
Information Privacy IT

Source: Personal notes from Privacy Lunch & Learn 2022-05 at work

  • Lack of staff privacy training
  • Lack of audit log retention policy
  • Not logging all user actions
  • No privacy auditing program
  • Lack of privacy incident handling policy and procedure

Privacy - right of person to control their collection, use, and disclosure of their personal information

Cyber security - protection of systems and data. “CIA Triad” - balance of confidentiality, integrity and availability.

The following 10 privacy principles are in Canadian privacy laws:

  • 1. Accountability
    • Organization/people are responsible for the personal information under their control
    • People know their accountability for privacy compliance
  • 2. Identifying Purposes
    • Identify why information is collected
    • The purpose can be communicated orally or in person
  • 3. Consent
    • The person consents to the collection, use, and disclosure of their personal information and can withdraw consent at any time. Consent should relate to the information and be specific on purpose.
  • 4. Limiting Collection
    • As with identifying purposes, only collect necessary information. Collect the minimum needed.
  • 5. Limiting Use, Disclosure and Retention
    • Do not use information for new purposes unless the person gave consent or it is required by law
    • Personal data is only retained as long as necessary for the organization’s stated purposes
    • Need to develop guidelines and procedures on destruction of personal information
  • 6. Accuracy
    • Data collected/used/disclosed should be accurate, complete, and up to date for its purposes, to prevent incorrect information being used when making a decision about a person.
  • 7. Safeguards
    • Need technical, operational, and procedural measures to protect the personal information collected.
    • Appropriate safeguards depend on the sensitivity, amount, distribution, format, and storage of the information.
    • Employees managing information must be aware of the confidentiality of the information.
  • 8. Openness
    • The organization has an open policy on its personal information policies and practices. People whose information is collected can see these policies.
  • 9. Individual Access
    • People should have the right to access their records of personal information, and to question and correct the accuracy of their information
  • 10. Challenging Compliance
    • People can challenge the organization’s compliance with all principles
    • The person accountable for the organization’s compliance is responsible for dealing with inquiries, challenges, or complaints. The organization needs to investigate all compliance complaints and act/change accordingly.

Personal Health Information Protection Act (PHIPA)


PHIPA applies the 10 privacy principles above.

  • PHIPA sets out rules for the collection, use and disclosure of personal health information (PHI).
  • These rules apply to all health information custodians (HICs) operating within the province of Ontario with rules for entities that support the management of PHI.
  • The rules recognize the unique and sensitive nature of PHI.
  • The legislation balances individuals’ right to privacy of their own PHI with the legitimate needs of persons and organizations to access and share this information.
  • Generally, PHIPA requires HICs to obtain consent before they collect, use or disclose PHI. Consent can be “implied” when providing health care.
  • Individuals have the right to access and request correction of their own PHI.

Roles:

  • Health information custodians (HICs)
    • Who: health care practitioner, group, operator, etc.; the person/organization that has custody or control of personal health information
    • Responsible for implementing all principles
  • Agents
    • Authorized by custodians to perform services on the custodian’s behalf, for the purposes of the custodian
    • They act like a HIC, but the authority comes from the HIC.
    • They must inform the HIC of privacy gaps and incidents.
  • PHIPA Electronic Service Providers (ESP)
    • A person who supplies services for the purpose of enabling a health information custodian to use electronic means to collect, use, modify, disclose, retain or dispose of personal health information, and who is not an agent of the custodian
    • One-to-one relationship between the ESP and the HIC
    • E.g. an EMR provider
  • Health Information Network Provider (HINP)
    • Similar to ESP
    • A person who provides services to two or more HICs where the services are provided primarily to enable the custodians to use electronic means to disclose personal health information to one another, whether or not the person is an agent of any of the custodians.
    • Example: Ministry of Health is an HINP for the provincial Computer Aided Dispatch (CAD) services
    • Responsibilities
      • Notify HIC of breaches
      • Provide HICs with plain language description of services and safeguards
      • Make the above information available to the public along with directives, guidelines and policies
      • As practically reasonable, make available to the HIC an electronic record of all access to PHI and transfers of PHI
      • Provide to HICs a copy of the results of privacy and security assessments, Privacy Impact Assessment (PIA) and Threat and Risk Assessment (TRA)
      • Bind third-party providers to the same obligations
      • Enter into a written contract with the HIC that defines the services and the measures to protect privacy and security
  • Prescribed Organization — Ontario Health
    • As the prescribed organization, Ontario Health is mandated by PHIPA to perform the following functions:
      • Manage and integrate the PHI from HICs.
      • Manage Electronic Health Records (EHR) services and consent directives
      • Ensure the accuracy and quality of PHI
      • Security and privacy assessments
      • Logging, auditing, and monitoring
  • PHI includes oral or written information about an identifiable individual, if the information:
    • Relates to the individual’s physical or mental health, including family health history;
    • Relates to the provision of health care, including the identification of persons providing care;
    • Is a plan of service for individuals requiring long-term care;
    • Relates to payment or eligibility for health care;
    • Relates to the donation of body parts or bodily substances or is derived from the testing or examination of such parts or substances;
    • Is the individual’s health number; or
    • Identifies an individual’s substitute decision-maker.
  • Mixed Record Rule: if part of a record is PHI, all of the record is PHI

Example: PHI in Digital Health Immunization Repository (DHIR)

Identifying information in DHIR includes, but is not limited to:

  • Name
  • Address
  • Date of birth
  • Gender
  • Telephone Number
  • OIID
  • Health Card Number
  • Employment Information
  • Health Notes
  • Ethnicity
  • Email Address
  • Alternate Names
  • These data elements, either alone or in combination, could identify an individual and therefore constitute PHI. Some types of data constitute PHI by definition (e.g. the Health Card Number, HCN). Others may become PHI depending on the context, the number of records, the ability to match the data, etc.
  • “Collect” means to gather, acquire, receive or obtain PHI by any means from any source
  • “Use” in relation to PHI, means to handle or deal with the information, but does not include to disclose the information.
    • Transmission of PHI between an agent of the HIC and the HIC is a use and not a disclosure.
    • In an electronic environment, accessing PHI from a database and/or simply viewing PHI on a screen is “use” of PHI.
  • “Disclose” in relation to PHI, means to make the information available or to release it to another HIC or to another person.
    • Sharing sometimes required to provide services

Example: Ministry of Health as HINP

  • HINPs may come in contact with PHI in performing their duties such as help desk, systems maintenance, etc. Such contact with PHI must always be for the purposes of the HIC.
  • Ministry project team members must adhere to the same privacy and security standard of care as HICs:
    • Staff and contractors are responsible for protecting PHI against theft, loss and unauthorized use or disclosure
    • PHI may only be used or disclosed for purposes consistent with the purpose of collection. Client consent is necessary for any other uses or disclosures
    • PHI must not be collected, used or disclosed if non-PHI could be used
    • Minimize the collection, use or disclosure of PHI to just what is needed
  • Information security elements:
    • Physical, system security controls (locks, access, authentication, password)
    • Proactive auditing process
    • Account management
    • Privacy training
    • Strong user authentication and account management process
    • Strong password policy (characters, upper & lower case, numbers, special characters)
    • Individual named accounts only
    • Logging and auditing of all access to the PHI
    • Limiting individual users’ access to PHI through appropriate role assignments
    • Staff privacy training
    • Acceptable use policies

What IS a Privacy Impact Assessment (PIA)?

  • PIAs are business documents that identify:
    • Potential privacy risks of new or redesigned programs or systems
    • Mitigation actions that can reduce the identified risks
  • PIAs take a close look at how personal health information is collected, used, disclosed, stored and ultimately destroyed.
  • Typically, PIAs include the following:
    • Personal information flows in the new or redesigned activity
    • Legal authorities for collection, use and disclosure
    • Review of documented measures in place to protect privacy, including policies and procedures, and technical features
    • Identifying any privacy risks and options to reduce or eliminate the risks.
  • These assessments help create a privacy-sensitive culture.

When is PIA required?

A PIA is a best practice whenever a new or modified activity is introduced that carries new privacy risk.

HINPs and the prescribed organization are required by PHIPA to do PIAs. Others are not required by law, but many private and public organizations do them.

  • The term incident includes both privacy and security events that have the potential to be a breach.
    • Breach includes:
      • The collection, use or disclosure of PHI that is not in compliance with PHIPA
      • Circumstances where PHI is stolen, lost, or subject to unauthorized or inappropriate collection, use or disclosure, copying, modification, retention or disposal
  • Avoiding privacy breaches is everyone’s responsibility

Examples of breaches:

  • Loss or theft of a laptop, mobile storage device or other electronic media containing unencrypted PHI or sensitive information
  • Staff sends a screen capture that shows the name of a client and their immunization history
  • A database was supposed to be de-identified, but client date of birth and address were mistakenly not masked
  • A user accesses a production database to check their own record or record of a family member
  • Misdirected fax containing PHI or security-sensitive information
  • External actors: hacking / viruses / ransomware

Breach Management - Response. Upon discovery of a breach:

  • Notify your manager or the privacy contact to open a ticket
  • The manager or privacy contact is to:
    • Have the breach documented using the Security & Privacy Incident Report form
    • Determine whether and how to contact other involved organizations
    • Determine whether there is a need to contact the Office of the Information and Privacy Commissioner

Breach Management - Notification. At the first reasonable opportunity:

  • Identify individuals whose privacy was breached
  • Select an appropriate communication method (e.g., mail) and notify the affected individuals about the breach
  • When giving the notice:
    • Provide details of the breach
    • Provide details of the information involved
    • Describe the steps that have been or will be taken

Breach Management — Investigation and Mitigation

  • When investigating a breach:
    • Identify the causes for the incident/breach
    • Submit the Incident Reporting Form to the manager
    • When finalized, send form to Tier 1 Support for summarizing and attaching to the ticket
    • Assist with any further investigation by the Office of the Information and Privacy Commissioner
  • To mitigate a risk of a future breach:
    • Develop/revise procedures and make other changes as required
    • Staff training

Reporting to the Information and Privacy Commissioner (IPC)

Point-in-Time Breach Reporting

  • Section 6.3 of Ontario Regulation 329/04 states a health information custodian must notify the IPC of a theft, loss or unauthorized use or disclosure in the following circumstances:
    • Use or disclosure without authority
    • Stolen information
    • Further use or disclosure without authority after a breach
    • Pattern of similar breaches
    • Disciplinary action was taken
    • Significant breach
  • Can be submitted online
  • System logging and user access auditing are critical for breach response and responding to individual requests for information
  • Audit logging should capture all user actions in a system that involve PHI
  • Audit logs should be retained as long as the records of PHI are retained
  • Audit reporting must be able to provide a clear picture of:
    • Activity by a specified user
    • Activity against a particular individual’s records
  • Best practice: Organizations should have a program of pro-active auditing to identify privacy issues and serve as a deterrent to inappropriate behavior
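As an added example (not from the session notes), the following Python sketch models the two audit-reporting views required above, activity by a specified user and activity against one individual’s records, plus a proactive check for the self/family-record access scenario listed under breach examples. The log format, user ids and health card numbers are constructed for illustration.

```python
# Added example: minimal PHI audit-log reporting. Not from the session notes;
# the pipe-delimited log format, user ids and HCNs below are all constructed.
from collections import namedtuple
from datetime import datetime

# One audit event per PHI access: when, who, what action, whose record.
AuditEvent = namedtuple("AuditEvent", "ts user_id action patient_hcn")

# Constructed audit log. Assumed format: timestamp|user_id|action|patient_HCN
SAMPLE_LOG = """\
2022-05-02T09:01:12|u.smith|VIEW|1111222233
2022-05-02T09:04:40|u.smith|UPDATE|1111222233
2022-05-02T09:10:03|u.lee|VIEW|4444555566
2022-05-02T12:30:55|u.lee|VIEW|7777888899
2022-05-02T13:02:17|u.smith|VIEW|9999000011
"""


def parse_log(text):
    """Parse the constructed log format into AuditEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, hcn = line.split("|")
        events.append(AuditEvent(datetime.fromisoformat(ts), user, action, hcn))
    return events


def activity_by_user(events, user_id):
    """Everything a specified user did ('who looked at what' review)."""
    return [e for e in events if e.user_id == user_id]


def activity_on_record(events, hcn):
    """Everything done to one individual's record (supports access requests)."""
    return [e for e in events if e.patient_hcn == hcn]


def flag_self_or_family_access(events, staff_hcns):
    """Proactive audit: staff touching their own or a declared family member's
    record. staff_hcns maps user_id -> set of HCNs the user must not access."""
    return [e for e in events if e.patient_hcn in staff_hcns.get(e.user_id, set())]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    staff = {"u.smith": {"9999000011"}}  # constructed: u.smith's own HCN
    for e in flag_self_or_family_access(evs, staff):
        print("REVIEW:", e)
```

Note that this only works if every PHI access, including read-only viewing, is logged, and if the log is retained as long as the PHI records themselves.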

Q: How to balance audit log storage retention with financial ability?

Depends on the situation - for offline analysis.

Session goals:

  • To provide the participants with an overview of privacy within the health context
  • Provide an overview of the laws that cover the work we do.
  • Emphasis on provision on PHIPA
  • Breach management processes (how to set up)
  • Processes within the ministry that we all need to integrate with (FOI, etc.)
  • Relevance of a PIA
  • Recent updates to PHIPA, introduced last year.
  • Access controls, authentication
  • Open data & analytics
  • Open text fields
  • Retention controls
  • Information exchange & authentication
  • Understanding role of PIAs, privacy, role of IT/business on sign off

For breaches, there is a set process.