Watch departing employees – what happens if they have health records at home?
Decision 69 of the Information and Privacy Commissioner of Ontario was just released.
A former hospital employee (a registered health professional who was employed as a Research Coordinator) removed 15 health records, 36 research files and 2 data collection sheets from the hospital’s premises without authorization. The hospital notified police, although it did not believe the former employee was acting with malice.
The former employee said she didn’t remember taking the records off site and, in any event, no longer had them. This was an issue of inappropriate access and loss of health records.
There was no evidence of intentional theft. The records were lost.
The IPC concluded that the hospital took adequate steps to respond to the situation by: following its privacy breach protocol, adequately containing the situation, notifying affected individuals, conducting an investigation and updating its practices with respect to annual confidentiality agreements, privacy training, implementing tighter control over health records, anonymizing research files, implementing sign out protocols and updating its policies for departing employees.
This case is a good reminder to implement the following privacy protocols:
- Health records should NOT leave your premises unless they must, and if they must, only with authorization and tracking
- Ensure any employee departing your team returns any kind of health information they may have signed out or have at home – that should be a term of their departure agreement
- Research records can be records of personal health information – if your team does research, you must have protocols to protect those records
Here is a summary of all 70 IPC decisions.