During the course of working with this office on a privacy breach file, a Health Centre notified the Information and Privacy Commissioner of Ontario that additional possible unauthorized accesses by a number of employees had been discovered. This file was opened to address the additional unauthorized accesses and the systemic issues related to the breaches.
The Health Centre ultimately determined 28 of those accesses to be breaches of the Act. This decision concludes that at the time of the breaches the Health Centre had inconsistencies regarding staff requirements to sign confidentiality and EMR authorized user agreements, there was an inadequate privacy notice on the Health Centre’s EMR system, and a formal privacy breach policy was not in place. As such, this Decision finds that at the time of the breaches, the Health Centre had not taken reasonable steps to protect the personal health information within the meaning of section 12(1) of the Act. However, this decision also finds that the Health Centre has since remedied these issues.
This decision also finds that the Health Centre did not provide the patients affected by this breach the notification required by section 12(2) of the Act. Specifically, the Health Centre did not provide notice of the breach “at the first reasonable opportunity.”
Lastly, I decide that no review of this matter is warranted.