IPC/Ontario – Appropriate for hospital to notify of breach because it maintained a shared EMR

The IPC/Ontario has issued a significant decision about information governance under the Personal Health Information Protection Act. Specifically, it held that a hospital that gives a physician access to an electronic medical record for use in private practice is a health information custodian together with the physician, but that it can retain a duty to notify of a breach arising out of the private practice.

Background

The hospital maintained an EMR system and gave access to its credentialed physicians and their employees for use in private practice. Employees in two such private practices accessed EMRs without authorization. The hospital notified affected patients and reported the breach to the IPC, which led the IPC to investigate.

In the course of the investigation it came to light that some of the employees had shared their login credentials with others outside of the hospital, but apparently to enable health care. The employees also apparently accessed some records (for non-health care purposes) with the consent of friends or family members. Both of these actions violated hospital policy.

Decision

The IPC held that the access enabled by credential sharing and the access made with the consent of family members were both made in breach of PHIPA. Although these were more benign forms of unauthorized access, the IPC found a breach based on section 10(2) of PHIPA, which states, “A health information custodian shall comply with its information practices.”

Regarding the identity of the custodian, the IPC held that both the hospital and the two private practice physicians were custodians in the circumstances – the physicians being custodians “when they access patient information in [the EMR] for the purpose of providing health care to their private practice patients.” Such access, the IPC explained, involves a disclosure by the hospital and a collection by the physicians; in this context the physicians were not the hospital’s agents.

Despite the physicians’ custodianship, the IPC held it was appropriate for the hospital to notify in the circumstances. It said:

[122] In the cases under review, THP and the private practice physicians also treated THP as the health information custodian responsible for notifying affected individuals of the private practice employees’ unauthorized accesses in THP’s EMR. In these circumstances, I agree that THP was the appropriate party to give notice under section 12(2) of PHIPA. As the health information custodian who maintains the EMR, THP was best placed to discover and investigate the extent of the employees’ activity in the EMR, identify all the parties whose personal health information had been accessed without authority, and initiate contact with these individuals, all of whom are THP patients, but some of whom may not have any relationship with the particular private practice physician for whom the employee worked. In these cases, notification by THP was appropriate, taking into account not only the language of section 12(2) but also the interests of the affected individuals.

[123] I also agree with THP that in some circumstances, notification by the collecting custodian may be more appropriate, and a reasonable approach to fulfilling the notice obligation in section 12(2). For example, in a case where the private practice physician has a more significant relationship with the patient whose privacy was breached, notice from that physician (rather than from the custodian who disclosed the information) may be prudent. So long as the notice is given as required upon the events described in section 12(2) (and complies with the other requirements of that section), I agree with THP that circumstances such as the patient’s interests and the relationships between the patients and the various custodians involved may be relevant factors in deciding how best to fulfil the notification obligation. I am not persuaded that applying such an approach to notification in future cases would have the consequences of discouraging hospitals from adopting EMR technologies, or from participating in broader initiatives like a provincial electronic health record system.

Implications

The kind of shared accountability invited by this decision can cause confusion and risk. It will behoove hospitals and other custodians who provide shared access to their EMR systems to be very clear and detailed in establishing who is responsible for what. The hospital in this case, for example, decided post-incident to make clearer that physicians who are given outside access are responsible for training and supervising their employees. It also expressly obligated physicians to participate in privacy investigations arising from the actions of an employee.

The IPC’s finding on who provides notification is very qualified, and rests partly on the fact that the hospital in this case voluntarily provided notification to affected individuals. While taking control of notification may be beneficial to hospitals that maintain and provide third-party access to EMR systems, providing notification may also signal responsibility for a breach and for related risks that hospitals have little or no ability to control. The hospital in this case dealt with this tension by stipulating to its physicians that they may be named in hospital notification letters “as being responsible for the breach.” Other hospitals may wish to require physicians to notify themselves in certain circumstances. The IPC’s decision does not appear to preclude such alternatives.

