Privacy Breach Protocol

Procedure

Category: Privacy
Subject: Privacy Breach Protocol
Division: Human Resources and Corporate Services
Procedure Number: CA.58.02.103
Effective Date: August 1, 2015

Personal Health Information (PHI)

  • Under the Personal Health Information Protection Act (PHIPA), the health information custodian is obligated to notify affected individuals if their Personal Health Information (PHI) is lost, stolen or accessed by unauthorized individuals.
  • PHI records include information in any format including but not limited to paper, electronic, film, visual and audio that contains health information which may be linked to an identifiable individual by a person who has access.
  • PHI records are considered “lost” where there is reasonable belief that the records cannot be located and it is probable that they are no longer in the custody and control of Wellington-Dufferin-Guelph Public Health (WDGPH), or are not physically within WDGPH premises.
  • PHI records are considered “stolen” where there is reasonable belief that the records are in the custody of a third party who is not entitled to receive WDGPH records, e.g. files within a stolen briefcase or personally identifiable files stored on a stolen laptop.
  • Unauthorized access in this policy means access to paper or electronic records by an external party or a person who is not entitled to have access to the records, and includes breaches of electronic database security. Improper access by WDGPH employees or agents is considered a violation of this policy if it is determined that the access was intentional, malicious or clearly made in bad faith, and the employee or agent did not have a professional need to access or use the PHI.

PROCEDURE

All privacy breaches (documentation, electronic records, video surveillance, etc.) must be immediately reported to the immediate Manager/Supervisor or Director and to the Chief Privacy Officer (CPO). Upon learning of a breach, immediate action must be taken following the protocol as outlined:

  1. Response – Respond immediately by notifying internal contacts, inform the Information and Privacy Commissioner of Ontario (IPC) if assistance is required, and address containment and notification procedures.
  2. Containment – Identify the scope of the potential breach and take steps to contain it.
  3. Notification – Identify those individuals whose privacy was breached and advise them of the breach.
  4. Investigation and Remediation – Conduct an internal investigation into the matter to ensure the immediate requirements of containment and notification have been addressed, review the circumstances surrounding the breach and review the adequacy of existing policies and procedures in protecting personal health information. 

NOTE:  Not all breaches may be reported directly to WDGPH; individuals have the option to report a breach or potential breach to the Information and Privacy Commissioner of Ontario (IPC) directly. The IPC may also initiate a complaint about a potential breach on its own, in the absence of an individual complainant.

Upon learning of any privacy breach, the following immediate action(s) must be taken. In addition, there shall be documentation for each step:

Step 1: Response
  1. When WDGPH learns of a possible privacy breach, the employee should immediately contact the Manager/Supervisor/Director and the Chief Privacy Officer (CPO). 
  2. Depending on the nature of the privacy breach, the Director or CPO may contact the following internal and/or external individuals or departments:
  • MOH;
  • Legal counsel (if needed);
  • Manager, Operations;
  • Manager, Communications (if needed);
  • Police (if the breach involves criminal activity such as a break-in or stolen laptop or WDGPH cell phone);
  • Relevant Regulatory College, if applicable;
  • Information and Privacy Commissioner of Ontario* (IPC).

*The CPO will determine whether a situation will be reported to the IPC but will notify the MOH prior to making a report. The CPO will evaluate reporting requirements based on the following factors:

  • Whether the breach, loss or theft of WDGPH information (PHI) is limited or significant in scale;
  • The relative sensitivity of the PHI breached;
  • Whether the IPC may be able to provide direction which will assist WDGPH in handling the situation; or
  • Whether WDGPH has already identified or taken all possible and reasonable steps to handle the situation adequately.
  3. The Manager/Supervisor, Director and CPO will address the priorities of containment, notification, and investigation and remediation as set out in Steps 2, 3 and 4.
Step 2: Containment – Identify the scope of the potential breach and take steps to contain it.
  1. The Manager/Supervisor or Director, in collaboration with employees, will retrieve hard copies of personal or personal health information which have been disclosed to, or taken by, an unauthorized recipient. 
  • The retrieval process may require WDGPH employees to:
    • Contact the recipients to secure the documents; or
    • Arrange to have the documents picked up, or returned to the nearest WDGPH location.
  • Once the information has been retrieved, the CPO/MOH should be notified of the outcome by the Manager/Supervisor or Director.
  2. Every effort should be made to confirm that the unauthorized recipient did not make or keep copies of the personal information. Contact information should be obtained in the event follow-up is needed.
  3. Ask the unauthorized recipient to delete electronic copies of any personal information from his/her desktop computer, server, and other storage devices or media, noting their agreement or refusal on the breach documentation.
  4. The CPO and/or MOH, in collaboration with the Manager/Supervisor and Director, will determine if the privacy breach would allow unauthorized access to other personal or confidential information, for example through an electronic information system. In this case the following steps will occur:
  • Change passwords and identification numbers, and/or temporarily shut down the system;
  • Immediately isolate physical or system resources that may contain evidence, such as paper files, workstations, logs, electronic records, and e-mail files; and
  • Secure existing back-ups by taking tapes out of circulation and backing up any system resources associated with the incident.
  5. Document all actions (dates and times) taken during containment.
Step 3: Notification – Identify those individuals whose privacy was breached and notify them of the breach.

There are numerous factors that may need to be taken into consideration when deciding the best form of notification (e.g. the sensitivity of the personal health information). As a result, the CPO may contact the Information and Privacy Commissioner of Ontario (IPC) to discuss the most appropriate method of notification.

