As virtual visits become an accepted method of providing health care, it is important to ensure that health privacy laws are observed. Whether care is provided by telephone consultation, video conferencing or secure messaging, providers must be mindful of their obligations relating to the collection of personal health information, health information security, and ensuring that those involved have the necessary training in privacy and security.
Ontario’s health privacy law, the Personal Health Information Protection Act (PHIPA), applies to virtual care as well as in-person care. Custodians[1] must comply with PHIPA in a virtual care setting. The Information and Privacy Commissioner of Ontario (IPC) recently released guidelines with respect to privacy and security considerations for virtual health care. The guidelines set out certain requirements that must be met when a custodian uses an electronic service provider. There are different requirements depending on whether the electronic service provider is an agent of the custodian. There are additional obligations if the electronic service provider is a health information network.
In order to ensure that custodians are complying with PHIPA in a virtual setting, the IPC has provided guidelines to assist custodians with fulfilling their requirement to properly collect and safeguard personal health information (details of each set out below):
- conducting a privacy impact assessment;
- developing a virtual health care policy;
- undertaking comprehensive privacy and security training;
- ensuring there is an information security management framework in place; and
- developing a privacy breach management protocol.
Privacy Impact Assessment
Custodians should conduct a privacy impact assessment to identify risks and determine how to manage them. Without taking the time to identify risks, it will be difficult to appropriately respond to them and safeguard against them.
Virtual Health Care Policy
A virtual health care policy should be developed that sets out the following:
- when, how, and the purposes for which health care may be provided virtually;
- conditions or restrictions with respect to providing virtual health care;
- administrative, technical, and physical safeguards that will be in place, for example email and encryption safeguards, confirmation of the identity of patients, where hardware is to be kept and stored, and how individuals will be trained to ensure privacy is appropriately administered.
As well, the virtual health care policy should explicitly set out that employees and other agents will have access to only the minimum amount of personal health information that is required to perform their duties.
Patients should be notified about the virtual health care policy.
Comprehensive Privacy and Security Training
Training should be ongoing for employees and other custodian agents. Training should be held on the virtual health care policy, circumstances that arise in the virtual health care context, how virtual care interacts with remote work, and the risks associated with remote working and virtual care.
Information Security Management Framework
The framework should outline safeguards expected of employees, agents, and electronic service providers.
Privacy Breach Management Protocol
The obligation to report privacy breaches at the first reasonable opportunity to affected individuals (and in certain circumstances, to the IPC) continues to apply in the virtual context. The protocol should address how to seamlessly respond to a privacy breach.
What are the risks of not implementing the recommendations?
The IPC’s mandate includes investigating privacy complaints relating to personal information and ensuring compliance with PHIPA. These new guidelines are intended to assist custodians with PHIPA compliance and best practice. Failure to implement the measures set out in the guidelines may lead to a greater risk of a privacy breach, and may also lead to a failure to reasonably mitigate the negative impact of a breach in the event one does occur. In the event of a privacy breach, the custodian can expect its compliance or noncompliance with the guidelines to be considered.
[1] “Health information custodian” is a defined term under section 3 of PHIPA and, essentially, is a person or organization listed in PHIPA that has custody or control of personal health information as a result of the powers, duties or work set out for it in PHIPA.