Trillium Health Partners (Re), 2020 CanLII 15333 (ON IPC).

Records stored on legacy system not “records” for FOI purposes

On January 27th, the IPC/Ontario held that records stored only on a legacy backup system were not “records” accessible under Ontario’s public sector access statute.

The requester asked for all records that showed access by a named employee to their own and their spouse’s service department records at a municipality.

The institution provided a fee estimate of $130 for data going back 28 months. For older data, the institution needed to restore data from tapes from a backup system that it had discontinued. It produced estimates (of $19,000 and $13,000) that included work to purchase a new tape drive and software, but on appeal argued the backup records were not accessible because they were not capable of being produced “by means of computer hardware and software or any other information storage equipment and technical expertise normally used by the institution.” The IPC agreed.

Sudbury (City of Greater) (Re), 2020 CanLII 8240 (ON IPC).

The five ways of a strong privacy officer

It has been a few years since Carswell published its Managing Personal Information text, but this morning I had cause to look up a chapter on information governance that I contributed. I had forgotten about what I had written about the qualities of a privacy officer, but liked what I read and thought I would share it here.

Acting in support of self-policing is not an easy role. With this in mind, here is a list of good behaviors for privacy officers to demonstrate:

  • Flexibility. Privacy officers should understand that few things required by privacy statutes are black and white and should be prepared to accommodate reasonable business risk.
  • Creativity. Privacy officers should be prepared to help line managers think creatively about how to manage around privacy-related constraints in a responsible manner.
  • Benign skepticism. Privacy officers should give others the benefit of the doubt, while also looking diligently for objective evidence of non-compliance.
  • Fairness and consistency. Privacy officers should take an even-handed approach to their duties, treating all departments and employees in a principled and objective manner. They should deal with similar scenarios in similar ways.
  • Empathy. Privacy officers should communicate the rules with a view to helping audience members comply and should be understanding of audience members’ business demands.

Privacy officers should strive to foster and protect their credibility with line management. This involves demonstrating unwavering commitment to the principles underlying their privacy programs, yet a willingness to apply those principles in a manner that invites respect and keeps “doors open.”

Thank you Claudiu Popa for involving me in your book project. For more about Managing Personal Information and to purchase a copy see here.

Workplace privacy panel at the #CIAJ “Privacy in the Age of Information” conference

I’m midway through the Canadian Institute for the Administration of Justice “Privacy in the Age of Information” conference in St. John’s, Newfoundland. It’s been a great conference so far, with quality presentations on tough administration-of-justice issues like cyberbullying, the right to be forgotten and state surveillance.

My contribution was on the workplace privacy panel with Paul MacDonald of Cox & Palmer (as moderator), Emma Phillips of Sack Mitchell and Melanie Beuckert of the Court of Appeal of Manitoba. I started with a short “management perspectives” address and then Emma and I debated a variety of issues, including computer access and monitoring, off-duty conduct and the exclusion of surveillance evidence at labour arbitration. Melanie played the “straight person” role wonderfully. It was fun, and I advanced my thinking about these issues significantly.

In preparation I worked up the speaking notes below, which capture some of the ideas I contributed to the discussion.

Cole and Tsige: Clarifying the implications in the workplace

This is the title of an OBA panel discussion I participated in today with Christopher Du Vernet, counsel to Sandra Jones in the 2012 case that created our intrusion upon seclusion tort. These are my speaking notes.

The other side of the balance: employer interests, work systems and R v Cole

Here’s a link to an essay that describes the impact of the Supreme Court of Canada’s decision in R v Cole – the work system privacy case. I appeared with my colleague Joseph Cohen-Lyons on behalf of the Canadian Association of Counsel to Employers, and the paper represents the intellectual end point of a great experience. Whether you agree with the position or not, I hope it sparks some ideas!

