Article

Risk management for healthcare entities: Personal health information privacy and security

In Canada, healthcare organizations must adhere to the Personal Health Information Protection Act (PHIPA), as well as any provincial or local laws, such as the Personal Information Protection and Electronic Documents Act (PIPEDA) in Ontario, which enforce protections around the collection, use, and disclosure of PHI.

Healthcare entities have an ethical responsibility to protect the personal health information (PHI) of their patients, by upholding patient privacy and confidentiality. Further, there is a legal responsibility. In Canada, healthcare organizations must adhere to the Personal Health Information Protection Act (PHIPA), as well as any provincial or local laws, such as the Personal Information Protection and Electronic Documents Act (PIPEDA) in Ontario, which enforce protections around the collection, use, and disclosure of PHI.

PHI typically refers to any identifying patient information in verbal, written, or oral form, including:

Physical or mental health
Health history
Healthcare services
Healthcare plan
Payments
Eligibility for healthcare

As custodians of PHI, healthcare entities must adopt appropriate measures to maintain patient privacy and confidentiality when collecting, using, or disclosing any identifying information. They will need to consider the range of risks that exist in a healthcare environment and identify opportunities to prevent, mitigate, and transfer them through a comprehensive risk management plan.

Actions may include strengthening their internal control systems, as well as building awareness around PHI best practices through improved talent acquisition, training, and continued education strategies. Undertaking these measures can help to ensure compliance with laws and regulations and prevent unauthorized access, use, or disclosure of PHI.

The following guidance highlights key risk controls healthcare entities may implement to create a consistent standard for PHI privacy and security across their healthcare organization. It is not an exhaustive list and should be used in conjunction with internal policies and procedures, as well in compliance with local laws and regulations.

I. Governance

Effective governance plays a vital role in establishing a culture that demonstrates its commitment to protecting all types of information across its organization, including PHI. This practice involves having the appropriate policies and procedures in place and enforced at the executive level to help ensure PHI is handled with consistency and care across all departments.

Institute clear governance and management oversight on PHI privacy and security. Specifically, the following parties should be aligned on PHI policies:
- Board of directors and/or board sub-committees
- Executive management
- Business management
Establish clear management accountability around PHI privacy and security policies, programs, and trainings. The accountability should rest with one of the following executive functions:
- Highest level of management (for example, the president or chief executive officer)
- Highest level of information management (for example, the chief information or privacy officer)
Develop clear criteria and channels for reporting matters related to PHI collection, use, and disclosure and review any legal obligations you may have as an employer to ensure you are aligned with them
Install clear response and recovery measures when responding to PHI breach incidents and review any legal obligations you may have as an employer to help ensure you are aligned with them

II. Code of conduct

Revising your code of conduct to include data protection standards can help ensure that professionals across departments are aligned in their commitment to patient safety and confidentiality and that PHI under their care, custody, or control is collected, used, and disclosed in accordance with relevant laws and regulations. It should address the type of equipment and devices that should be used when handling and storing PHI, as well as policies and procedures in place to respond to a PHI breach.

The code of conduct should include but not be limited to the following information:
- Your organization’s commitment to safeguarding PHI across all departments
  - Responsibilities and expectations of all parties:
  - Employees
  - Independent practitioners (For example, physicians and midwives)
  - Volunteers
  - Students
  - Vendors
  - Contractors
- Unacceptable behaviour (For example, removal of PHI from premises)
- Compulsory training, including topics covered and frequency training will occur
- Steps to file a report, including mechanisms for reporting and other necessary information
- Available support services internal and external to the organization
- Contact information of the person who is designated to receive complaints and/or inquiries
Develop and review, at least annually, a comprehensive suite of policies and procedures that address and provide guidance in the following areas:
- Collection, use, disclosure, storage, and destruction of PHI
- Use of approved/encrypted devices, as well as unapproved/unencrypted ones (for example, personal laptops and phones)
- Management, investigation, containment, and remediation of a PHI breach
- Ensure the code of conduct is made available and easily accessible to all individuals and groups within the organization

III. Talent acquisition and development

Creating a culture of accountability around patient safety and confidentiality within a healthcare organization requires a comprehensive approach that is focused on the people delivering services on its behalf. This practice begins during recruitment and continues through onboarding, training, and re-education to help ensure workers are positioned to succeed when working with PHI.

A. Job description

Job descriptions should be tailored to meet the specific needs of your organization and outline the roles and responsibilities of the position, including its duties when working with PHI. For each position, the following information should be clearly defined:
- Roles and responsibilities
- Required/preferred skill(s) and experience(s)
- Required/preferred license(s) and certification(s)

B. Screening

Screen potential hires for any previous history working with PHI. The following screening controls should be in place:
- Job description declaration
- Application self-disclosure
- Reference checks
For all new hires, current staff, and volunteers, keep complete records of the screening documents and ensure they are kept current, requesting new checks on a regular basis

C. Interview

The following practices should be adopted as part of the interview process to assess candidates’ fit and eligibility for staff and volunteer positions. Candidates should be provided with the following:
- Overview of the public entity and its mandate and services
- Their intended roles and responsibilities
- Services and activities with which they will be involved
- Accountability for the collection, use, disclosure, storage, and destruction of PHI
The interviewer should ask questions designed to gather specific information about candidates’ qualifications and prior work experiences, including their history working with PHI. Below are some examples of the types of interview questions that can be asked as part of the process:
- Competency
- Behavioural (past-focused)
- Situational (forward-focused)

