Introduction

Health Unit agents collect, use and disclose personal information including personal health information in the management and delivery of public health services.  A privacy breach happens when personal information is collected, used, disclosed or disposed of in a manner that does not comply with applicable privacy legislation and the policies of the agency.

The most common privacy breaches are:

• unauthorized collection of personal health information (information is collected without consent or legal authority),
• unauthorized disclosure of personal health information through:
  • loss (a file is misplaced),
  • theft (a laptop is stolen), or
  • mistake (a letter addressed to one person gets faxed to the wrong person), and
• unauthorized or unsecured disposal of personal health information (an unshredded file is left in the garbage).

Purpose

The purpose of this policy is inform Simcoe Muskoka District Health Unit Board of Health members, employees, students, volunteers, contractors (collectively defined as Health Unit agents) and members of the public of their rights and obligations in the event of a privacy breach.

While this policy focuses on privacy breach, it should be interpreted within the context of the PERSONAL INFORMATION INCLUDING PERSONAL HEALTH INFORMATION PRIVACY – PRINCIPLES policy and the related set of policies that collectively define the information practices of the Health Unit for the purposes of all applicable privacy legislation.

Policy Definitions & Interpretations
This policy and any specific terms used herein will be interpreted to ensure consistency with all applicable information privacy legislation, including MFIPPA, RHPA and PHIPA. This policy cannot fully describe how the legislation is to be applied in every instance by the Health Unit. As a result, there may be circumstances where the legislation itself should be referred to, or specialized advice regarding privacy should be obtained.

For the purposes of this policy statement:

“agent” means a person that, with the authorization of the Medical Officer of Health as a Health Information Custodian (HIC), acts for or on behalf of the HIC in respect of personal health information for the purposes of the HIC, and not for the agent’s own purposes, whether or not the agent has the authority to bind the HIC, whether or not the agent is employed by the HIC, and whether or not the agent is being remunerated;

“applicable privacy legislation” means MFIPPA, and PHIPA;

“health information custodian (HIC)” means a person or organization …who has custody or control of personal health information as a result of or in connection with performing the person’s or organization’s powers or duties or the work as a medical officer of health of a board of health within the meaning of the Health Protection and Promotion Act , 1990

“Health Unit” means the Simcoe Muskoka District Health Unit

“MFIPPA” – means Municipal Freedom of Information and Protection of Privacy Act, 1991

“PHIPA” – means Personal Health Information Protection Act, 2004

 “personal health information” means identifying information about an individual in oral or recorded form, if the information:

• relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family,
• relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual,
• is a plan of service within the meaning of the Long-Term Care Act, 1994 for the individual,
• relates to payments or eligibility for health care in respect of the individual,
• relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such body part or bodily substance,
• is the individual’s health number, or
• identifies an individual’s substitute decision-maker.

“personal information” means recorded information about an identifiable individual, including:

• information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual,
• information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,
• any identifying number, symbol or other particular assigned to the individual,
• the address, telephone number, fingerprints or blood type of the individual,
• the personal opinions or views of the individual except if they relate to another individual,
• correspondence sent to an institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to that correspondence that would reveal the contents of the original correspondence,
• the views or opinions of another individual about the individual, and
• the individual’s name if it appears with other personal information including personal health information relating to the individual or where the disclosure of the name would reveal other personal information including personal health information about the individual.

"record" is broadly defined to include any record of information however recorded.  This includes correspondence, minutes, reports, photographs, computer tapes and disks, files, and any other recorded information regardless of medium or format.  The definition also includes a record that does not yet exist but which can be created from existing data in a computer system.

“RHPA” – means Registered Heath Professions Act, 1991

Policy

It is the responsibility of Health Unit agents in possession of a record of personal information including personal health information to ensure the security of that record and to take the necessary measures to prevent unauthorized collection, use, disclosure or disposal of the record.

Health Unit agents will document and report all privacy breaches to their immediate supervisor.  Supervisors will take immediate action to identify the scope of the breach and to contain the breach.

If a record containing personal information including personal health information has been lost, stolen or accessed by unauthorized personnel the individual(s) will be informed of the privacy breach.

The Associate Director of Corporate Service (ADCS) is responsible for ensuring that individuals who were subject to a privacy breach are informed of the breach, for reviewing reports of all privacy breaches and recommending preventive action and for reporting to the Privacy Commission as required.

