Privacy Breach

Service: Risk Management
Subject: Regulatory
Setting: Privacy

As a custodian of Personal Health Information (PHI), healthcare organizations have a legal duty to ensure that PHI is kept private and is protected against theft, loss, unauthorized access, use or disclosure, duplication, modification, or disposal. Negative consequences arising from a privacy breach can be far-reaching and include lawsuits, provincial or territorial privacy commissioner investigations, reputational damage, and financial losses. The scope of potential consequences is magnified by the presence of patient records in digitalized and readily-accessible format. Such form of records increase the risk of snooping, unauthorized use of PHI for research or teaching purposes, and accidental loss of unencrypted laptops and USB keys containing PHI. Employees who breach patient privacy may face termination, disciplinary action by their professional college, and criminal charges. 

Note: HIROC Subscribers are encouraged to contact HIROC before commencing privacy-breach related investigations (as per the HIROC policy wording). Financial coverage will be available for independent legal and required specialties for the investigation and based on experts’ determination of notification requirements.

Common claim themes

System

  • Untimely patient notification or disclosure before:
    • Completing a thorough investigation to determine the extent and scope of the breach;
    • Notifying the insurer.
  • Insufficient or inadequate: 
    • Technological safeguards to restrict access to electronic records;
    • Audit logging capabilities (user and access audits);
    • Encryption and storage controls on external storage devices (e.g., laptops, mobile phones, and USB keys).

Knowledge and judgment

  • Lack of awareness and compliance with privacy policies and procedures.
  • Employees, students, and independent practitioners accessing health records of a family member, friend, celebrity, or person of interest.
  • Accessing patient health records:
    • To gather and sell PHI for financial gain;
    • For research or teaching purposes without obtaining appropriate consent or authorization.

Case Study 1

A Privacy Officer was alerted of a privacy breach involving an employee accessing the health record of their estranged partner. The healthcare facility undertook a thorough investigation of this privacy breach. The internal review found that the employee accessed the patient’s hospital records, as well as records from another facility through a shared health records application. The investigation also revealed that, over the past seven years, the employee inappropriately accessed the records of four other patients over several years, adding up to a total of 196 inappropriate accesses. Further, the investigation revealed that the employee shared the PHI with the patients’ families and friends.  Expert review, including (but not limited to) the provincial privacy commissioner’s office, identified significant gaps in the facility’s user access, remote access, and electronic health record auditing practices. In addition to the orders issued by the Privacy Commissioner, legal action was commenced against the facility and the employee.

Case Study 2

A facility learned of a privacy breach involving a well-respected healthcare practitioner through a whistleblower submission.  The internal investigation revealed that the practitioner had knowingly accessed dozens of patients’ records to make copies and prepare teaching material for lectures at the local university. Legal action was commenced against the facility, practitioner, and the university. Expert review of the facility’s practice was not supportive, in particular the failure to have  a formal approval process in place for use of facility documents for teaching purposes, as well as, a process for de-identification of documents. Additionally, expert review noted that the facility did not have an access audit review process that may have helped identify the breach early on.

Mitigation strategies

Reliable Prevention Strategies

  • Implement standardized, legislation compliant, privacy, and confidentiality policies and procedures that include (but are not limited to):
    • The appropriate collection, storage, use, transfer, disclosure, destruction, and protection of patient records;
    • Clearly defined accountabilities of employees, independent practitioners, volunteers, students, agents, and third parties or vendors.
  • Implement formal authorization and access control processes that include (but are not limited to): 
    • Approvals process for electronic health records and system access, including remote access and virtual private networks;
    • Requirement for strong passwords;
    • Prohibition of password sharing;
    • The need to lock computers and devices when unattended;
    • Timed screen lockout; 
    • Scheduled prompts to change passwords.
  • Adopt stringent protocols for use of unapproved and/or unencrypted mobile devices (e.g., laptops, USB keys, tablets, and smart phones) for storage of PHI; prohibit the removal of PHI (both hard and soft copies) from premises unless required for the provisions of direct healthcare.
  • Implement formal administrative and technological strategies to protect:
    • PHI and confidential information during email communications (e.g., encrypted email technology, corporate safe email policy, encouraging staff to confirm that email address and recipient is correct, and the need to obtain patient consent for unencrypted email communication);
    • Stored records used for research (e.g., de-identified and/or coded data). 

