Trust in Digital Health

Our goal is to promote confidence in the digital health care system by guiding custodians to respect the privacy and access rights of Ontarians, and supporting the pioneering use of personal health information for research and analytics to the extent it serves the public good.

Our work to further this goal includes:

S4-Episode 11: The best of season 4
Topics: Artificial Intelligence, Children and Youth in a Digital World, Next-Generation Law Enforcement, Privacy and Transparency in a Modern Government, Trust in Digital Health
Type: Podcast

In this special retrospective episode of Info Matters, Commissioner Patricia Kosseim revisits season four’s standout conversations. Highlights include junior high students' views on privacy, Cynthia Khoo on facial recognition, and Robert Fabes on how people experiencing homelessness perceive privacy. Dr. Devin Singh explores AI in health care, while Priya Shastri from WomanAct discusses information sharing in safety planning for survivors of intimate partner violence. The episode also covers the use of digital educational tools in the classroom, mediation in access appeals at the IPC, conversations about the IPC’s Transparency Showcase, and IPC health privacy cases involving cyber attacks and abandoned records.

Ensuring secure disposal of health records: Out of sight is not out of mind!
Topics: Health, Privacy and Transparency in a Modern Government, Trust in Digital Health
Type: Case of Note

Case of Note: PHIPA Decision 266

Background

A complaint was brought to the Information and Privacy Commissioner of Ontario (IPC) alleging that a health clinic had failed to securely dispose of records of personal health information (PHI). To support the allegations, photographs of patient records found discarded in an unsecured recycling bin were provided.

The IPC wrote to the clinic to inquire into the allegations. The clinic provided a report to the IPC which raised additional concerns and the IPC initiated an investigation into the matter.

The IPC investigator took custody of the records retrieved from the recycling bin. Despite many of the records being shredded or torn by hand, the investigator was able to recover some sensitive information. This included dates of patient visits, a self-reported health history, a patient’s date of birth, and six other complete patient names associated with the clinic.

During the investigation, the clinic explained that staff began disposing of records to make more space. Some records were shredded, others were hand torn to avoid noise from the shredding machine that might disturb patients during appointments. The discarded records were picked up by cleaners biweekly and placed in a dumpster in a locked garage area of the plaza where the clinic is located. From there, the garbage would be picked up weekly by the local garbage collector.

The clinic acknowledged that the cleaners would have had access to the insecurely destroyed material. It recognized that further steps should have been taken to ensure secure disposal of this information. The clinic also advised that it lacked written policies or procedures for record retention and secure record destruction or disposal. Instead, staff relied on verbal instructions, which the clinic admitted were insufficient.

The clinic notified affected patients of the breach by sending an initial notification letter to affected individuals. Subsequently, the clinic sent another notification letter to nearly 500 patients who may have also been affected.

Findings

The investigator found that at the time of the breach, the clinic was not in compliance with several sections of the Personal Health Information Protection Act (PHIPA). These include legal requirements for health information custodians to:

  • take reasonable safeguards to protect personal health information (s. 12(1)),
  • securely handle and dispose of records (s. 13(1)),
  • have proper information practices in place (s. 10(1)), and
  • follow those practices (s. 10(2)).

The investigator concluded that the clinic’s lack of measures and safeguards resulted in its failure to ensure that records of PHI in its custody or under its control were retained and disposed of in a secure manner.

To address the investigator’s concerns, the clinic created and put in place policies and training. This included a new privacy policy to address how the clinic routinely collects, uses, modifies, discloses, retains or disposes of PHI. The clinic also created a client records policy outlining specific measures to be taken to safeguard and securely dispose of client records.

All staff were required to review the new policies and submit a written acknowledgement of their understanding and willingness to comply with them. Two training sessions were also held to familiarize staff with the updated privacy practices and the clinic committed to conducting biannual training going forward. The clinic also updated its employee handbook with additional resources related to its obligations under PHIPA, including a PHIPA training video and links to the entire statute and other resources.

The investigator concluded that these remedial steps brought the clinic into compliance with PHIPA.

Lastly, the investigator found that the unsecured disposal of PHI constituted a loss of PHI, triggering the obligation to notify all affected individuals. While the clinic did provide notice, the investigator found a deficiency with the initial notification letter (which was remedied) and found that notice should have been provided more quickly. However, overall, the investigator was satisfied that the clinic provided the notification required by section 12(2) of PHIPA.

