We suggest that the first steps for community health providers seeking to improve privacy are the following:
1. Create a privacy officer role
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) affirms that every organization should have a designated privacy officer. This means not only appointing an individual but also defining the role: Who will the privacy officer need to consult with? Which committees will he or she sit on? What actions or changes will need to be approved by the privacy officer? While the privacy officer’s role will be unique to your context, it is helpful to keep in mind that privacy connects multiple areas, including policy, communications, information technology, service delivery, and staff training.
2. Review communications
3. Investigate information management
4. Develop breach response protocols
What will be done if there is a privacy breach – for instance, if your website or record-keeping system is hacked? Do you have the ability to block access from a hacked account, or are you dependent on service providers to manage access? What if a USB drive, laptop, or smartphone containing personal information is lost or stolen? Are these devices password protected? How much information could be compromised by a breach? Who needs to be notified in the event of a breach? At this stage, the privacy officer will need to consult with IT staff to reduce security risks and develop breach response protocols.
For healthcare organizations and health professionals in Ontario, we recommend consulting:
A Guide to the Personal Health Information Protection Act (PHIPA). Information and Privacy Commissioner of Ontario. http://www.ipc.on.ca/images/resources/hguide-e.pdf