Risk management for healthcare entities: Personal health information privacy and security

Healthcare entities have an ethical responsibility to protect the personal health information (PHI) of their patients, by upholding patient privacy and confidentiality. Further, there is a legal responsibility. In Canada, healthcare organizations must adhere to the Personal Health Information Protection Act (PHIPA), as well as any provincial or local laws, such as the Personal Information Protection and Electronic Documents Act (PIPEDA) in Ontario, which enforce protections around the collection, use, and disclosure of PHI.

PHI typically refers to any identifying patient information in verbal, written, or oral form, including:

• Physical or mental health
• Health history
• Healthcare services
• Healthcare plan
• Payments
• Eligibility for healthcare

As custodians of PHI, healthcare entities must adopt appropriate measures to maintain patient privacy and confidentiality when collecting, using, or disclosing any identifying information. They will need to consider the range of risks that exist in a healthcare environment and identify opportunities to prevent, mitigate, and transfer them through a comprehensive risk management plan.

Actions may include strengthening their internal control systems, as well as building awareness around PHI best practices through improved talent acquisition, training, and continued education strategies. Undertaking these measures can help to ensure compliance with laws and regulations and prevent unauthorized access, use, or disclosure of PHI.

The following guidance highlights key risk controls healthcare entities may implement to create a consistent standard for PHI privacy and security across their healthcare organization. It is not an exhaustive list and should be used in conjunction with internal policies and procedures, as well in compliance with local laws and regulations.

       I.         Governance

Effective governance plays a vital role in establishing a culture that demonstrates its commitment to protecting all types of information across its organization, including PHI. This practice involves having the appropriate policies and procedures in place and enforced at the executive level to help ensure PHI is handled with consistency and care across all departments.

• Institute clear governance and management oversight on PHI privacy and security. Specifically, the following parties should be aligned on PHI policies:
  • Board of directors and/or board sub-committees
  • Executive management
  • Business management
• Establish clear management accountability around PHI privacy and security policies, programs, and trainings. The accountability should rest with one of the following executive functions:
  • Highest level of management (for example, the president or chief executive officer)
  • Highest level of information management (for example, the chief information or privacy officer)
• Develop clear criteria and channels for reporting matters related to PHI collection, use, and disclosure and review any legal obligations you may have as an employer to ensure you are aligned with them
• Install clear response and recovery measures when responding to PHI breach incidents and review any legal obligations you may have as an employer to help ensure you are aligned with them

      II.         Code of conduct

Revising your code of conduct to include data protection standards can help ensure that professionals across departments are aligned in their commitment to patient safety and confidentiality and that PHI under their care, custody, or control is collected, used, and disclosed in accordance with relevant laws and regulations. It should address the type of equipment and devices that should be used when handling and storing PHI, as well as policies and procedures in place to respond to a PHI breach.

• The code of conduct should include but not be limited to the following information:
  • Your organization’s commitment to safeguarding PHI across all departments
    • Responsibilities and expectations of all parties:
    • Employees
    • Independent practitioners (For example, physicians and midwives)
    • Volunteers
    • Students
    • Vendors
    • Contractors
  • Unacceptable behaviour (For example, removal of PHI from premises)
  • Compulsory training, including topics covered and frequency training will occur
  • Steps to file a report, including mechanisms for reporting and other necessary information
  • Available support services internal and external to the organization
  • Contact information of the person who is designated to receive complaints and/or inquiries
• Develop and review, at least annually, a comprehensive suite of policies and procedures that address and provide guidance in the following areas:
  • Collection, use, disclosure, storage, and destruction of PHI
  • Use of approved/encrypted devices, as well as unapproved/unencrypted ones (for example, personal laptops and phones)
  • Management, investigation, containment, and remediation of a PHI breach
  • Ensure the code of conduct is made available and easily accessible to all individuals and groups within the organization

      III.         Talent acquisition and development

Creating a culture of accountability around patient safety and confidentiality within a healthcare organization requires a comprehensive approach that is focused on the people delivering services on its behalf. This practice begins during recruitment and continues through onboarding, training, and re-education to help ensure workers are positioned to succeed when working with PHI.

A.    Job description

• Job descriptions should be tailored to meet the specific needs of your organization and outline the roles and responsibilities of the position, including its duties when working with PHI. For each position, the following information should be clearly defined:
  • Roles and responsibilities
  • Required/preferred skill(s) and experience(s)
  • Required/preferred license(s) and certification(s)

B.    Screening

• Screen potential hires for any previous history working with PHI. The following screening controls should be in place:
  • Job description declaration
  • Application self-disclosure
  • Reference checks
• For all new hires, current staff, and volunteers, keep complete records of the screening documents and ensure they are kept current, requesting new checks on a regular basis

C.    Interview

• The following practices should be adopted as part of the interview process to assess candidates’ fit and eligibility for staff and volunteer positions. Candidates should be provided with the following:
  • Overview of the public entity and its mandate and services
  • Their intended roles and responsibilities
  • Services and activities with which they will be involved
  • Accountability for the collection, use, disclosure, storage, and destruction of PHI
• The interviewer should ask questions designed to gather specific information about candidates’ qualifications and prior work experiences, including their history working with PHI. Below are some examples of the types of interview questions that can be asked as part of the process:
  • Competency
  • Behavioural (past-focused)
  • Situational (forward-focused)

