The Importance of Privacy Training and Policies in Healthcare Organizations
A recent decision (PHIPA Decision 260) by the Information and Privacy Commissioner (IPC) of Ontario highlighted the importance of mandatory privacy awareness training for all staff, including physicians, as well as awareness of the privacy policies developed within the organization.
In this circumstance, a public hospital experienced a significant privacy breach involving unauthorized access to the personal health information of patients by one of its physicians. The IPC investigated this breach under the Personal Health Information Protection Act (PHIPA).
During the investigation, the IPC found that at the time of the breach, the hospital violated sections 10 (Information practices) and 12 (Security) of PHIPA. PHIPA requires health information custodians (like hospitals and other health organizations) to have and comply with information practices that meet the Act's requirements. It also requires custodians to take reasonable steps to protect personal health information against unauthorized use or disclosure.
The investigation revealed several key areas where the hospital's practices were inadequate at the time of the breach, highlighting the necessity of robust policies and training:
Lack of Privacy Training for Physicians: Despite having a policy requiring all agents, including physicians, to complete privacy training upon hire and annually, the hospital did not provide mandatory privacy training to its physicians at the time of the breach. The physician involved had not received this training.
Lack of Annual Confidentiality Agreements for Physicians: The hospital's policy also required all agents to sign confidentiality agreements annually. However, at the time of the breach, there was no formal process for physicians to sign or for the hospital to track the signing of these agreements. The physician involved had only signed one upon hire.
Failure to Ensure Compliance by All Agents: Even for non-physician staff, the hospital discovered that a significant percentage (nearly 50%) had not completed the required privacy training or signed confidentiality agreements in the year of the breach. The hospital had not performed the necessary reviews and follow-ups to confirm that agents were complying with its policies.
Lack of Guidance on Specific Use Cases: The physician involved in the breach believed accessing patient records remotely for "educational purposes" was authorized, demonstrating a gap in clear policy or training regarding specific uses of personal health information, such as for self-study or education.
The IPC emphasized that simply having policies is not enough; health information custodians must implement their policies in practice and take steps to ensure they have safeguards in place. It is inadequate to have different expectations for privacy training and confidentiality agreements for physicians compared to non-physician staff. The circumstances of this breach demonstrate the importance of having policies, communicating these policies to agents, and enforcing them. The hospital's failure to ensure its physicians were trained on its policies and privacy obligations contributed to the physician's unauthorized access.
Critically, while the hospital was initially found in violation, the IPC decided that a formal review was not warranted under Part VI of the Act. This decision was made in light of the comprehensive steps the hospital took after the breach to address the identified privacy concerns. These remedial steps underscore what the IPC considers "adequate measures" and demonstrate the necessity of these actions:
Implementing Mandatory Training and Annual Confidentiality Agreements for All Agents: The hospital implemented a system to ensure physicians complete mandatory privacy training and sign confidentiality agreements annually, aligning expectations across all staff.
Establishing Tracking and Enforcement: The hospital set up tracking systems to monitor completion rates for both training and confidentiality agreements for all physicians and non-physician agents. Non-compliant agents are now subject to disciplinary processes, including potential loss of hospital privileges for physicians.
Updating Policies and Training with Clear Guidance: The hospital reviewed and updated its privacy policies and training materials to be more specific, including providing clear direction that using personal health information for self-study without authorization is not allowed and constitutes a breach.
Implementing Ongoing Education Initiatives: The hospital committed to ongoing privacy education through various methods like eLearning, in-person sessions, huddles, and newsletters, and dedicating a specific month to reinforce privacy importance.
This case illustrates that simply having written privacy policies is insufficient. Effective, mandatory, and tracked privacy training, together with the consistent requirement and tracking of confidentiality agreements for all staff (including physicians), are essential operational measures to ensure compliance with PHIPA, to prevent unauthorized access and breaches caused by a lack of understanding, and to demonstrate to the regulator that your organization has taken reasonable steps to protect personal health information. Taking these steps not only meets legal obligations but can also significantly mitigate the regulatory consequences if a breach were to occur.