A review by the Information and Privacy Commissioner of Ontario (IPC) of two significant privacy breaches involving the sale of new mothers’ personal health information for financial gain has determined that Rouge Valley Health System (hospital) failed to put in place reasonable technical and administrative safeguards to protect patient information.
In Order HO-013, issued today, Acting Commissioner Brian Beamish found the hospital was not in compliance with its obligations under the Personal Health Information Protection Act, (PHIPA) and ordered the hospital to implement changes to its electronic information systems, revise its privacy and audit policies, as well as deliver privacy training to all staff.
This post is also available in: French
