Health Privacy Update: New IPC decision in health privacy released – now 70
Ding ding ding. New health privacy decisions are out!
The Information and Privacy Commissioner of Ontario just released decision 70 – we are still missing decisions 68 and 69. I will let you know when they are posted on the IPC’s site. Here’s my summary of all IPC PHIPA Decisions UPDATE: The other two have now been released.
Decision 70 involved a long-term care home. A long-term care home employee took files home and lost records relating to two prospective residents. The information included community care access centre (CCAC) files including names, addresses, medical diagnosis, medical history, contact information, treating physician names and health card numbers. The home notified the affected individuals. The home did not permit staff to take patient files home with them. The employee had done so due to workload issues and inexperience.
IPC concluded that the long-term care home had not done enough to prevent the breach. The home’s policies and confidentiality agreement should have prohibited the removal of files of identifiable health information from the facility.
IPC document “What to do when faced with a privacy breach” was identified as a source for reminders how to prevent privacy breaches.
In response to the breach, the home updated its policies to prohibit removal of identifiable health information from the facility and updated its staff training accordingly. The home met with employee and provided time management training and retraining on privacy.
Health Privacy Officers – make sure your policies specifically include a statement that identifiable health information is not to be removed from the office. You may wish to add a caveat along the lines of: “unless you have a supervisor’s approval or if required by law – like attending at court”. Add similar language to your annual confidentiality statement as well.
I get questions about taking information home all the time. There is a lot of pressure to complete assessments within “normal business hours” and when I am doing in person training I hear that sometimes clinicians take patient charts home to work on.
Heads up. If you intend to take identifiable information off site – you need to know whether the facility or office where you work allows you to do so. In most cases, you should not take paper copies or unencrypted electronic information off site. If you must work from home, you should instead remote access into your clinical environment using a virtual private network. From time to time, you may be allowed to take identifiable information off site. If you do – you must be on your privacy game!
In this scenario for Decision 70, the employee was a social worker who was fairly inexperienced and had too much to do. She didn’t ask anyone whether she could take files home to do work from home. On her way home, she stopped off to have a workout. Somewhere between leaving work and getting home, she lost the files. This is a cautionary tale. If you have identifiable health information with you – you should take it straight home and not stop off and leave it where you could lose it or it could be stolen.
Last chance! My Privacy Officer training starts May 8th – but I am closing the registration tomorrow night.