Procedures

A. Identifying and Containing a Privacy Breach:

1. If a record has been stolen the Health Unit agent will report the theft and the circumstances involved to the local police authority and then proceed to step 3.
2. If a record is missing (i.e. cannot be located when needed) or has been accessed by unauthorized personnel, the agent discovering the loss or unauthorized access (e.g. letter containing personal health information faxed to the wrong number).
3. The agent will notify his/her program manager immediately.
4. The manager/supervisor will review, with the agent the circumstances associated with the loss/theft, unauthorized access of the record. If it is determined that a record has come into the possession of a third party (e.g. through theft), the Medical Officer of Health will be notified of the circumstances both verbally and in writing.
5. The manager/supervisor, with the agent, identifies the extent of the privacy breach and take steps to contain it including:
   • retrieve the hard copies of any personal information including personal health information that has been disclosed.
   • ensure that the person who was not authorized to receive the information did not make or keep copies of the information and get that person’s contact information in case you need to follow up.
   • determine whether the privacy breach allows unauthorized access to any other information (for example, through an electronic information system). Take all appropriate steps (for example, change passwords) to stop any further breaches.
6. The manager/supervisor with the agent and others as required (MOH, Director, Associate Director of Corporate Service) will determine what actions could be undertaken to avoid a re-occurrence.

B. Notification of a Privacy Breach

1. The program manager, with the agent member, and others as required (MOH, Director, Associate Director of Corporate Service) will:

• Identify the people whose privacy has been breached.
• Notify (by telephone or in writing) anyone whose privacy was breached (except for any of those who do not have the right to see or obtain their own information).
• Specify what and how much information was affected.
• Explain immediate and long-term steps taken to rectify the breach.
• Note the unauthorized uses and disclosures in or linked to the affected records.

C. Reporting a Privacy Breach or Privacy Complaint

Reports of a privacy breach may be generated internally by Health Unit agents or may come as a complaint from the public.

1. The agent will complete a “Report of Privacy Breach”  Form A1.048 (F1) report detailing:
• essential identifying information of the person(s) whose privacy has been breached
• the last known location of the record(s),
• efforts made to locate the record(s),
• circumstances related to the loss or discovery of unauthorized access
• date last signed out and by whom and
• other relevant information e.g. police report
• outcomes and actions taken to notify the affected parties and address the reason for the breach.
2. The original of the report will be forwarded to the Service Director, who reviews the report and forwards to the Associate Director Corporate Service for filing in the Central Corporate file. A copy of the report will be retained by the agent and by the manager/supervisor. (If the record is subsequently located, a follow-up communication will be sent to the same people, and the new record will be merged with the recovered record).
3. The agent will create a new record and document the fact that the original record has been lost, as well as any information from the original record that can be accurately recalled. The “Breach of Security” report will be cross-referenced on the record.

D. Audit and Reporting on Breaches of Personal Privacy

1. On an annual basis, the ADCS will review and compile a report of the privacy breaches under the Personal Health Information Protection Act, 2004 and the Municipal Freedom of Information and Protection of Privacy Act, 1991.
2. The ADCS will submit to executive committee the report along with a summary of actions taken to prevent future privacy breaches and recommendations for additional action.
3. The report will be reviewed by executive committee and response to recommendations documented.
4. The ADCS will provide the required information regarding privacy breaches to the Privacy Commission as part of a report submitted annually or upon request.

Related Policies:
Policy A1.041  Personal Information Including Personal Health Information Privacy – Principles
Policy A1.042  Personal Information Including Personal Health Information Privacy – Accountability
Policy A1.043  Personal Information Including Personal Health Information Privacy – Consent
Policy A1.044  Personal Information Including Personal Health Information Privacy – Collection & Use
Policy A1.045  Personal Information Including Personal Health Information Privacy – Disclosure
Policy A1.046  Personal Information Including Personal Health Information Privacy – Access
Policy A1.047  Personal Information Including Personal Health Information Privacy – Correction
Policy A1.048  Personal Information Including Personal Health Information Privacy – Privacy Breach

Policy
Final Approval Signature: __________________________________
                                                            Board of Health
Review/Revision History:
2006-09-20 Revised

Procedure
Final Approval Signature: __________________________________
                                                            Executive Committee
                                                           
Review/Revision History:
2006-10-02 Revised