The Information and Privacy Commissioner of Ontario launched a new campaign yesterday called “Is snooping on patients worth it?” See video and other resources.

Also included in this campaign is a new resource document for health care organizations called “Detecting and Deterring Unauthorized Access to Personal Health Information”. This is a must read for all health care Privacy Officers.

The IPC/O’s tips for preventing or reducing the risk of unauthorized access include:

  • Develop and implement comprehensive privacy policies and review those policies on an annual basis
  • Provide mandatory privacy training for all staff – which includes initial orientation as well as ongoing privacy training and maintain a log of attendance
  • Prominently display privacy notices reminding staff of their privacy obligations
  • Include privacy warning flags in electronic health records to remind staff of their privacy obligations
  • Require all staff and other agents to sign confidentiality agreements on a regular basis
  • Have end-user agreements for anyone using your electronic information systems
  • Develop and implement a policy to restrict access to health information on a need-to-know basis only
  • Log, audit and monitor all accesses to electronic health records
  • Follow the IPC’s guidelines on privacy breach management with respect to patient notification and maintain a log of privacy breaches
  • Impose consistent, appropriate and proportionate disciplinary action for privacy breaches

DDO provides privacy coaching, breach management advice and on-site privacy training for health care organizations. If you haven’t reviewed your privacy policies lately or engaged your staff in formal privacy training in a number of years, call us to assist you. Mary Jane Dykeman, mjdykeman@ddohealthlaw.com, 416-967-7100 x 225