Mohawk DI-r: Privacy Breach Management Procedure Version 2.0 April 2011
Table of Contents
1 Purpose ... 3
2 Terminology ... 5
3 Identifying a Privacy Breach ... 5
4 Monitoring for Privacy Breaches ... 6
5 How to Report Privacy Breaches ... 7
6 How to Contain Privacy Breaches ... 8
7 How to Investigate Privacy Breaches ... 8
8 How to Notify Individuals of Privacy Breaches ... 9
9 How to Remediate Privacy Breaches ... 10
Appendix A: Breach Management Report Template ... 12
1 Purpose

The purpose of this Privacy Breach Management Procedure is to assist the hospitals in the Waterloo Wellington (WW) Local Health Integration Network (LHIN 3) and the Hamilton Niagara Haldimand Brant (HNHB) Local Health Integration Network (LHIN 4), Mohawk Shared Services (Mohawk) and Regional Shared Services (RSS), and individuals functioning on their behalf, in responding quickly and effectively to privacy breaches relating to the Mohawk Diagnostic Imaging Repository (DI-r). It does so by describing how organizations and individuals participating in the DI-r should identify, monitor, report, contain, investigate, notify and remediate privacy breaches that involve the DI-r data set (i.e. personal health information, including diagnostic images, reports, health numbers and patient identifying information).

This procedure governs the privacy breach management activities of Mohawk, RSS and the health information custodians participating in the DI-r in relation to actual or suspected privacy breaches that may involve personal health information they collect, use or disclose via the Mohawk DI-r.

The following diagram provides an overview of the breach management process.
[Figure: Mohawk DI-r Privacy Breach Management Process Overview. The flow diagram has four swimlanes; the steps in each are listed below, with references to the Parts of this procedure.]

Lead Custodian:
1. Identification of a potential privacy breach through audit log monitoring, staff or patient complaint or other means (see Part 4).
2. Did an actual privacy breach occur? (see Part 3). If yes, commence breach containment (see Part 6).
3. Did the breach involve personal health information accessed via the DI-r? If no, follow the internal incident management protocol. If yes, notify the Mohawk Privacy Lead of the breach.
4. Conduct the investigation (see Part 7) and develop the breach investigation report (see Appendix A); take any additional steps required to contain the breach.
5. Notify the individuals whose privacy was breached (see Part 8).
6. Submit the breach investigation report, including the remediation plan, to the Mohawk Privacy Lead.
7. Implement the remediation plan.

Mohawk:
1. Notify RSS of the suspected breach.
2. Again confirm: did an actual privacy breach occur? (see Part 3). If no, follow up with the Privacy Officer that identified the potential breach.
3. If yes, notify the affected custodians of the breach and advise the Lead Custodian (generally the Privacy Officer that identified the breach) of the breach scope.
4. Share the breach investigation report with other affected custodians and RSS, where appropriate.
5. Obtain sign-off from all affected custodians.
6. Share relevant information from the breach investigation report with the custodians participating in the DI-r.

RSS:
1. Work with Mohawk to run the audit report and identify the affected custodians.
2. Provide the audit report information to the Mohawk Privacy Lead. Where the breach involves custodians from LHINs 1 or 2, coordinate the breach response with Mohawk.

Other Affected Custodian(s):
1. Assist Mohawk and the Lead Custodian with the breach investigation, as required.
2. Review, revise and sign off on the breach investigation report.
2 Terminology

Lead Custodian: In order to prevent multiple parties from reporting a breach to affected individuals or organizations multiple times, the parties involved in the breach will identify a single organization to lead the breach management activities, including containment, investigation, notification and resolution. Unless there is justification for an alternative approach, the lead organization will be the health information custodian that identified the breach or suspected breach.

Mohawk Shared Services (Mohawk): A not-for-profit organization that serves clients in the health care, public and volunteer sectors with business support solutions that standardize processes, increase efficiencies and contain costs. It operates four independent business streams that focus on supply chain services, central laundry, employee assistance services and a diagnostic imaging repository.

Regional Shared Service (RSS): A program of London Health Sciences Centre that provides direction and support for implementing a shared IT solution at sites throughout Southwestern Ontario. RSS is governed through a Memorandum of Understanding between participating organizations in LHINs 1 and 2. RSS provides the diagnostic imaging technical infrastructure and support services used by Mohawk in support of the Mohawk DI-r.