Third-Party Vendors – Management and Disposal of Records

  • Ensure written contracts and agreements are in place with agents and vendors that are engaged to destroy paper and/or electronic PHI records (e.g., media, storage devices, and drives).
  • Ensure the following elements (but are not limited to) are specified in the written contracts:
    • No unauthorized person or organization will have access to the records from the time they leave the custody of the healthcare organization to their storage or destruction locations;
    • Written policies and procedures specify how the information will be protected;
    • Adequate and appropriate indemnification coverage for contract-related liabilities;
    • All personnel are required to sign confidentiality agreements;
    • Information is destroyed following specified methods and within a specified time period approved by the procuring organization;
    • A Certificate of Destruction is provided for each destruction event;
    • Customer audit and/or witnessing internal practices are permissible;
    • Breach notifications requirements;
    • Limitations on sub-contracts without expressed approval of the healthcare organization.

Education

  • Implement formal multifaceted and targeted strategies to support and enhance employees, independent practitioners, volunteers, students, agents, and other third party users understanding of their duties and obligations related to the collection, protection, use, and disclosure of PHI (e.g., mandatory training and included in new staff orientation; mandatory annual role-based and information security training; requirement to sign confidentially agreement prior to hire and annually thereafter; sharing of learnings and trends from periodic chart audits and extracts, analysis of reported incidents and events, medical-legal matter, and privacy commissioner investigations).

Breach Management and Look Backs

  • Implement a privacy breach management protocol which ensures an immediate and coordinated response with clarity around roles and responsibilities and associated steps required for timely investigation, containment, and remediation of the breach (including timely investigation, documentation, and notification to patients, provincial and territorial privacy office, and insurer).  
  • Ensure the organization’s privacy officer (or other privacy designated person), risk management, and legal experts (where available) are consulted to determine the appropriate threshold for notification of a privacy breach and (along with communication professionals) to determine the appropriate process for carrying this out.
  • Notify HIROC before any investigation is commenced, as per the HIROC insurance policy. Financial coverage is available for independent legal and required specialties for investigation based on experts’ determination of notification requirements.
  • Ensure all records and information related to breach investigation (including details of the information breaches) are maintained, reported to Senior Management and staff members, and retained for documentation purposes.

References

  • HIROC claims files.
  • Bromwich M, Bromwich R. (2016). Privacy risks when using mobile devices in health care. CMAJ. 188(12):855-856.
  • Cavoukian A, El Emam K. (2011). Dispelling the myths surrounding de-identification: Anonymization remains a strong tool for protecting privacy. Toronto, ON: Information and Privacy Commissioner of Ontario.
  • HIROC. (2015). Critical incidents and multi-patient events risk resource guide.
  • HIROC. (2017). Cyber Risk Management: A guide for healthcare administrators and risk managers. 
  • HIROC. (2017). Strategies for improving documentation: Lessons from medical-legal claims.
  • Office of the Information and Privacy Commissioner of Newfoundland. (2018). PHIA compliance checklist for custodians.
  • Information and Privacy Commissioner of Ontario. (2012). Encryption by default and circles of trust: Strategies to secure personal information in high-availability environments.
  • Information and Privacy Commissioner of Ontario. (2014). PHIPA Order HO–013. 
  • Information and Privacy Commissioner of Ontario. (2015). Detecting and deterring unauthorized access to personal health information.
  • Information and Privacy Commissioner of Ontario. (2016). Communicating personal health information by email. 
  • Information and Privacy Commissioner of Ontario. (2018). Disposing of your electronic media.
  • Information and Privacy Commissioner of Ontario. (2018). Responding to a health privacy breach: guidelines for the health sector.
  • Office of the Saskatchewan Information and Privacy Commissioner. (2015). Privacy breach guidelines.