By Stan Shaw, Founder, CTS
An interesting case was just published last month concerning the first audit of a private business that the Office of the Information & Privacy Commissioner for British Columbia (OIPC) has undertaken through its Audit & Compliance Program, established in 2014. Of particular importance to the healthcare community is that the first private sector business the OIPC audited turned out to be a medical clinic.
The findings, which are published here, highlighted a particular situation that called into question the use of video and audio surveillance within the clinic. However, the audit covered much more than this. Its goal was to review the extent to which the clinic was in compliance with British Columbia’s Personal Information Protection Act (PIPA), to identify risk factors in protecting personal information, and to provide recommendations to strengthen clinic policies and practice.
It is well worth asking yourself whether you are already doing what the auditors recommended for this particular clinic.
Recommendation 1: The clinic should update its Privacy Policy with six provisions that were missing from its present one, including, among others, stating clearly that personal information is collected in accordance with PIPA, and ensuring that personal information is defined in a manner consistent with BC legislation.
Recommendation 2: The clinic should formally review its privacy policies at a minimum of every three years to make sure they are relevant and up to date.
Recommendation 3: The clinic should immediately cease the collection of personal information via video and audio recording equipment.
Recommendation 4: The clinic should create and regularly maintain a personal information inventory related to the collection of personal information from patients and employees. The sensitivity of the information, the type of information collected, where it is stored, why it was collected and how the clinic intends to use it should be included in the inventory.
Recommendation 5: The clinic should develop formal procedures and conduct privacy risk assessments at least annually to ensure that a) adequate safeguards are in place to protect collected personal information and b) collection is limited to only the personal information necessary for the purposes identified.
Recommendation 6: The clinic should develop and provide regular privacy training and education to all staff, with initial training to occur within three months of receiving the audit.
Recommendation 7: The clinic should formally review this training and education at a minimum of every three years and update as necessary.
Recommendation 8: The clinic should develop and request that all clinic staff sign an agreement related to the protection of personal information at the completion of privacy training. This agreement should be reviewed and re-signed annually by all clinic staff.
Recommendation 9: The clinic should shred paper records containing patient or employee personal information when disposing of the records.
Recommendation 10: The clinic should store paper records securely in locking cabinets or behind locked doors and lock cabinets and doors when access to records is not necessary.
Recommendation 11: The clinic should develop formal procedures and conduct regular audits of access to and use of personal information within the clinic.
Recommendation 12: The clinic should immediately ensure that a confidentiality agreement is in place with its EMR software support company with respect to the protection of employee and patient personal information.