Privacy Training & Audits to Prevent Breaches or Mitigate their Harm

Health care providers – whether individual professionals or large organizations – are trusted with the most sensitive information there is: personal health information (PHI). As such, custodians of PHI are duty-bound and required by law to take steps that are reasonable in the circumstances to safeguard their clients’ PHI records, and to prevent them from being lost, stolen, accessed without authorization, modified or destroyed.

Health care professionals need to be acutely aware of the harm that privacy breaches can cause. They can harm clients emotionally and psychologically, and impair the trust clients have in their health care provider. Breaches can also be widely reported, resulting in reputational harm to the provider and in the loss of trust that other clients and members of the public have in them. And of course, privacy breaches can result in lawsuits and in orders being made against the custodian by the Information and Privacy Commissioner of Ontario (IPC), which can include fines, penalties, and the requirement to take significant steps to remediate the breach.

This knowledge, and the recognition that consequences can flow from even a seemingly small oversight such as an employee leaving a computer unlocked when they leave the room, is enough to scare privacy professionals into doing everything possible to ensure compliance with privacy laws.

But fear alone won’t prevent privacy breaches – especially if the folks that collect, use, disclose and store PHI records don’t appreciate their role in preventing breaches. To prevent breaches – and to mitigate the consequences that may arise from a privacy breach that may not be preventable – custodians need a four-pronged approach that includes:

  1. implementing robust policies and procedures;

  2. instilling a culture of privacy;

  3. training all staff in the organization on their role in preventing privacy breaches; and

  4. continuously auditing and assessing privacy compliance.

Policies and Procedures

Robust policies and procedures are an essential first step towards achieving privacy compliance. There are two key elements to this: policies and procedures must comply with the law and best practices, and they must be followed.

Privacy documentation must include confidentiality agreements for all staff, information for clients and patients, and internal documents setting out how PHI is collected, used and disclosed, and for what purposes. This documentation needs to be kept current, so policies and procedures created to comply with the Personal Health Information Protection Act, 2004 (PHIPA) when it was first enacted are likely woefully out of date!

Policies and procedures must be developed over time to address the organization’s individual circumstances and comply with best practices. They also must be followed – to the letter. An audit or assessment of an organization’s policies and procedures, which considers compliance, will identify gaps and areas for improvement. An audit (and implementing changes following an audit) will also create a record of robust privacy compliance that can be relied upon when responding to an investigation or inquiry.

In the event of an investigation by the IPC or another entity like a regulatory health college, copies of all relevant policies and procedures will be requested. The investigator will also consider whether the custodian is complying with their own policies and procedures. Orders from the IPC have not only criticized custodians for having inadequate policies and procedures, but have also expressed concern where adequate policies were not followed. The IPC has held that a failure to comply with a policy related to protection of patient privacy was a violation of PHIPA. In contrast, demonstrating compliance with effective policies has been identified as a reason for the IPC not undertaking a formal review in the case of a breach.

A Culture of Privacy

The IPC first referred to a “culture of privacy” in Order HO-002 where the former Commissioner spoke to the need for hospitals to

ensure that they not only educate their staff about the Act and information policies and practices implemented by the hospital, but must also ensure that privacy becomes embedded into their institutional culture.

The current Commissioner has referred to the importance of building a transparent and privacy-respectful culture in her recent blog and in a podcast. The Federal Privacy Commissioner of Canada explained a culture of privacy in a recent speech:

It means limiting the collection, use, retention and disclosure of personal information to what is demonstrably necessary and proportional to achieve an organization’s purposes. It also means adequately training those dealing with that information on the importance of protecting privacy, and having monitoring mechanisms in place to ensure that policies are being followed on an ongoing basis.

From our perspective, building a culture of privacy is critical for preventing privacy breaches and adequately responding to them when they occur. It requires buy-in from all members of an organization. It starts with education, which is reinforced regularly with training and discussion, and lapses should be addressed whenever privacy is not respected.

Staff Training

Fundamental to building that culture of privacy is training for all staff who deal with patients, or who collect, use or disclose personal health information. Every member of an organization has a role to play in privacy compliance, and training will reinforce that message.

Training is also a key factor in preventing a formal review by the IPC in the event of an investigation. In a 2022 decision, the IPC considered two privacy breaches at a hospital involving snooping. Recognizing that the hospital had a mandatory training program for all staff, the adjudicator found that a review was not warranted. However, this was likely only the result of the hospital having stepped up its training program since learning of the breaches at issue. The adjudicator noted that as the nurse who accessed PHI inappropriately did not have malicious intent,

[t]his indicates that the hospital failed to adequately inform the Nurse when she was allowed to access [PHI]. Policies and training materials only help protect patient privacy if employees read them, and it was not clear that the hospital employees were being given sufficient reminders of their privacy obligations.

Finally, training works: a 2019 study in Western Canada looked at some 600 employees who worked in a large healthcare organization on both the clinical and non-clinical side. The objective was to determine the effectiveness of existing education and awareness modules in delivering key messages around IT security and privacy. The results indicated a significant positive correlation between what staff thought about the effectiveness of IT security educational material and their satisfaction with IT security in the organization. Takeaways included that training should be an integral part of healthcare staff continuing education and that greater emphasis should be placed on part-time staff.

Audit and Assessment

An audit and assessment, ideally by someone outside of the organization, can be the best way to assess whether an organization’s privacy practices are current and PHIPA-compliant. This can include:

  • an evaluation of the organization’s policies and procedures

  • an assessment of whether the organization’s practices are compliant with its own policies and procedures

  • an evaluation of whether the organization’s staff have the knowledge they require to discharge their privacy obligations to safeguard PHI

  • a report of any gaps in compliance and how these can be addressed.

We have assisted many health care providers to identify deficiencies in their privacy program, and helped to reinforce the culture of privacy in the process, by holding the organization and its staff accountable (in a supportive and confidential manner) for their privacy practices. By going through this process and addressing the gaps identified, organizations can demonstrate their commitment to privacy, which can impact whether an investigation or breach results in a regulator taking further steps.

Conclusion

If your office’s or organization’s privacy program has not kept pace with recent developments, now (rather than following a significant breach!) is the time to redouble efforts to ensure privacy compliance. Please contact us to discuss reviewing policies and procedures, staff training, or a preventative audit.
