Rouge Valley Health System (the Hospital) reported two separate breaches of patient privacy involving allegations that Hospital employees used and/or disclosed the personal health information of mothers for the purposes of selling or marketing RESPs (Registered Education Savings Plans).
This Order finds that personal health information was used and disclosed in contravention of the Act, and that the Hospital failed to comply with sections 12(1) and 10(1) and (2) of the Act. The Order requires the Hospital to:
1. In relation to all of the Hospital’s electronic information systems, implement the measures necessary to ensure that the Hospital is able to audit all instances where agents access personal health information on its electronic information systems, including the selection of patient names on the patient index of its Meditech system.
2. In relation to the Hospital’s Meditech system:
a) Work with the Hospital’s Hosting Provider to review and amend the service level agreement between the Hospital and the Hosting Provider to clarify the responsibility for the creation, maintenance and archiving of user activity logs generated by the Hospital’s use of its Meditech system, and ensure that the user activity logs are available to the Hospital for audit purposes.
b) Work with Meditech or another software provider to develop a solution that will limit the search capabilities and search functionalities of the Hospital’s Meditech system so that agents are unable to perform open-ended searches for personal health information about individuals, including newborns and/or their mothers, and can only perform searches based on the following criteria: health number, medical record number, encounter number, or exact first name, last name and date of birth.
3. Review and revise its Privacy Audits policy, the Pledge of Confidentiality policy and the Pledge of Confidentiality, and the Privacy Advisory in accordance with the comments and findings made in this Order, and take steps to ensure that it complies with the Privacy Audits policy.
4. Develop a Privacy Training Program policy, a Privacy Awareness Program policy, and a Privacy Breach Management policy in accordance with the comments and findings made in this Order.
5. Immediately review and revise its privacy training tools and materials in accordance with the comments and findings made in this Order.
6. Using the privacy training materials developed in accordance with Order provision 5:
a) immediately conduct privacy training for all agents in clerical positions in the Hospital; and
b) conduct privacy training for all other agents by June 16, 2015.
7. Provide this office with proof of compliance with all of the Order provisions by September 16, 2015.
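Order provisions 1 and 2(b) together describe a concrete control: a patient-index lookup that accepts only closed-form criteria and records every attempt against the agent who made it. The following is an added illustration written for this page, not the Hospital's or Meditech's code; the field names, the in-memory patient index, the sample records and the case-insensitive comparison of names are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample index; field names are assumed, not Meditech's schema.
PATIENT_INDEX = [
    {"mrn": "MRN-0001", "health_number": "1234567890", "encounter_number": "ENC-77",
     "first_name": "Ann", "last_name": "Smith", "date_of_birth": "1990-05-01"},
    {"mrn": "MRN-0002", "health_number": "2234567890", "encounter_number": "ENC-78",
     "first_name": "Anna", "last_name": "Smith", "date_of_birth": "1988-02-09"},
]
# The only lookup forms provision 2(b) permits.
SINGLE_KEYS = {"health_number", "mrn", "encounter_number"}
NAME_KEYS = {"first_name", "last_name", "date_of_birth"}
WILDCARDS = set("*%?")

@dataclass
class AuditEntry:
    when: str
    agent: str
    criteria: tuple   # criterion names only; searched values are not logged
    outcome: str      # "allowed" or "refused"
    records: tuple    # MRN of every record actually returned to the agent

class SearchGate:
    """Closed-form patient lookup with an audit record for every attempt (provision 1)."""
    def __init__(self, index=PATIENT_INDEX):
        self.index = index
        self.audit_log: list[AuditEntry] = []

    def _is_permitted(self, criteria: dict) -> bool:
        keys = set(criteria)
        # Blank, partial or wildcard values are open-ended searches and are refused.
        if any(not str(v).strip() or WILDCARDS & set(str(v)) for v in criteria.values()):
            return False
        if len(keys) == 1 and keys <= SINGLE_KEYS:
            return True                      # health number, MRN or encounter number
        return keys == NAME_KEYS             # exact first name + last name + DOB, nothing less

    def search(self, agent: str, **criteria) -> list:
        allowed = self._is_permitted(criteria)
        hits = []
        if allowed:
            # Whole-value match only; assumption: comparison is case-insensitive.
            hits = [p for p in self.index
                    if all(str(p[k]).casefold() == str(v).casefold()
                           for k, v in criteria.items())]
        self.audit_log.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), agent, tuple(sorted(criteria)),
            "allowed" if allowed else "refused", tuple(p["mrn"] for p in hits)))
        return hits
```

A refused attempt is still logged, which is what lets a later privacy audit show that an agent tried a last-name-only or wildcard search even though no record was returned.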