Ontario’s IPC launches new resources to guard against snooping and other unauthorized access to personal health information

The Information and Privacy Commissioner of Ontario launched a new campaign yesterday called “Is snooping on patients worth it?” See video and other resources.

Also included in this campaign is a new resource document for health care organizations called “Detecting and Deterring Unauthorized Access to Personal Health Information”. This is a must-read for all health care Privacy Officers.

The IPC/O’s tips for preventing or reducing the risk of unauthorized access include:

  • Develop and implement comprehensive privacy policies and review those policies on an annual basis
  • Provide mandatory privacy training for all staff, including initial orientation as well as ongoing privacy training, and maintain a log of attendance
  • Prominently display privacy notices reminding staff of their privacy obligations
  • Include privacy warning flags in electronic health records to remind staff of their privacy obligations
  • Require all staff and other agents to sign confidentiality agreements on a regular basis
  • Have end-user agreements for anyone using your electronic information systems
  • Develop and implement a policy to restrict access to health information on a need-to-know basis only
  • Log, audit and monitor all accesses to electronic health records
  • Follow the IPC’s guidelines on privacy breach management with respect to patient notification and maintain a log of privacy breaches
  • Impose consistent, appropriate and proportionate disciplinary action for privacy breaches

DDO provides privacy coaching, breach management advice and on-site privacy training for health care organizations. If you haven’t reviewed your privacy policies lately or engaged your staff in formal privacy training in a number of years, call us to assist you. Mary Jane Dykeman mjdykeman@ddohealthlaw.com  416-967-7100 x 225


Bill 21: Legislation safeguarding health care integrity receives Royal Assent

On July 22, 2014, the Ontario government introduced Bill 21, the Safeguarding Health Care Integrity Act, 2014. Bill 21 received Royal Assent on December 11, 2014.

Blood Donations:

This legislation intends to safeguard health care integrity by enacting the Voluntary Blood Donations Act, 2014. In relation to Ontario’s voluntary blood donor model, the legislation prohibits payments or offers of payment to individuals for their blood, including any forms of compensation or reimbursement of expenses. Inspection and enforcement provisions are also provided for, including compliance orders.


The Drug and Pharmacies Regulation Act will be amended to give the Ontario College of Pharmacists the authority to regulate hospital pharmacies in the same way it currently regulates community pharmacies. This change has not yet been proclaimed. We will let you know when it is in force.

Mandatory Reports to Regulatory Colleges for Restrictions of Practice:

In addition, the Regulated Health Professions Act, 1991 and the Public Hospitals Act will be amended, intending to enhance communication among health system partners and enable health regulatory colleges to more readily share information with hospitals and public health authorities. Existing mandatory reporting requirements will be strengthened in order to respond more quickly and effectively to issues regarding a health professional’s practice. In particular, when they come into force, the amendments to the Public Hospitals Act will make it mandatory for hospital administrators to report to the College of Physicians and Surgeons where a physician restricts his or her practice and there is reason to believe the restriction is related to the physician’s competence, negligence or conduct, or if the restriction takes place during the course of, or as a result of, an investigation into the physician’s behaviour. This is an important change for hospital Chiefs of Staff and Medical Advisory Committees to know. We are waiting for these changes to be proclaimed before they come into effect – we will let you know.