COVID-19: Privacy Tips for the Ontario Health Sector
I am a calm and logical person. We are facing unprecedented impact in our world and that causes uncertainty and instability for everyone. I have felt a bit unsettled for a few days now. When I feel like that, I need practical, concrete information to help me make informed choices. If I am feeling like this, I know others are feeling like this too.
As leaders of the healthcare system, you have the responsibility to earn and build trust in this uncertain environment. I know that is what you do every day under usual circumstances. Now even more so.
Here are my initial thoughts about how to address the privacy issues at hand. If you need legal advice, please contact me directly.
- Mandatory reporting of communicable diseases to the Medical Officer of Health
The Health Protection and Promotion Act trumps privacy considerations. It is mandatory to report individuals tested for COVID-19, possible carriers and those diagnosed with it to your local public health unit. There is a link to finding your local public health unit by postal code or municipality: https://www.phdapps.health.gov.on.ca/phulocator/
If someone asks you not to report them to public health, you will need to explain that the report is mandatory. It is possible someone could complain to the Information and Privacy Commissioner about your mandatory report. The IPC already deals with complaints about other kinds of mandatory reports (like to a Children’s Aid Society for a child in need of protection or reports of individuals who are unfit to drive) and will support healthcare organizations that follow the public health mandatory reporting guidelines.
- Sending COVID-19 informational emails to all patients
I have been asked if it is permitted for healthcare organizations to use email addresses to send COVID-19 information to all patients. I think this is a great idea with a few considerations:
- There is a declared pandemic and concrete information from health experts is useful for people to receive.
- You are allowed to communicate with anyone you provide service to in ways in which they have given you their contact information (unless you bought those email addresses).
- Ensure the communication is not specific to any patient. If the email contains only general information and no identifying information, it will be a low-risk communication.
- When sending batch or mass emails, be very careful not to attach anything clinical to the email. For example, do not accidentally attach a PDF of a specific patient’s health information. Take extra time before sending a mass email. Do a “preview” of the email before sending it so you can see what recipients will receive.
- If you have not used email very often (or ever), such a mail-out will help you weed out old email addresses, because you will get a bounce back from people who no longer work at that email address or for addresses that have expired. Given that the communication will not include names, any misdirected emails will contain no information (other than that the person was on your mailing list).
- If you have the express consent of patients to communicate important information to them by email, they will be anticipating this communication.
- Be prepared that individuals may want to start emailing you back. Be clear how recipients can receive information from you and whether you will respond to emails.
Please note: Communicating with patients by email is not totally without risk. It is possible that you will send a message to an email address that is no longer in use or that is read by the wrong recipient, and that someone receiving it will make a privacy complaint that they learned an individual is affiliated with your team as a patient. I think that is a low risk.
Exercise more caution over using email if you provide very specific health services where even the association of your name with an individual could reveal highly sensitive health information.
- Telehealth and remote clinical meetings
Telehealth and telephone consultations can be vital strategies to assist with social distancing and reduce the negative impacts of COVID-19 on our strained healthcare organizations. If your team has the capacity to do scheduled appointments through Ontario Telehealth Network or over the phone, those options may be lifesaving. I understand the Ontario government is clarifying billing codes and options for delivering service remotely.
It is not illegal to use other digital services or platforms for communicating with patients remotely. However, there are precautions you should take before using digital communication tools:
- Not all clinical appointments are appropriate for remote consultation – exercise caution and judgment from a patient safety lens.
- If you work for an organization, you should clarify with your supervisor or Privacy Officer if you are authorized to use digital tools to communicate with patients and if so, their preferred tools.
- If your organization has never used digital tools before but is doing so because of the pandemic, be transparent about that with your participating clinicians and patients:
  - Explain that the situation is in response to urgent need.
  - Do not commit to using them indefinitely.
  - Explain that the tool may not be secure (unless you know it is secure).
  - Explain who on your team can use them, and who cannot.
  - Provide alternatives for how to engage with your team in person, by phone or other means during the pandemic.
  - Seek consent (oral consent is fine – you write down that you received the patient’s consent).
- If you have used the tools before, you may wish to remind your patient community that the tools are available to them as an alternative to attending in person.
- Make sure to record all clinically relevant information in your traditional health records.
- Be clear about boundaries of using the technology (such as: not for an emergency, hours of service, types of consultations, response times etc.).
- Implement as many privacy protections as you can using the technology. Read the privacy policies of the digital tools and activate all their privacy recommendations.
Snooping by staff becomes a real risk during any kind of emergency, including a pandemic. Tell your team not to read patient files unless they need to do so as part of their job and if patients are assigned to them to provide care.
Health information custodians are permitted to use identifiable patient information without patient consent in order to: plan programs, address errors or quality issues, teach staff, and for research (with research ethics board approval) among other purposes. However, individual staff members should not create self-initiated learning projects about COVID-19. Explain how staff can learn about COVID-19. You want to avoid their temptation to read files out of curiosity.
You may choose to flag the records of any patients tested for or diagnosed with COVID-19 for additional auditing by your Privacy Office to ensure you detect and deter unauthorized access to those records.
Please let me know if I can be of assistance to you.