  1. Notify the individual, at the first reasonable opportunity, that a privacy breach occurred. 
  • Consider the sensitivity of the personal or personal health information;
  • Use the most appropriate method to contact the person (meeting, telephone call, letter);
  • Provide details on the extent of the breach, and the specifics;
  • Advise the client of the steps that have been or will be taken to address the breach (immediate and long-term); and
  • Record all actions taken in the client’s file.
  2. Depending on the breach, indirect notification may be required; this is determined by Managers/Supervisors in collaboration with the Director and CPO.
Step 4: Investigations and Remediation.
  1. The CPO and/or MOH, in consultation with the affected Manager/Supervisor, Director and employees, conducts an internal investigation into the privacy breach incident and will:
  • Ensure that the immediate requirements of containment and notification were addressed;
  • Review the circumstances related to the breach;
  • Review whether existing policies and procedures for protecting personal or personal health information are adequate;
  • Review systemic processes and implement changes to prevent repeat breaches; and
  • Determine if training is required for staff based on any changes to the process.
  2. The Manager/Supervisor and Director will provide a written report to the CPO of their findings and recommendations to avoid future breaches of the same kind.
  3. The CPO will advise the IPC in writing, as appropriate, of the findings and the changes to be implemented. The IPC may conduct an additional investigation and may issue a report with recommendations to minimize future privacy risks. 
  4. Managers/Supervisors must:
  • Implement the recommendations of the CPO/MOH and the IPC, where applicable;
  • Provide training to employees if required;
  • Upon completion of all steps, complete a CA.30.01.806 Reporting Form: Information Breach or Complaint and forward it, along with any other documentation (new policies or procedures, investigation notes), to the CPO for review and signature to close the file.
WDGPH Records Held by External Agencies:

WDGPH often provides copies of PHI records to external agencies as allowed under PHIPA (e.g. Family and Children’s Services, hospitals, community agencies). Under PHIPA, WDGPH may be deemed to retain control over the records even if they are in the possession of a different institution. In these cases, if WDGPH is notified by an external agency that WDGPH records have been lost, stolen or breached, WDGPH may take the actions outlined in the policy and procedure CA.58.01(02).103 Privacy Breach Protocol.

Where PHI is provided to an external agency which is functioning as an agent of WDGPH (as the term is defined under PHIPA), operating agreements and understandings between WDGPH and the agent must include a requirement that WDGPH is notified by the agent of any breaches.

RESPONSIBILITIES

Directors will:
  • Monitor adherence to Privacy Governance policy;
  • Monitor progress of breach and provide updates to the CPO;
  • Be accountable for completion of all procedures regarding any privacy breach; and
  • Provide resolution for prevention of repeated breach to CPO.
Manager/Supervisor will:
  • Ensure employees adhere to Privacy Governance policy;
  • Ensure Directors and the CPO are immediately notified of any breach;
  • Provide direction or guidance to employees to address a breach;
  • Be accountable for following procedures to address a breach;
  • In collaboration with employees identify measures to prevent repeated breaches; and
  • Provide training to team if necessary related to proactive measures implemented.
Chief Privacy Officer will:
  • Ensure the privacy breach is managed immediately;
  • Provide guidance and direction, if required;
  • Inform IPC and provide necessary reports, as required; and
  • Ensure proactive measures are in place to prevent repeat of breach.
Employees will:
  • Advise Manager/Director/CPO of any breach immediately;
  • Adhere to policies and procedures regarding a privacy breach;
  • Ensure the privacy breach protocol is completed; and
  • Provide feedback for preventive measures of further breaches.

DEFINITIONS

Breach – Any unauthorized collection, use, retention, or disclosure of personal, personal health or business information. A breach also encompasses the loss of custody or control over confidential, personal or personal health information, whether intentional or unintentional.

Confidentiality – The duty to protect, respect and maintain privacy of confidential, personal and personal health information. As an Agency we are obligated to refrain from disclosing personal health information outside the Agency to others not involved in the use of the information in their authorized work.

Direct notification – Refers to notifying individuals who have been affected by a privacy breach through direct means, including telephone, letter or in person.

Indirect notification – Refers to notifying individuals who have been affected by a privacy breach through indirect means including website information, posted notices or the media.

Third party contractor – Individual, institution, organization or government agency that is not directly employed by WDGPH, but is or may be contracted to provide specific services over a specified period of time.

REFERENCES AND RELATED FORMS, POLICIES AND PROCEDURES

Corresponding Policy:  N/A
CA.30.01.806  Reporting Form: Information Breach or Complaint
CA.58.01.100 and CA.58.02.100 Privacy Governance
What to do when faced with a privacy breach? Guidelines for Health Sector (Information and Privacy Commissioner/Ontario) http://www.ipc.on.ca/images/Resources/hprivbreach-e.pdf
Privacy Breach Protocol- Guidelines for Government Organizations (IPC) http://www.ipc.on.ca/images/Resources/Privacy%20Breach-e.pdf
Hospital Privacy toolkit- Guide to Ontario Personal Health Information Protection Act http://www.oha.com/KnowledgeCentre/Library/Toolkits/PublishingImages/Hos…
IPC Breach Notification Assessment Tool 

CONTACT FOR INQUIRIES

Director, Human Resources and Corporate Services 

APPROVED BY

Director, Human Resources and Corporate Services