D.    Onboarding

• Require staff and volunteers to sign a confidentiality agreement that outlines their duties and responsibilities to uphold privacy and confidentiality when working with PHI
• Provide staff and volunteers with on-the-job training when initially assuming their duties. This can be achieved by appointing the following designated individual(s) as a resource:
  • Manager or supervisor
  • Peer resource
• Provide staff and volunteers with the opportunity to ask questions and seek feedback regarding their performance as it relates to carrying out their duties

E.    Training

• Develop a mandatory, role-based training program that enhances awareness and understanding of employee duties, obligations, and requirements when working with PHI. Specifically, the training should address the following:
  • Definition and importance of PHI
  • Consequence of non-compliance with policies and procedures
  • Best practices for reporting and responding to a PHI breach
  • Appropriate collection, use, disclosure, storage, and destruction of PHI
  • Measures in place to protect PHI across the organization
• Establish a training schedule, requiring new staff and volunteers to receive training upon hire, as well as refresher training at least annually for all current staff and volunteers

      IV.         Vendors and contractors

Most healthcare entities rely on vendors and contractors to help them provide safe and quality healthcare services to their patients and community. Ensuring that a culture of accountability is instilled across the organization will require healthcare entities to carefully assess their potential and current vendors and contractors and evaluate whether they share the organization’s commitment to protecting PHI.

A.    Screening

• Confirm the vendor or contractor screens potential hires for any previous history working with PHI. Their screening mechanisms should include but is not limited to the following controls:
  • Job description declaration
  • Application self-disclosure
  • Reference checks
• Verify the vendor or contractor keeps complete records of the screening documents and ensures they are kept current, requesting new checks on a regular basis
• Require vendors to sign a confidentiality agreement that outlines their and thereby their employees’ duty to uphold patient privacy and confidentiality when working with PHI on behalf of your organization. It can also impose additional requirements, which can include asking the vendor or contractor to provide evidence of the following:
  • Their established internal policies and procedures that demonstrate a commitment to protecting PHI. These should outline measures employed in its collection, use, disclosure, storage, and destruction
  • Any role-based training programs they mandate that enhance their employees’ awareness and understanding on their duties, obligations, and requirements when working with PHI
  • Their approach to investigating and managing PHI breaches, including actions, timelines, and roles involved
  • Appropriate insurance coverage for contract-related liabilities
• Establish and require the vendor or contractor to sign a data sharing agreement regulating how data will be shared between you and for what purpose

B.    Candidate review

• Your agreement with the vendor or contractor may grant you the ability to select which of their employees perform the services outlined therein. In these cases, require the vendor or contractor to provide you with employee portfolios of candidates, outlining their roles and responsibilities, including their duties when working with PHI. For each candidate, the following information should be available:
  • Roles and responsibilities
  • Relevant skill(s) and experience(s)
  • Copies of valid license(s) and certification(s) where applicable

C.    Training

Maintaining a culture of accountability requires ensuring that all vendors and contracted employees have received the same degree of PHI protection education as your internal employees and volunteers.

• Review the vendor’s or contractor’s training materials, and if there are any gaps in education, develop a mandatory, role-based training program designed to enhance awareness and understanding of their duties, obligations, and requirements when working with PHI. Specifically, the training should address the following:
  • Definition and importance of PHI
  • Consequence of non-compliance with policies and procedures
  • Best practices for reporting and responding to a PHI breach
  • Appropriate collection, use, disclosure, storage, and destruction of PHI
  • Measures in place to protect PHI across the organization
• Establish a training schedule, requiring new vendors and contractors to receive training upon beginning work for your organization, as well as refresher training at least annually

      V.         Security

Healthcare entities must have security measures in place to protect PHI in all its forms (for example, electronic, paper, and verbal) throughout its lifecycle across the organization. These mechanisms will help prevent any unauthorized collection, use, disclosure, storage, or destruction of PHI. They must correctly correlate to the sensitivity of the PHI and the nature of its use. The security measures healthcare entities adopt should include a blend of the following:

• Physical measures
  • Ensure that hardcopy PHI records are not left unattended/posted in plain view
  • Require locks for filing cabinets containing hardcopy PHI records
  • Restrict access to offices and areas containing hardcopy PHI records
  • Forbid hardcopy PHI records from being taken off premises
• Electronic/system measures
  • Standardize approval and review processes for granting system access, including remote access
  • Install encryption software for storage drives and messaging services
  • Automate lockout of electronic devices due to inactivity
  • Perform regular network and system access audits
  • Complete privacy impact assessments and threat risk assessments for new systems
  • Enforce the use of strong passwords
  • Require users change passwords at regular intervals

Summary

To foster a culture that prioritizes patient confidentiality and safety, healthcare entities must enforce the appropriate collection, use, and disclosure of PHI. Achieving this goal requires healthcare entities to consider the wide range of risks that exist in healthcare settings and embrace a comprehensive approach to risk management. Some key actions they can take include strengthening their governance and code of conduct around PHI, creating alignment between employees on PHI best practices during acquisition, onboarding, and beyond, and improving security measures in-person and online to prevent any unauthorized access, use, or disclosure of PHI.