Key takeaways

  1. Health information custodians (HICs) must ensure that PHI of their patients is secure at all times, including during the record disposal process.
  2. HICs must have privacy policies in place that address how they collect, use, modify, disclose, retain or dispose of PHI. These policies should specifically address measures to be taken to protect the security of patient records and the secure disposal of these records.
  3. Procedures for secure record disposal depend in part on the storage media used. If dealing with paper, as in this case, records should not simply be torn by hand. They should be properly shredded using a cross-shred or micro-cut shredder to ensure that the records cannot later be reconstructed. This can be done on-site, or, if using an outside agency, a formally signed contract or agreement should be in place. The agreement should address the need to ensure security and confidentiality of records during the disposal process and indicate the specific disposal method to be used.
  4. HICs should provide all staff with regular training on privacy policies and practices and the secure disposal of client records. Staff should receive training annually and be required to submit signed attestations acknowledging that they have read and understand the privacy policies.
  5. HICs must notify affected individuals when personal health information in their custody or control is stolen or lost or used or disclosed without authority. Unsecured disposal of PHI constitutes a loss of PHI, triggering the obligation to notify affected individuals.

Additional Resources

IPC Comments on the transfer of the Critical Care Information System from Hamilton Health Sciences Corporation to Ornge
Topics: Trust in Digital Health
Type: Advice and Submissions

IPC comments on proposed amendments to Ontario Regulation 329/04 to support the transfer of the Critical Care Information System from Hamilton Health Sciences Corporation to Ornge, and to maintain the practices and procedures to ensure continued protection of personal health information during the transfer.

The IPC raises concerns about privacy and access to personal health information under Bill 231, the More Convenient Care Act
Topics: Health, Trust in Digital Health
Type: Advice and Submissions

Schedule 6 of Bill 231, the More Convenient Care Act, introduces a complex initiative to enable Ontarians' use of a digital health identity tool with the intent that Ontarians will use it to access their health records. It contains significant changes to Ontario’s health privacy law that put Ontarians' health privacy at risk and limit rather than enable their access rights.

Joint Investigation into LifeLabs Data Breach
Topics: Health, Trust in Digital Health
Type: Special Reports

The joint investigation report concerning the 2019 cyberattack on LifeLabs’ computer systems was completed in June 2020. The Ontario Court of Appeal recently dismissed LifeLabs’ bid to block public release of the report.

Commissioner’s letter to the Ministry of Health about proposed regulatory amendments under the Personal Health Information Protection Act
Topics: Trust in Digital Health
Type: Advice and Submissions, Letters

In her letter, Commissioner Kosseim recommends that the ministry reconsider its proposal to better facilitate Ontarians’ easy and meaningful access to their records in the provincial Electronic Health Record. The commissioner also recommends that the ministry carefully consider transparency and accountability of the proposed digital ecosystem to access those records.

Comments responding to the proposal to enhance personal health information contributed to the provincial electronic health record (EHR)
Topics: Trust in Digital Health
Type: Advice and Submissions

Letter to the Ministry of Health responding to the changes proposed under the PHIPA regulation mandating contribution of personal health information to the electronic health record, and reiterating the need to ensure that personal health information is protected in systems used to assist in providing health care.

Administrative monetary penalties under the Personal Health Information Protection Act
Topics: Trust in Digital Health
Type: Professional Guidelines

The Office of the Information and Privacy Commissioner of Ontario (IPC) is committed to protecting personal health information using a flexible and balanced approach that addresses privacy violations while encouraging accountability, learning, and continuous improvement.

As of January 1, 2024, the IPC has the discretion to issue administrative monetary penalties (AMPs) as part of its enforcement powers for violations of the Personal Health Information Protection Act (PHIPA).

Penalties are up to a maximum of $50,000 for individuals and $500,000 for organizations. AMPs may be issued for the purposes of encouraging compliance with PHIPA or preventing a person from deriving — directly or indirectly — any economic benefit from contravening the law.

Learn more about the criteria for AMPs and how the IPC will determine penalty amounts in our guidance.

If you have additional questions about AMPs, email us at @email.

Administrative Monetary Penalties: Guidance for the Health Care Sector
Topics: Trust in Digital Health
Type: Professional Guidelines

As of January 1, 2024, the IPC has the discretion to issue administrative monetary penalties as part of its enforcement powers for violations of the Personal Health Information Protection Act (PHIPA). Download the guidance document to learn more.

Submission for Bill 135, Convenient Care at Home Act, 2023, which would amend the Connecting Care Act, 2019
Topics: Trust in Digital Health
Type: Advice and Submissions

In this letter to Brian Riddell, Chair of the Standing Committee on Social Policy, the IPC makes recommendations in relation to proposed amendments to the Connecting Care Act, 2019.
