Risk Profile: Regulatory – Privacy


Poor information protection practices, loss or theft of personal health or other sensitive information, privacy complaints, and non-compliance with privacy regulations and legislation pose significant risks for healthcare organizations, including reputational and financial losses. Changes in privacy legislation and mandatory breach reporting requirements bring greater scrutiny. This document contains information entered by your peers in the Risk Register application to help you manage this risk.


  • Likelihood – average score 3.22
  • Impact – average score 3.94

The Risk Register allows for risks to be assessed on a five-point likelihood and impact scale, with five being the highest.

Key controls/mitigation strategies

  • Roles and responsibilities
    • Well established Privacy Officer role and a privacy committee to monitor and oversee all privacy activities
    • Annual employee attestation of the organization’s privacy, confidentiality, code of conduct and security policies
  • Policies/procedures/protocols/programs
    • Privacy policies/procedures/practices that cover collection, use, disclosure, retention and destruction of personal health information and other confidential information
    • Privacy policies/procedures/practices around use of “lockbox”, correction of records, mobile device, research privacy, etc.
    • Privacy incident/breach response management plan
    • Comprehensive privacy audit program
    • Periodic review and revision of all privacy policy/procedures/protocols to reflect up to date information
    • Internal and/or third party Privacy Impact Assessments (PIAs) and Threat Risk Assessments (TRAs) prior to implementing new critical systems or critical changes to existing information systems
  • Education/training
    • Mandatory privacy training for all employees, residents, students, volunteers and contractors customized by roles and responsibilities (e.g. annual training, orientation)
  • HR practices
    • Human resources new hire protocols including sign-off of confidentiality agreement
    • Proper protocols followed when staff change roles to ensure role-based access rights are maintained
    • Stringent employment termination procedures (e.g. terminating access rights to systems, notifications to/from agencies and contractors of terminations)
  • Information system/technology solutions
    • Information technology controls (e.g. role-based access rights, password protection, encryption, anti-virus systems, internet and e-mail proxy servers, patch management, and privacy warnings at system log-in)
    • Implementation of security tools and technology to protect against threats such as malware, spam, phishing e-mails, etc.
    • Access to patient information based on user role and management authorization
    • Implementation of systems that support required level of auditing
  • External relationship management
    • Partnership with associations and regulatory bodies to identify best practices and tools
    • Appropriate vendor management practices (e.g. confidentiality and non-disclosure agreements, and a review of agreements to ensure that privacy language and the roles and responsibilities of each party around privacy incidents/breaches are clearly defined)
    • Data sharing agreements detailing roles and responsibilities of each party


  • Privacy incidents/breaches and complaints, including the time required to achieve satisfactory resolutions
  • Unplanned system downtime
  • Confidentiality agreements, consent forms
  • Mandatory training records
  • Audits of PHI systems, privacy policies/procedures, record destruction logs
  • Completed PIAs and TRAs
  • Results of vulnerability assessment and penetration tests conducted by IT
  • Level of compliance with best practice security standards
  • Information Privacy Commissioner (IPC) or ombudsman reports, decisions and alerts
  • Appropriate level of resources with privacy knowledge and background
  • Compliance with relevant privacy regulations and legislation

[1] As of January 1, 2017

Note: information presented in this document has been taken from the shared repository of risks captured by HIROC subscribers participating in the Integrated Risk Management program.

© 2017 HIROC. For quality assurance purposes.