Move this to online module slides 11-56

Presentation transcript:

Privacy, Confidentiality, and Security of Information: Annual Training 2018 – Part 3
This module focuses on Privacy, Confidentiality, and Security of Personal Health Information.

Keeping Electronic Communication Secure
- Sign off computer terminals after completing your work
- Select strong passwords
- Don’t share passwords EVER
It’s important to sign off computer terminals after completing work because all accesses of a patient record and any documentation are tracked to the current login of the terminal. In the case of a lawsuit against the Hospital, the staff involved would be tracked in large part by documentation in the electronic health record.

E-mail Use
- E-mail is not to be used as the primary method of communication for PHI due to potential risk for privacy breach
- Refer to SMGH Privacy and Acceptable Use policies for guidance.
- Click on the following link to read the Acceptable Use Policy

Disposing of Confidential Information
- All confidential information must be placed in hospital grey “shred it” confidential bins
- “Open” confidential waste bins must be stored in secure areas
- Confidential waste must be emptied regularly into locked shredding containers

Privacy Breaches: From the Headlines
These are just a few examples of patient privacy breaches and the consequences that can result.

Examples of Privacy Breaches
- Lost records, files, documents
- Stolen: theft of computer
- Accessing Meditech to view any information about family & friends
- Accessing your own or a family member’s record in Meditech and/or Clinical Connect
- Accessing a patient’s record after they have left your care
- Inappropriate disclosure such as disposal of hard copy PHI or faxing/mailing errors

How to Access Your Own Hospital Records at SMGH
- To access or get copies of your own hospital records you must complete a Release of Information form in Health Records (or on smgh.ca).
- You can request an audit to see who has accessed your own hospital patient record anytime by contacting the Chief Privacy Officer.

Duty to Report if You Become Aware of a Privacy Breach
If you become aware of patient information being lost, stolen, shared or accessed by an unauthorized person, you have a duty to notify your Manager, or the Chief Privacy Officer as soon as possible, providing:
- date and time the actual or suspected privacy breach occurred
- general description of the privacy breach
- the immediate steps that will be or have been taken to contain and remedy the breach

Consequences of a Privacy Breach
People who commit a privacy breach face one or more of the following consequences:
- Disciplinary action
- Loss of employment/affiliation
- Report to your professional college
- You can personally be fined up to $100,000, and SMGH can be fined $500,000.
- If you fail to maintain privacy and confidentiality at SMGH, this information will be placed on your personnel file in Human Resources.

Mandatory Privacy Breach Reporting
Effective 1 Oct 2017, the Ontario government amended the Personal Health Information Protection Act. Under section 12(3) of the act and its related regulation, health information custodians (such as hospitals, medical offices, and others who deal with patient health information) will be required to report certain privacy breaches to the Information and Privacy Commissioner. These amendments are designed to better protect patient privacy and improve accountability and transparency in the health care system.
Legislation has recently been tightened.

Mandatory Reporting of Breaches to the Privacy Commissioner:
1. Use or disclosure without authority: i.e. - where the person committing the breach knew or ought to have known that their actions are not permitted either by the act or SMGH.
2. Stolen information: i.e. - where someone has stolen paper records or a laptop or other electronic device; patient information is subject to a ransomware or other malware attack; or where the information has been seized through use of a portable storage device.
3. Further use or disclosure without authority after a breach: i.e. - where following an initial privacy breach, the information was or will be further used or disclosed without authority.
4. Pattern of similar breaches: i.e. - a letter to a patient inadvertently included information relating to a different patient. Over a few months, the same mistake is repeated several times because an automated process for generating letters has been malfunctioning for some time.

Mandatory Reporting of Breaches to the Privacy Commissioner (continued):
5. Disciplinary action against a college member: i.e. - a duty to report an employee or other agent to a health regulatory college also triggers a duty to notify the Commissioner.
6. Disciplinary action against a non-college member: i.e. - in the same circumstances that would have triggered notification to a college, also
7. Significant breach: i.e. – a breach involving many patients, whose information has potentially been made widely available.

Privacy Audits
- Privacy audits are done weekly to monitor who is accessing patient information and which screens are being viewed
- Managers are notified of any potential privacy breaches
- Managers meet with the identified staff, Human Resources (and union representatives where applicable) and the Chief Privacy Officer to review the potential privacy breach and determine next steps

PHIPA FAQ
A comprehensive guide on:
- interpretation and application of PHIPA
- practices to protect PHI
- consent concerning PHI
- collection, use and disclosure of PHI
- fundraising and marketing
- research
- Ontario health cards and health numbers
- access to records of PHI and correction
- administration and enforcement