3 Identifying a Privacy Breach

A privacy breach occurs when a health information custodian, Mohawk or RSS, or an individual acting on their behalf:
- has contravened or is about to contravene a provision of the Personal Health Information Protection Act, 2004 (PHIPA) or the PHIPA Regulation; [1]
- believes or has reason to believe that personal health information involved with the Mohawk DI-r has been lost, stolen, or has been used, accessed, disclosed, copied, modified or destroyed in an unauthorized manner; [2]
- collects, uses or discloses personal health information for purposes other than those described in their DI-r Service Agreement or Purchased Service Agreement;
- provides access to the Mohawk DI-r data set to an individual who is not qualified to access the DI-r data set; or
- contravenes the applicable privacy provisions of the DI-r Service Agreement between hospitals participating in the DI-r and Mohawk, or of the Purchased Services Agreement between Mohawk Shared Services and Regional Shared Services.

[1] Information and Privacy Commissioner/Ontario. What to do When Faced with a Privacy Breach: Guidelines for the Health Sector.
[2] PHIPA, section 12(1).

4 Monitoring for Privacy Breaches

Each health information custodian (e.g. hospital) participating in the Mohawk DI-r must monitor its agents' activities to ensure that the DI-r data set is collected, used and disclosed within the terms and conditions of the DI-r Service Agreement and in compliance with PHIPA. Mohawk, with the assistance of RSS, will undertake audits on behalf of health information custodians to identify any unauthorized accesses and will provide these reports to health information custodians on a regular basis for follow-up and review. In addition, health information custodians may request specific audit log reports by patient or by authorized DI-r user to assist them in conducting audits. For additional information on the audit process and frequency, refer to the Mohawk DI-r Audit Procedure.

Monitoring activities that may be completed by Mohawk, with the assistance of RSS, include:
- reviewing the DI-r audit log reports on a regular basis for unusual or unauthorized activities, specifically access requests across health information custodians (e.g. a health care provider accessing the personal health information of a patient with whom they have no readily apparent clinical relationship);
- reviewing the list of authorized agents with access to the Mohawk DI-r data set to ensure the list is up to date (e.g. users have made an access request within the past 12 months); and
- assisting health information custodian Privacy Officers in investigating privacy complaints to confirm whether a privacy breach has occurred.

Monitoring activities that may be completed by health information custodians include:
- promptly (e.g. within two weeks of receipt) reviewing the audit log reports provided by Mohawk to ensure that all identified user accesses to personal health information are for authorized purposes; and
- requesting audit logs by patient or by authorized DI-r user upon patient request or as part of existing organizational auditing practices.

5 How to Report Privacy Breaches

Agents of health information custodians (e.g. physicians, nurses, technicians) are responsible for immediately reporting privacy breaches or suspected privacy breaches involving the Mohawk DI-r to their Privacy Officer. Where the breach may involve personal health information collected from multiple sites, the Privacy Officer must notify Mohawk, which will work with RSS to determine the extent of the breach and notify other affected custodians (e.g. custodians that have collected personal health information that may have been breached, or those with users who may have perpetrated a breach). All Privacy Officers at hospitals participating in the Mohawk DI-r must assist in breach investigations.

The Mohawk Privacy Lead may be contacted by telephone at 1-866-790-4642 ext. 2704 or by email at dlarwood@mohawkssi.com.

Health information custodian Privacy Officers must report the following information to Mohawk at the first reasonable opportunity (a sample reporting template is included as Appendix A to this procedure):
- the date and time the actual or suspected privacy breach occurred;
- a general description of the privacy breach; and
- the immediate steps that have been or will be taken to contain and remedy the breach (see Parts 6 and 9, respectively).

The Mohawk Privacy Lead will be responsible for leading Mohawk DI-r breach responses where the breach occurs due to the actions of an individual or organization acting on behalf of Mohawk. In such cases, the Mohawk Privacy Lead is responsible for ensuring that the following breach management activities occur: containment, investigation, notification and resolution. However, even in such circumstances, the affected health information custodians will be responsible for notifying the individuals whose privacy has been breached.
Where the breach is the result of the activities of a health information custodian or its agent, relates to personal health information in the custody or control of that health information custodian, and does not involve the Mohawk DI-r, the health information custodian will be responsible for managing the breach in compliance with its own information practices.

