Use These Reports To Improve Your Privacy Compliance
Investigation reports of privacy breach incidents help to inform and update policies, procedures, and risk assessments. Privacy officers, clinic managers, and healthcare custodians can use them to improve privacy compliance in their healthcare practice.
Recent publications by the Alberta Office of the Information and Privacy Commissioner (OIPC) and the College of Physicians and Surgeons of Alberta (CPSA) are great resources.
We can use these real-world examples to improve our current practices to protect the privacy, confidentiality, and security of personal health information and to guard it against unauthorized access, use, disclosure, and loss.
Alberta OIPC Annual Report
In the Alberta OIPC Annual Report 2020-21, Jill Clayton, the Privacy Commissioner, noted that ‘this past year was a year like no other for access to information and protection of privacy in Alberta as the COVID-19 pandemic raised new challenges for regulated stakeholders and my office.’
Work-from-home mandates impacted how organizations responded to access to information requests and the security of personal information as employees shifted to remote work. The OIPC received over 150 privacy impact assessments (PIAs) and notifications about the implementation of new virtual care (or telemedicine) projects.
Overall, the OIPC reports a 31% increase in the number of PIAs it received over the previous years. The healthcare sector may not have applied the same rigour to assessing new virtual care solutions as it previously applied to, for example, EMR implementation. The urgency of the pandemic may have triggered this weakness, but it is something we should now be able to do better.
There were 930 breaches reported by health information custodians to the OIPC in 2020-21, representing a slight decrease from 2019-20 (938). There were four convictions under the Health Information Act (HIA) for unauthorized access to health information in 2020-21.
CPSA Virtual Care Standards of Care
The College of Physicians and Surgeons of Alberta (CPSA) released its updated Virtual Care Standards of Practice on December 20, 2021. These were previously released as telemedicine standards.
I want to highlight a few things that have changed and a few things that we should know about already. The standard provides clarity about which physicians can provide virtual care services for Albertans: a physician who has been licensed to practice and provide care in Alberta, with some exceptions. Other healthcare providers outside of Alberta should not be providing virtual care to residents of Alberta.
The standards also provide guidance on the procedures that a regulated member providing virtual care must follow, including Standard #8:
- provide the patient with their name, location and licensure status during the initial virtual care encounter;
- take reasonable steps to confirm the identity and location of the patient during each virtual care encounter;
- confirm the patient’s physical setting is appropriate given the context of the encounter and ensure consent to proceed, in accordance with the Informed Consent standard of practice;
- offer the patient the opportunity for in-person care; and
- ensure there is a plan in place to manage adverse events or emergencies and make patients aware of appropriate steps to take in these instances.
The standards also remind physicians that, prior to implementing new virtual care technologies or practices, you must prepare a PIA. This applies even if you are ‘just’ using the telephone to provide virtual care.
PIA Remote Working and Virtual Care Templates
Last year, Information Managers created a virtual care privacy impact assessment package which includes template policies, procedures, implementation tips, and privacy training. The package follows the requirements of the CPSA standards and the HIA.
The PIA Remote Working and Virtual Care Templates provide you with virtual care procedures, workflows, tips, and Privacy Impact Assessment templates that you can quickly and easily download and customize for your healthcare practice. The training provided will help you assess privacy and security options so that you can select the best technology solution for your needs. Then, use the Privacy Impact Assessment templates to document your decisions and submit them to the OIPC.