Is your medical clinic compliant with PIPA? Twelve recommendations from a recent case involving an OIPC audit

Part 3 of our series on Privacy and Data Security Best Practices.

An interesting case was published last month concerning the first audit of a private business that the Office of the Information & Privacy Commissioner for British Columbia (OIPC) has undertaken through its Audit & Compliance Program, established in 2014. Interestingly, the first private sector business the OIPC audited turned out to be a medical clinic.

The findings, which are published here, highlighted a particular situation that called into question the use of video and audio surveillance within the clinic. However, the audit covered much more than this. Its goal was to review the extent to which the clinic was in compliance with British Columbia’s Personal Information Protection Act (PIPA), to identify risk factors in protecting personal information, and to provide recommendations to strengthen clinic policies and practice. The audit uncovered a number of issues:

  • Significant problems were cited concerning the clinic’s storage, security and disposal of personal information. While a complete technology assessment of the clinic’s EMR was not part of this particular audit, one of the key concerns the auditors cited was that privacy risk assessments had never been done.
  • Paper records are stored on a shelf behind the reception desk, which is separated from the public, but they were not kept in a locked facility.
  • Clinic staff manually tore up paper records and disposed of them with regular garbage.
  • The clinic owner kept his door open, and the CCTV monitors could be viewed by other staff.
  • Logs had not been kept of when, why and by whom CCTV or audio recordings had been accessed, reviewed or disclosed (e.g., to police).
  • The clinic had not conducted an internal audit of the access to and use of personal information.
  • The clinic owner was unaware of whether a confidentiality agreement relating to the protection of employee or patient personal information was in place with the software company managing the clinic’s EMR.

12 Recommendations that are worthy of everyone’s attention

It is well worth asking yourself: are you already following the recommendations the auditors made concerning this particular clinic?

Recommendation 1: The clinic should update its Privacy Policy with six provisions that were missing from its present one, including, among others, a clear statement that personal information is collected in accordance with PIPA and a definition of personal information that is consistent with BC legislation.

Recommendation 2: The clinic should formally review its privacy policies at a minimum of every three years to make sure they are relevant and up to date.

Recommendation 3: The clinic should immediately cease the collection of personal information via video and audio recording equipment.

Recommendation 4: The clinic should create and regularly maintain a personal information inventory related to the collection of personal information from patients and employees. The sensitivity of the information, the type of information collected, where it is stored, why it was collected and how the clinic intends to use it should be included in the inventory.

Recommendation 5: The clinic should develop formal procedures and conduct privacy risk assessments at least annually to ensure that a) adequate safeguards are in place to protect collected personal information and b) collection is limited to only the personal information necessary for the purposes identified.

Recommendation 6: The clinic should develop and provide regular privacy training and education to all staff, with initial training to occur within three months of receiving the audit.

Recommendation 7: The clinic should formally review this training and education at a minimum of every three years and update as necessary.

Recommendation 8: The clinic should develop and request that all clinic staff sign an agreement related to the protection of personal information at the completion of privacy training. This agreement should be reviewed and re-signed annually by all clinic staff.

Recommendation 9: The clinic should shred paper records containing patient or employee personal information when disposing of the records.

Recommendation 10: The clinic should store paper records securely in locking cabinets or behind locked doors, and should lock those cabinets and doors whenever access to the records is not necessary.

Recommendation 11: The clinic should develop formal procedures and conduct regular audits of access to and use of personal information within the clinic.

Recommendation 12: The clinic should immediately ensure that a confidentiality agreement is in place with its EMR software support company with respect to the protection of employee and patient personal information.

The entire report makes interesting reading. As part of this ongoing series of blogs on privacy and data security best practices, we will share some practical methods you can use to self-assess your clinic for compliance with PIPA.

In the meantime, if you need help, contact us.