Unauthorized access

Preventing or Reducing the Risk of Unauthorized Access

The collection, use or disclosure of personal health information without the consent of individuals and for purposes that are not permitted or required by the Personal Health Information Protection Act (PHIPA) is commonly referred to as unauthorized access, or “snooping.” Unauthorized access includes the viewing of personal health information in electronic information systems, and may be motivated by a number of factors including interpersonal conflicts, curiosity, personal gain or concern about the health and well-being of individuals.

As a health information custodian (custodian), you are required to take reasonable steps to ensure that personal health information is protected against theft, loss, and unauthorized use and disclosure, and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal. You must also take reasonable steps to ensure that personal health information is not collected without authority and that records of personal health information are retained, transferred and disposed of in a secure manner. Unauthorized access must be taken seriously, regardless of the motive. The protection of privacy should be integral to the delivery of health care and embedded into the culture of every health care organization.

You can work towards minimizing the risk of unauthorized access by incorporating a variety of measures, such as:

  • Develop and implement comprehensive privacy policies and procedures that set out the expectations and obligations of all agents for the protection of personal health information.
  • Develop and implement a comprehensive privacy training and awareness program that requires all agents to complete privacy training at the beginning of their employment, contractual or other relationship with the custodian and before being granted access to personal health information.
  • Provide ongoing annual privacy training to ensure agents understand the expectations and obligations for the protection of personal health information under your privacy policies and procedures as well as under PHIPA.
  • Ensure that electronic information systems that contain personal health information in your custody or control include privacy notices and privacy warning flags.
  • Require all agents to sign confidentiality agreements, before being granted access to personal health information and on annual basis thereafter, to acknowledge the privacy expectations and obligations for the protection of personal health information under your privacy policies and procedures as well as under PHIPA.
  • Require all agents to sign end-user agreements acknowledging the expectations and obligations that apply to personal health information in electronic information systems before being granted access and on an annual basis thereafter.
  • Develop and implement comprehensive policies and procedures and physical, technical, and administrative measures, such as password controls and search controls, to limit access to and use of personal health information by agents based on the need-to-know principle.
  • Ensure that all accesses to personal health information in electronic information systems are logged, audited, and monitored on an ongoing, targeted (reactive), and random (proactive) basis.
  • Develop and implement comprehensive privacy breach management policies and procedures that address the identification, reporting, containment, notification, investigation, and remediation of suspected or actual privacy breaches.
  • Develop and implement policies and procedures that set out the types of discipline or corrective action that may be imposed on agents for privacy breaches, including termination of the employment, contractual or other relationship with the custodian, and the circumstances in which the actions of agents may be reported to third parties, including the police, their health regulatory college and/or the Attorney General or their agent to commence a prosecution under PHIPA.

For more information on preventing unauthorized access, please read our guidance document, Detecting and Deterring Unauthorized Access to Personal Health Information.

 

Is It Worth It?

To address the issue of unauthorized access, the IPC launched an educational campaign that asks the question, “Is it worth it?” to those who would contemplate accessing medical records without authorization. The materials feature stark messages about the possible consequences of getting caught snooping, including damage to professional reputations, termination by employers, disciplinary action by regulatory colleges or professional associations, fines, and even civil lawsuits.

Watch the Video

 

Poster
 Is it worth it poster thumbnail image
Click to download

 

This post is also available in: French