D. Onboarding

Require staff and volunteers to sign a confidentiality agreement that outlines their duties and responsibilities to uphold privacy and confidentiality when working with PHI
Provide staff and volunteers with on-the-job training when initially assuming their duties. This can be achieved by appointing the following designated individual(s) as a resource:
- Manager or supervisor
- Peer resource
Provide staff and volunteers with the opportunity to ask questions and seek feedback regarding their performance as it relates to carrying out their duties

E. Training

Develop a mandatory, role-based training program that enhances awareness and understanding of employee duties, obligations, and requirements when working with PHI. Specifically, the training should address the following:
- Definition and importance of PHI
- Consequence of non-compliance with policies and procedures
- Best practices for reporting and responding to a PHI breach
- Appropriate collection, use, disclosure, storage, and destruction of PHI
- Measures in place to protect PHI across the organization
Establish a training schedule, requiring new staff and volunteers to receive training upon hire, as well as refresher training at least annually for all current staff and volunteers

IV. Vendors and contractors

Most healthcare entities rely on vendors and contractors to help them provide safe and quality healthcare services to their patients and community. Ensuring that a culture of accountability is instilled across the organization will require healthcare entities to carefully assess their potential and current vendors and contractors and evaluate whether they share the organization’s commitment to protecting PHI.

A. Screening

Confirm the vendor or contractor screens potential hires for any previous history working with PHI. Their screening mechanisms should include but is not limited to the following controls:
- Job description declaration
- Application self-disclosure
- Reference checks
Verify the vendor or contractor keeps complete records of the screening documents and ensures they are kept current, requesting new checks on a regular basis
Require vendors to sign a confidentiality agreement that outlines their and thereby their employees’ duty to uphold patient privacy and confidentiality when working with PHI on behalf of your organization. It can also impose additional requirements, which can include asking the vendor or contractor to provide evidence of the following:
- Their established internal policies and procedures that demonstrate a commitment to protecting PHI. These should outline measures employed in its collection, use, disclosure, storage, and destruction
- Any role-based training programs they mandate that enhance their employees’ awareness and understanding on their duties, obligations, and requirements when working with PHI
- Their approach to investigating and managing PHI breaches, including actions, timelines, and roles involved
- Appropriate insurance coverage for contract-related liabilities
Establish and require the vendor or contractor to sign a data sharing agreement regulating how data will be shared between you and for what purpose

B. Candidate review

Your agreement with the vendor or contractor may grant you the ability to select which of their employees perform the services outlined therein. In these cases, require the vendor or contractor to provide you with employee portfolios of candidates, outlining their roles and responsibilities, including their duties when working with PHI. For each candidate, the following information should be available:
- Roles and responsibilities
- Relevant skill(s) and experience(s)
- Copies of valid license(s) and certification(s) where applicable

C. Training

Maintaining a culture of accountability requires ensuring that all vendors and contracted employees have received the same degree of PHI protection education as your internal employees and volunteers.

Review the vendor’s or contractor’s training materials, and if there are any gaps in education, develop a mandatory, role-based training program designed to enhance awareness and understanding of their duties, obligations, and requirements when working with PHI. Specifically, the training should address the following:
- Definition and importance of PHI
- Consequence of non-compliance with policies and procedures
- Best practices for reporting and responding to a PHI breach
- Appropriate collection, use, disclosure, storage, and destruction of PHI
- Measures in place to protect PHI across the organization
Establish a training schedule, requiring new vendors and contractors to receive training upon beginning work for your organization, as well as refresher training at least annually

V. Security

Healthcare entities must have security measures in place to protect PHI in all its forms (for example, electronic, paper, and verbal) throughout its lifecycle across the organization. These mechanisms will help prevent any unauthorized collection, use, disclosure, storage, or destruction of PHI. They must correctly correlate to the sensitivity of the PHI and the nature of its use. The security measures healthcare entities adopt should include a blend of the following:

Physical measures
- Ensure that hardcopy PHI records are not left unattended/posted in plain view
- Require locks for filing cabinets containing hardcopy PHI records
- Restrict access to offices and areas containing hardcopy PHI records
- Forbid hardcopy PHI records from being taken off premises
Electronic/system measures
- Standardize approval and review processes for granting system access, including remote access
- Install encryption software for storage drives and messaging services
- Automate lockout of electronic devices due to inactivity
- Perform regular network and system access audits
- Complete privacy impact assessments and threat risk assessments for new systems
- Enforce the use of strong passwords
- Require users change passwords at regular intervals

Summary

To foster a culture that prioritizes patient confidentiality and safety, healthcare entities must enforce the appropriate collection, use, and disclosure of PHI. Achieving this goal requires healthcare entities to consider the wide range of risks that exist in healthcare settings and embrace a comprehensive approach to risk management. Some key actions they can take include strengthening their governance and code of conduct around PHI, creating alignment between employees on PHI best practices during acquisition, onboarding, and beyond, and improving security measures in-person and online to prevent any unauthorized access, use, or disclosure of PHI.

Woman consoling a man with a checkered shirt. Talk therapy. Mental health concept.

Article

Risk management for healthcare entities: Personal health information privacy and security

Governance

Code of conduct

Talent acquisition and development

Vendors and contractors

Security