Regulatory – Privacy

Category
Regulatory
Topic
Privacy
Type
Risk Profiles

Inadequate security practices for both paper and electronic information, loss or theft of personal health information or other personal information, privacy/confidentiality complaints, and/or lack of compliance with evolving privacy regulations/legislation pose significant risks for healthcare organizations. This document contains information entered by HIROC subscriber healthcare organizations (acute and non-acute) in the Risk Register application to help you in your assessment of this risk.

Ranking / Ratings

  • Likelihood – average score 3.00
  • Impact – average score 3.44

The Risk Register allows for risks to be assessed on a five-point likelihood and impact scale, with five being the highest.

Key Controls / Mitigation Strategies

  • Roles and responsibilities
    • Well established Privacy Officer role and a privacy committee to monitor and oversee privacy activities in compliance with regulations/legislation
    • Annual employee attestation of the organization’s privacy, confidentiality, code of conduct and security policies
  • Policies/procedures/protocols/programs
    • Privacy policies/procedures/practices that cover the collection, use, disclosure, correction, retention and destruction of personal health information (PHI) and other confidential information (e.g. photos/videos for use in publications) including the use of “lockboxes”, mobile devices, research privacy, etc.
    • Consent forms developed for the collection, use, and disclosure of PHI and other confidential information (e.g. photos/videos for use in publications)
    • Periodic review and revision of all privacy policy/procedures/protocols/consents to reflect up to date information
    • Privacy incident/breach response management plan
    • All privacy breaches and near misses reviewed by Privacy Officer and privacy committee for additional recommendations and oversight
    • Occurrence analysis and reporting for learning opportunities
    • Comprehensive privacy audit program
    • Internal and/or third party Privacy Impact Assessments (PIAs) and Threat Risk Assessments (TRAs) performed prior to implementing new information systems or critical changes to existing ones
    • Privacy review of contracts and research study protocols
  • Education/training
    • Ongoing mandatory privacy training for all employees, residents, students, volunteers and contractors customized by roles and responsibilities (e.g. annual training, orientation), including education regarding:
      • Use of social media;
      • Shared systems including privacy component;
      • Consent for photos/videos used in publications (e.g. website, newsletter);
      • Privacy and security of PHI and health records in outpatient clinics, etc.
    • Education/knowledge sharing in the form of:
      • PHI training modules;
      • Newsletter articles;
      • E-mails;
      • Team meeting education on a monthly basis;
      • Regional privacy meetings;
      • Ombudsman privacy workshop/conferences, etc.
  • HR practices
    • Human resources new hire protocols including sign-off of confidentiality agreement
    • Proper protocols followed when staff change roles to ensure role-based access rights are maintained
    • Stringent employment termination procedures (e.g. terminating access rights to systems, notifications to/from agencies and contractors of terminations)
  • Information system/technology solutions
    • Information technology controls (e.g. role-based access rights with management authorization, password protection, encryption, anti-virus system, internet and e-mail proxy servers, patch management, scanning software, and privacy warnings at system log-in)
    • Encryption of all external hard drives, USB keys, laptops and phones
    • Implementation of security tools and technology to protect against threats such as malware, spam, phishing e-mails, etc.
    • Implementation of systems that support required level of auditing
    • Confidential information locked in folders within the internal servers with limited access
    • Complexity required for passwords (e.g. minimum 8 characters) with a requirement to change every 90 days (note: current guidance such as NIST SP 800-63B treats 8 characters as a minimum floor and recommends forcing a change on evidence of compromise rather than on a fixed schedule)
    • Implementation of Artificial Intelligence (AI) privacy tools
    • Physical restriction from data centers that house the data
    • Implementation of online security/risk course for Information Technology (IT) department
    • IT security response team and plan
  • External relationship management
    • Partnership with associations and regulatory bodies to identify best practices and tools
    • Appropriate vendor management practices (e.g. confidentiality and non-disclosure agreements, and a review of agreements to ensure privacy language and the roles and responsibilities of each party around privacy incidents/breaches are clearly defined)
    • Data sharing agreements detailing roles and responsibilities of each party
    • Additional cyber insurance coverage purchased and reviewed on a regular basis
    • Off-site storage vendors
  • Physical security of paper records:
    • Health Information Management (HIM) department always locked with a service window
    • Review room is separate from where medical records are stored in the HIM department
    • Limited access to hardcopy records within short and long-term storage
    • External vendors needing access to chart storage area are accompanied by Security Guard
    • Directing staff to lock filing cabinets and desk drawers at night
    • Operating fire suppression system to minimize risk of incineration
    • Only a short period of records (1 year for health files, and 2 years for finance files) is kept on site; all others are kept in long-term storage
      • Records maintained in long-term storage are on shelves within a no-traffic area;
      • Records are organized by destruction date, and category of content;
      • Destruction of records reviewed by Privacy Officer;
      • Scanning records for storage electronically

Monitoring / Indicators

  • Number of privacy incidents/breaches and complaints, including the time required to achieve satisfactory resolutions
  • Number of unplanned system downtime events
  • Number of completed confidentiality agreements, consent forms
  • Tracking of staff privacy training records for new staff at orientation and all staff annually
  • Audits of PHI systems, privacy policies/procedures, record destruction logs, user access to patient systems
  • Completed PIAs and TRAs
  • Results of vulnerability assessments and penetration tests conducted by IT
  • Level of compliance with best practice security standards
  • Information Privacy Commissioner (IPC) or Ombudsman reports, decisions and alerts
  • Appropriate level of resources with privacy knowledge and background
  • IT security monitoring
  • Discharges audited on a monthly basis to ensure all charts are received by the HIM department
  • HIM staff monitor charts on a daily basis and the location of each chart is tracked at all times
  • Regular review of media scans and social media
  • Increased privacy assessments during COVID-19 pandemic as virtual and off-site clinical activities increased significantly
  • Regular reporting through relevant committees to the board
  • Quarterly privacy scorecard; maturity score assessment every 3 years
  • Review and testing of disaster recovery plan
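The HR practices above (role changes keeping role-based access aligned, terminations revoking system access) and the monitoring indicator "audits of user access to patient systems" come together in one routine check: reconciling an information system's access audit trail against the HR roster. The following is an added worked example, not HIROC's tool or any subscriber's, of how such an audit can be scripted. The roster, the role-to-unit access policy, the audit log rows and all column names are constructed for illustration; a real review would read these from the HR system and the EHR's audit export.

```python
"""Joiner/mover/leaver reconciliation of a PHI access audit log against an HR roster.

Added example, not HIROC's code. All data below is constructed for illustration.
Three conditions are flagged:
  - orphan_account: an account in the audit log with no matching HR record
  - leaver_access:  access by a user whose HR status is not active, or after their end date
  - role_mismatch:  access to a unit's charts that the user's role is not permitted to open
"""
from __future__ import annotations

import csv
import io
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime

# Constructed HR roster export (column names are assumptions for this example).
HR_ROSTER_CSV = """user_id,role,unit,status,end_date
jdoe,nurse,ICU,active,
asmith,clerk,HIM,terminated,2021-01-15
bwong,physician,CARDIOLOGY,active,
clee,volunteer,LOBBY,active,
"""

# Constructed role-based access policy: which units' charts each role may open.
ROLE_UNIT_ACCESS: dict[str, set[str]] = {
    "nurse": {"ICU"},
    "physician": {"CARDIOLOGY", "ICU"},
    "clerk": {"HIM"},
    "volunteer": set(),  # volunteers have no chart access at all
}

# Constructed EHR audit trail export (column names are assumptions for this example).
ACCESS_LOG_CSV = """timestamp,user_id,patient_id,patient_unit,action
2021-01-20T08:05:00,jdoe,P1001,ICU,view
2021-01-20T08:07:00,jdoe,P2002,CARDIOLOGY,view
2021-01-20T09:00:00,asmith,P3003,HIM,view
2021-01-20T09:30:00,bwong,P1001,ICU,view
2021-01-20T10:00:00,clee,P1001,ICU,view
2021-01-20T10:15:00,ghost,P4004,ICU,print
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user_id: str
    patient_id: str
    category: str
    reason: str


def load_roster(text: str) -> dict[str, dict]:
    """Index the HR roster by user_id, parsing end_date into a date (None when blank)."""
    roster: dict[str, dict] = {}
    for row in csv.DictReader(io.StringIO(text)):
        end = row["end_date"].strip()
        row["end_date"] = date.fromisoformat(end) if end else None
        roster[row["user_id"]] = row
    return roster


def review_access_log(log_text: str, roster_text: str,
                      policy: dict[str, set[str]] = ROLE_UNIT_ACCESS) -> list[Finding]:
    """Walk every audit event and return the ones that contradict HR status or role policy."""
    roster = load_roster(roster_text)
    findings: list[Finding] = []
    for ev in csv.DictReader(io.StringIO(log_text)):
        when = datetime.fromisoformat(ev["timestamp"])
        user = roster.get(ev["user_id"])
        if user is None:
            findings.append(Finding(ev["timestamp"], ev["user_id"], ev["patient_id"],
                                    "orphan_account", "user not in HR roster"))
            continue
        left = user["end_date"] is not None and when.date() > user["end_date"]
        if user["status"] != "active" or left:
            findings.append(Finding(ev["timestamp"], ev["user_id"], ev["patient_id"],
                                    "leaver_access",
                                    f"HR status '{user['status']}', end date {user['end_date']}; "
                                    "access rights not revoked"))
            continue
        if ev["patient_unit"] not in policy.get(user["role"], set()):
            findings.append(Finding(ev["timestamp"], ev["user_id"], ev["patient_id"],
                                    "role_mismatch",
                                    f"role '{user['role']}' may not open {ev['patient_unit']} charts"))
    return findings


def count_by_category(findings: list[Finding]) -> Counter:
    """Roll findings up into the kind of count a privacy scorecard would report."""
    return Counter(f.category for f in findings)


if __name__ == "__main__":
    results = review_access_log(ACCESS_LOG_CSV, HR_ROSTER_CSV)
    for f in results:
        print(f"{f.timestamp} {f.user_id:8} {f.patient_id} {f.category:15} {f.reason}")
    print(dict(count_by_category(results)))
```

Run against the constructed data, the script flags the nurse opening a cardiology chart, the terminated clerk still reading records five days after their end date, the volunteer viewing an ICU chart, and an account that HR does not know about. The per-category counts are the kind of figure that feeds the "number of privacy incidents" and "audits of user access" indicators above; the legitimate accesses produce no output.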

Note: Information presented in this document has been taken from the shared repository of risks captured by HIROC subscribers participating in the Integrated Risk Management program.

Date last reviewed: January 2021
This is a resource for quality assurance and risk management purposes only, and is not intended to provide or replace legal or medical advice or reflect standards of care and/or standards of practice of a regulatory body. The information contained in this resource was deemed accurate at the time of publication, however, practices may change without notice.
