‘ransomware’. Ransomware holds files hostage and only releases them when a sum of money (the ransom) is paid by the victim to the attacker. This can be a devastating situation for any business.
When the news of a breach reaches patients, the reputation of a healthcare organization can quickly disintegrate. If you begin to notice breaches happening frequently within your organization, it may be time to examine your IT infrastructure more closely and seek a new provider.
Start With Your Choice of Infrastructure
Do you know where your data is? When healthcare providers choose a third party for their IT infrastructure, data storage and backup solutions, they may not always ask the right questions. It is imperative to know where and how your data is being stored in order to make the most informed choice.
What Qualities Should You Look For in an IT Provider?
Your IT provider should be implementing a proven infrastructure for your data storage needs. Security is clearly of the utmost importance. The system should provide a host of security measures that ensure information can always be recovered.
Another factor to look for in an IT infrastructure is ease-of-use. The system needs to be easy to work with and understand, as this will increase the success of its application.
Finally, the provider must offer excellent support following the infrastructure’s installation. Will they be readily available if trouble arises? Will you be able to contact them by email, telephone or live chat? Great technology must be complemented by great technical support!
Data Centre Location
The location of the data centre is an important factor for diversifying risk. If 100% of your data is being stored on Canadian soil, it is protected from external legislation. However, data that is moved across the border either in transit or at rest is susceptible to laws such as the US Patriot Act which allows it to be accessed at any time by the American government.
IT providers who store data within Canada must be well versed in the federal and provincial privacy laws that govern their region.
Data Centre Certification
A SOC 2 data centre can provide healthcare organizations with assurance that data is protected by a facility that follows a set of pre-defined benchmarks for privacy, security, availability and more. A SOC 2 report confirms that a data centre operator has all of the following controls in place:
- Security: Physical and logical protection against unauthorized access.
- Availability: The system is operationally available for use as committed or agreed.
- Processing Integrity: System processing is complete, accurate, timely and authorized.
- Confidentiality: All information is classified and protected as committed or agreed.
- Privacy: Personal information is collected, used, retained and transferred as committed or agreed.
These trust services principles are critical for healthcare companies that need to meet strict compliance requirements.
Our Recommendation for Best Results
There is so much at stake for healthcare organizations when a breach occurs. The most logical preventive step for HICs is the implementation of a secure IT infrastructure by a trusted provider. Keeping track of where data is stored and who is authorized to access it is key to preventing potential breaches. Communicating with the provider to ensure they are respecting privacy laws and delivering a secure, reliable and straightforward service will guarantee the system runs smoothly for years to come.