THUNDER BAY - In the course of a year, more than 300 Ontarian’s private health information is breached. The Office of the Information and Privacy Commissioner said it is up to health care organizations to protect patient’s data, something local health care officials say they take very seriously.
As part of the Reaching Out to Ontario pogrom, Brian Beamish, the Ontario Information and Privacy Commissioner, was in Thunder Bay last Wednesday to update the region on new information and policies relating to the IPC.
An information session on protecting personal health care information was held to provide steps on how organizations can protect privacy breaches in the health care field.
“The issue we’ve been dealing with in health privacy is what is called unauthorized access or snooping,” Beamish said. “That is the case of health staff going in without authority or without a need to know into electronic health records of patients they are not providing services to.”
According to the IPC, they receive between 300 and 350 health privacy breach complaints a year. In order to protect patient privacy, Beamish said it is up to health care organizations to safeguard patient information.
“It’s really important that organizations like hospitals train their staff that this is not acceptable,” he said. “A strong message has to be sent, not just at orientation, but continually that they only be going into records that they need to know.”
“Organizations also should be able to audit those records,” he continued. “They should be able to perform spot audits or when they have concerns, go in and check staff activity and verify that they only go into records that they have a right to see.”
At the Thunder Bay District Health Unit, all staff receive privacy training when hired and complete training sessions throughout the year. Protocols are also in place to protect patient information, both electronic and physical.
"We have a lot of physical measures like locked filing cabinets and limiting who can access things," said Laurie Niskanen, privacy officer with the Thunder Bay District Health Unit. "There is a limit to the number of staff who can collect and access personal information.
In the past 10 years, there have been no major breaches of patient information at the Health Unit. Niskanen said there have been minor incidents involving a misplaced folder of consent forms and a mislabeled address label, which were all investigated with the privacy commission.
According to Dawn Bubar, senior director of informatics with the Thunder Bay Regional Health Sciences Centre, there have been minor breaches of patient privacy at the hospital, but nothing of malicious intent.
“There are a number of different types of breaches of patient privacy,” she said. “They can be verbal, through misdirected communication, and the likes. So yes, as in the case with most hospitals, we have had them, but nothing of malicious intent or personal gain. All of those have been addressed. With every breach we investigate everything.”
The Thunder Bay Hospital also has several polices in place to protect patient records, which reflect the IPC recommendations.
Bubar said all access to patient information has to be validated and all staff are given privacy training upon hiring and complete an annual certification in privacy.
“All of their transactions are audited and logged so we can verify when and who accessed the records and what detail they went into,” she added.
While any breaches of patient information have been accidental, Bubar said the hospital still tries to limit any accidental sharing of confidential patient information.
“It depends on the accident,” she said. “We try to limit the type of information circulated on paper. If they do have to print certain type of information, we try to limit the identification of the patient on those sheets.”
“We take it very seriously and we are continuously reviewing our practices and our policies to see if we can put in new technologies to support us in protecting our records,” Bubar added.
