Preventing health privacy breaches: Why training, policies, and confidentiality agreements matter

Case of Note: PHIPA Decision 260

Background

A public hospital was alerted to suspicious activity on a patient chart, and initiated an investigation, which included a targeted audit. The audit revealed that nearly 4,000 patient charts had been accessed by a physician without authorization, from a remote workstation outside of work hours. None of these patients were under the physician’s care.
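The audit described above turned on three signals that are routinely available in electronic health record access logs: the accessing user had no care relationship with the patient, the access came from a remote workstation, and it happened outside working hours. As an added illustration, not part of the IPC decision or the hospital's own tooling, the Python below runs that kind of targeted audit over a constructed access log. The CSV layout, field names, user identifiers, and the 07:00 to 19:00 business-hours window are all assumptions made for the example.

```python
"""Targeted EHR access audit: surface chart accesses with no care relationship.

Constructed example (not from PHIPA Decision 260): each audit record carries
the accessing user, patient id, timestamp, workstation location, and the
patient's care team. Accesses by someone outside the care team are grouped
per user so that one account touching many unrelated charts stands out, with
remote and after-hours access recorded as aggravating reasons.
"""
from collections import defaultdict
from datetime import datetime, time
import csv
import io

# Constructed audit log; columns: user,patient_id,timestamp,location,care_team
# (care_team is a semicolon-separated list of user ids).
SAMPLE_AUDIT_LOG = """\
user,patient_id,timestamp,location,care_team
dr_a,P1001,2023-03-04T22:15:00,remote,dr_b;rn_c
dr_a,P1002,2023-03-04T22:17:30,remote,dr_d
dr_a,P1003,2023-03-04T22:19:10,remote,dr_b
dr_b,P1001,2023-03-06T09:30:00,onsite,dr_b;rn_c
rn_c,P1001,2023-03-06T14:05:00,onsite,dr_b;rn_c
dr_d,P1002,2023-03-06T11:00:00,onsite,dr_d
"""

# Assumed working day; a real deployment would take this from site policy.
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def parse_audit_log(text):
    """Parse CSV audit text into dicts with a datetime and a care_team set."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["timestamp"] = datetime.fromisoformat(rec["timestamp"])
        rec["care_team"] = set(filter(None, rec["care_team"].split(";")))
        rows.append(rec)
    return rows


def is_off_hours(ts):
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def flag_access(rec):
    """Return the reasons an access is suspicious; an empty list means clean."""
    reasons = []
    if rec["user"] not in rec["care_team"]:
        reasons.append("no_care_relationship")
    if rec["location"] == "remote":
        reasons.append("remote")
    if is_off_hours(rec["timestamp"]):
        reasons.append("off_hours")
    return reasons


def audit_report(rows, min_unrelated_charts=2):
    """Group accesses lacking a care relationship by user.

    Returns {user: {"charts": [distinct patient ids], "reasons": [reasons]}}
    for every user whose distinct unrelated charts reach the threshold.
    """
    per_user = defaultdict(lambda: {"charts": set(), "reasons": set()})
    for rec in rows:
        reasons = flag_access(rec)
        if "no_care_relationship" not in reasons:
            continue  # care-team access is legitimate and not reported
        entry = per_user[rec["user"]]
        entry["charts"].add(rec["patient_id"])
        entry["reasons"].update(reasons)
    return {
        user: {"charts": sorted(e["charts"]), "reasons": sorted(e["reasons"])}
        for user, e in per_user.items()
        if len(e["charts"]) >= min_unrelated_charts
    }


if __name__ == "__main__":
    for user, detail in audit_report(parse_audit_log(SAMPLE_AUDIT_LOG)).items():
        print(f"{user}: {len(detail['charts'])} unrelated charts; "
              f"reasons={detail['reasons']}")
```

The care-team check does the real work; remote and off-hours are kept as supporting context rather than triggers on their own, because legitimate on-call access is often both remote and after hours. Against the constructed log, only `dr_a` is reported, with three unrelated charts.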

The physician admitted to accessing the electronic health records for educational purposes. The physician thought accessing the electronic health records of patients remotely for this purpose was permitted. The hospital reported there was no evidence of inappropriate disclosure or unauthorized access after this issue was raised with the physician. In response to the breach, the physician had to undergo privacy training, which was completed in 2023 and 2024.  

At the time of the breach, the hospital did not have a specific policy on the use of personal health information for education purposes. The hospital’s physicians, including the physician in question, were not provided privacy training or training on the use of personal health information for education purposes. The hospital advised that it did provide privacy training during onboarding and annually for its non-physician agents. However, the hospital discovered that only 50.4 per cent of its non-physician agents had completed the required privacy training in 2023.

The hospital’s policy required all agents, including physicians, to sign confidentiality agreements upon hire and on an annual basis. The investigation revealed that the physician had signed a confidentiality agreement when hired, but not annually. The hospital explained that at the time of the breach it had no formal process for having physicians sign confidentiality agreements or for tracking their completion. As with privacy training, the hospital discovered that only 50.4 per cent of its non-physician agents had signed a confidentiality agreement in 2023.

Findings

The hospital reported the breach to the Information and Privacy Commissioner of Ontario (IPC). The IPC investigator found that, at the time of the breach, the hospital was in violation of PHIPA due to:

  • its lack of privacy training for physicians
  • failure to ensure annual confidentiality agreements were signed by physicians
  • failure to ensure that non-physician agents also completed the required training and signed the annual confidentiality agreements
  • the absence of a policy or guidance about the use of personal health information for education purposes  

The hospital addressed these deficiencies by putting in place an electronic credentialing system. A privacy officer was assigned to track the completion of initial and annual mandatory privacy training for all agents, including physicians.

The hospital also required the physician to re-sign a confidentiality agreement. Additionally, all physicians were required to re-sign their confidentiality agreements in 2024 through the online credentialing and tracking system. The signing of confidentiality agreements is now bundled with privacy training and tracked by the privacy officer in the same way.

In addition, the hospital took steps to update and strengthen the content of its privacy policies and confidentiality agreements to provide clear direction for all agents, including physicians, on the use of personal health information for education purposes.

As a result of these efforts, 100 per cent of all physicians (including the physician involved in the breach) had completed their privacy training and signed their annual confidentiality agreements in 2024. Similarly, all full-time and part-time non-physician agents had also completed these requirements in 2024.  

Given that the hospital took action to address the privacy issues identified, the investigator was satisfied that the hospital now had adequate measures in place to comply with sections 10 and 12(1) of PHIPA. The investigator concluded that a formal review under PHIPA was not necessary, and the matter was closed. 

Key takeaways

  1. Health information custodians (HICs) must provide privacy training for all agents, including physicians, upon hire and on an annual basis. This training must include guidance on the use of personal health information for education purposes, in accordance with the HICs’ policies. Such privacy training should be updated on a regular basis to provide all agents with clear and up-to-date guidance on authorized uses of personal health information.  
  2. HICs must have comprehensive privacy policies in place, including explicit reference to the use of personal health information for education purposes. These policies must also ensure that agents, including physicians, are given clear guidance on the expectations and requirements for privacy training and confidentiality agreements. In addition, the privacy policies should be reviewed on a regular basis to ensure they are up-to-date with current privacy laws and regulations.  
  3. HICs must ensure that all agents, including physicians, sign and renew confidentiality agreements on an annual basis, requiring acknowledgment that they have read and understood the agreement.
  4. HICs should implement a tracking system to monitor compliance by ensuring that all agents, including physicians, have completed privacy training and signed confidentiality agreements, as required by their policies.  
  5. For more information, see the IPC’s publication Detecting and Deterring Unauthorized Access to Personal Health Information.  