Acceptable use policies – answers to ten common employer questions

I’ve been doing substantial work on employer acceptable use policies lately and would like to publish a draft Q&A for feedback.

If you have feedback please comment or send me an e-mail.

Dan

1. What should employers do today to ensure their acceptable use policies effectively manage the implications of personal use?

In light of recent developments, employers should ensure that their acceptable use policies (1) articulate all the purposes for which management may access and use information stored on its system and (2) make clear that engaging in personal use is a choice employees make that involves the sacrifice of personal privacy.

2. What are the most common purposes for employer access?

Consider the following list: (a) to engage in technical maintenance, repair and management; (b) to meet a legal requirement to produce records, including by engaging in e-discovery; (c) to ensure continuity of work processes (e.g., employee departs, employee gets sick, work stoppage occurs); (d) to improve business processes and manage productivity; and (e) to prevent misconduct and ensure compliance with the law.

3. How should employers describe the scope of application of an acceptable use policy?

Acceptable use policies usually apply to “users” (employees and others) and a “system” or “network.” To effectively manage employee privacy expectations, policies should make clear that devices (laptops, handhelds…) that are company-owned and issued for work purposes are part of the system or network even though they may periodically be used as stand-alone devices.

4. Should employers have controls that limit access to information created by employees even though they don’t want to acknowledge that employees can expect privacy in their personal use?

Access controls are an important part of corporate information security. Rules that control who can access information created by employees (e.g., in an e-mail account or stored in a space reserved for an employee on a hard drive) are, first and foremost, for the company’s benefit. Access controls should be clearly framed as being created for the company’s benefit and not for the purpose of protecting employee privacy.

5. How should passwords be addressed in an acceptable use policy?

Password sharing should be prohibited by policy. Employees should have a positive duty to keep passwords reasonably secure. An acceptable use policy should also make clear that the primary purpose of a password is to ensure that people who use the company system can be reliably identified. Conversely, an acceptable use policy should make clear that the purpose of a password is not to preclude employer access.

6. Does access to forensic information raise special issues?

Yes. Acceptable use policies often advise employees that their use of a work system may generate information about system use that cannot readily be seen – e.g., information stored in log files and “deleted” information. It is a good practice to use an acceptable use policy to warn employees that this kind of information exists and may be accessed and used by an employer in the course of an investigation (or otherwise).

7. How should an employer address the use of personal devices on its network?

Ensuring work information stays on company-owned devices has always been the safest policy, though cost and user pressures are causing a large number of organizations to open up to a “bring your own device” policy. Employers who accept “BYOD” should use technical and legal means to ensure adequate network security and adequate control of corporate information stored on employee-owned devices. For example, employers may require employees to agree to let the employer remotely manage their own devices as a condition of use, and with an understanding that they will sacrifice a good degree of personal privacy.

8. Should an acceptable use policy govern the use of social media?

Only indirectly. An acceptable use policy governs the use of a corporate network. A social media policy governs the publication of information on the internet from any computer at any time. In managing social media risks, employers should stress that publications made from home are not necessarily “private” or beyond reproach, so putting internet publication rules in an acceptable use policy sends a counter-productive message.

9. Should employers utilize annual acknowledgements?

Annual acknowledgements are not a strict requirement for enforcing the terms of an acceptable use policy but are helpful. The basic requirement is to give notice of all applicable terms in a manner that allows knowledge to be readily inferred in the event of a dispute. “Login script” with appropriate warning language is also common and helpful. Nowadays, a good login script will say something like, “If you need a confidential means of sending and receiving personal communications and storing personal files you should use a personal device unconnected to our system.”

10. Are there special concerns for public sector employers?

Most public sector employers in Canada are bound by the Canadian Charter of Rights and Freedoms and by freedom of information legislation. Many have workforces that are predominantly unionized. The guidance to public sector employers on their acceptable use policies is no different than to employers in general, but the need to manage expectations that employees may derive from personal use is particularly strong for public sector employers given the legal context in which they operate.