Our goal is to promote confidence in the digital health care system by guiding custodians to respect the privacy and access rights of Ontarians, and supporting the pioneering use of personal health information for research and analytics to the extent it serves the public good.
Planning is an essential part of preparing for the inevitable changes in life. If you are a health care practitioner, a good succession plan can ensure that you protect the people you serve from an interruption to their health care or a breach of their privacy if you change your practice.
Every year the IPC receives complaints related to abandoned records. These complaints are distressing for those whose privacy is compromised, and time-consuming for my office to investigate and settle. The IPC recently conducted a cross-jurisdictional review of this complex issue and found the cause of abandoned records is typically an unexpected change in practice — when a health care practitioner retires or moves, becomes incapacitated or dies unexpectedly.
As a result of our review, the IPC has released a new fact sheet, Succession Planning to Prevent Abandoned Records. This document outlines some best practices for health information custodians to prevent abandoned records and their associated repercussions.
Health information custodians have obligations under Ontario’s privacy laws to protect the information in their custody. Changes happen. When they do, a succession plan can help you ensure the health information in your care is secure.
This publication replaces the guidance document, What to do When Faced With a Privacy Breach: Guidelines for the Health Sector.
This new, updated guide highlights the importance of having a detailed privacy breach protocol and explains the steps to take in responding to a breach under Ontario’s health privacy regulations. It includes advice on how to contain a breach, notify affected individuals and what information you should record for reporting breaches. The guide also describes when to report breaches to the IPC and regulatory colleges and gives some practical advice for minimizing the risk of future breaches.
A particularly rough influenza season this year has contributed to a healthy interest in statistical information related to flu outbreaks.
The public wants to know how serious the flu-threat is in their community, a risk often measured by the number of local flu-related deaths.
Recently, our office has been contacted by individuals having difficulty getting this type of non-identifying statistical information from local health authorities. Privacy is the most cited reason for withholding it.
Privacy laws do not prohibit the release of non-identifying statistical information. Health stats of this type can provide critical insights about disease trends — information the public has a right to know. If health authorities have this information, they should release it.
Our office encourages all public institutions to be as transparent as possible in releasing information that is of interest to the public. Institutions that adopt a proactive stance, one aimed at enhancing the public’s right to access information, are supporting accountability and building trust in their organization.
Access and privacy are not mutually exclusive — it is possible to achieve openness and transparency in a privacy-protective way. If you haven’t done so already, I encourage you to take a look at some of the many practical guidance materials our office has developed to help institutions achieve these goals.
Brian Beamish,
Information and Privacy Commissioner of Ontario
Just about everyone is asked at one time or another to provide photo identification. Being asked for your health card for identification purposes has raised a few questions about when it is acceptable to ask for or show a health card for this purpose. This is especially true for individuals whose health card is their only piece of photo identification.
In Ontario, only individuals or institutions that provide you with provincially funded health care services may require that you present your health card. For example, a doctor’s office, hospital, walk-in clinic or medical laboratory can ask to see your health card if they are providing you with health care.
Ontario’s health privacy law, however,does not prohibit you from volunteering your health card for identification purposes. While you are free to show your health card to organizations outside of the health care system, organizations not directly involved in the delivery of provincially funded health care are not permitted to make note of, record, collect, or use a health number for identification purposes.
Individuals and organizations rely on email for its convenience, speed and economy. Health information custodians are no exception. While email offers many benefits, it also poses risks to the privacy of individuals and to the security of personal health information. This sensitive information must be well protected as any unauthorized collection, use or disclosure may have far-reaching consequences for patients. It is important for custodians to understand these risks and take steps to mitigate them before using email to communicate personal health information.
Today the IPC published a new fact sheet that describes the risks of using email and custodians’ obligations under the Personal Health Information Protection Act. It outlines some of the technical, physical and administrative safeguards needed to protect personal health information when communicating by email and the policies, procedures and training custodians should have in place.
