On December 16th the Information and Privacy Commissioner/Ontario issued its 13th order under the Personal Health Information Protection Act. It contains very detailed prescriptions pertaining to the PHIPA data security standard in section 12. The standard is contextual – i.e., the standard of care is always based on all the “circumstances.” However, given Ontario hospitals face similar foreseeable risks, hospitals should pay very close heed to the prescriptions in HO-013.
I’ll spare you a description of the background and get to the point. Here is a bulleted summary of the data security prescriptions in HO-13. Rather than describe each in detail I will give you very short (synthesized) descriptions and page references.
- Ensure that patient information systems support audits and investigations of system misuse. Collect reliable data on all access, copying, disclosure, modification and disposal of patient records. Retain data for a reasonable period of time. Pages 23 to 29.
- Conduct periodic audits for patient information system misuse: “Audits are essential technical safeguards for electronic information systems.” Conduct random audits on all system activity. Run a special audit program for “high profile” patients. Pages 32 to 34.
- Ensure that patient information systems feature reasonable search controls. Search controls should limit the ability of agents to perform “open-ended” searches. Pages 29 to 32.
- Ensure that patient information systems feature a login notice that appears on its own screen and requires express acknowledgement. Page 22.
- Conduct regular and comprehensive privacy training pursuant to a privacy training program policy. Require pre-authorization training and annual re-training. Training materials should be detailed and contain certain information prescribed in HO-013. Pages 34 to 36.
- Communicate regularly about privacy compliance and compliance duties pursuant to a privacy awareness program policy. Page 36.
- Administer a “pledge of confidentiality” that contains certain information prescribed in HO-013. Require agents to sign pre-authorization and annually. Pages 37 and 38.
- Maintain and administer a privacy breach management policy that meets particular requirements specified in HO-013. Pages 40 and 41.
Most hospitals will already have data security programs that feature many of the elements in the list above. Regardless, there are detailed requirements in HO-013 (not included in the summary above) that invite hospitals to conduct a broad gap analysis. Some gaps are likely to be closed easily and others may require the investment of additional ongoing resources – e.g., gaps with respect to training and communication programming. The most problematic prescriptions in HO-013 are those related to the modification of patient information systems. The prescriptions regarding search controls, for example, seem problematic and may create system usability (search) problems. The responding hospital did raise concerns about usability that the IPC dismissed.