The Mohawk Privacy Lead will consult with the affected health information custodians prior to reporting a breach to any of the following parties:
- the IPC;
- law enforcement, if theft or another crime is suspected;
- technology vendors or suppliers that may need to assist in breach containment and resolution; or
- professional or regulatory bodies responsible for disciplining the individuals involved in the breach and/or that require notification. [3]

6 How to Contain Privacy Breaches

The organization responsible for a privacy breach involving the Mohawk DI-r must take steps to determine the scope of the breach and contain it. Containment means preventing additional records of personal health information from being affected, as well as ensuring that the affected records are not further compromised, by:
- retrieving hard or electronic copies of the information that was inappropriately used or disclosed;
- receiving confirmation that the information was destroyed, in lieu of retrieving hard or electronic copies;
- permanently or temporarily disabling access to the Mohawk DI-r; and/or [4]
- taking immediate action to contain the privacy breach and alleviate its consequences.

Containment is complete when the personal health information that is the subject of the privacy breach is no longer at risk of the inappropriate collection, use, disclosure or access that resulted, or may have resulted, in the breach.

7 How to Investigate Privacy Breaches

The organization(s) affected by the privacy breach must conduct an investigation to:
- determine the cause of the privacy breach;
- ensure containment was successful;
- evaluate the adequacy of administrative, technical and physical safeguards; and
- determine remediation plans to prevent future breaches. [5]

Where a privacy breach occurs at a health information custodian and involves the Mohawk DI-r, the Privacy Officer conducting the investigation must provide a written report to Mohawk once the investigation is complete or within one month following the incident, whichever is sooner (see Appendix A for a breach management report template). The written report should include:
- a description of the privacy breach;
- the circumstances under which the breach occurred;
- the steps the health information custodian is taking to address the breach and minimize the risk of recurrence; and
- any other information reasonably requested by Mohawk in order to minimize the risk of similar breaches occurring in the future.

Where a privacy breach occurs at Mohawk, the Mohawk Privacy Lead will provide a written report to the affected health information custodians participating in the Mohawk DI-r (or, in the case of a severe privacy breach, to all health information custodians participating in the Mohawk DI-r) once the investigation is complete or within one month following the incident, whichever is sooner. Where the breach involves health information custodians in LHINs 1 and 2, the report will be provided to RSS for notification of the affected custodians within those LHINs. Where the breach occurs at RSS and involves health information custodians in the WW and HNHB LHINs, RSS will develop the written report and provide it to Mohawk. The written report will include:
- a description of the unauthorized access, use or disclosure;
- the circumstances under which the unauthorized access, use or disclosure occurred; and
- the steps that Mohawk and/or RSS is taking to address the unauthorized access, use or disclosure and minimize the risk of recurrence.

Mohawk and RSS may work with the other health information custodians affected by the breach to investigate and resolve the incident.

[3] Information and Privacy Commissioner/British Columbia. Breach Notification Assessment Tool. December 2006.
[4] Office of the Privacy Commissioner of Canada. Key Steps for Organizations Responding to Breaches.
[5] Information and Privacy Commissioner/Ontario. What to do When Faced with a Privacy Breach: Guidelines for the Health Sector.

8 How to Notify Individuals of Privacy Breaches

Health information custodians are required to notify an individual whose personal health information was stolen, lost or accessed by unauthorized persons, as well as collected, used or disclosed in a manner or for a purpose not permitted by PHIPA. [6] The notification should provide sufficient information about what happened and the nature of the potential or actual risks to the individual, and should include:
- the date (or timeframe) of the breach;
- a general description of what happened;
- a generic description of the types of personal health information involved, including whether any unique identifiers or sensitive information were involved;
- a brief description of the steps taken to control or reduce the harm and the steps planned to prevent further privacy breaches;
- the contact information of the individual who can provide further information or assistance; and
- how to contact the IPC. [7]

The organization responsible for leading the privacy breach response (i.e. the Lead Custodian, generally the organization that identified the breach) should work with the IPC, if and as needed, to determine and develop appropriate notifications.

[6] The requirements for breach notification identified in this procedure build upon the statutory requirements under section 12(2) of PHIPA, but are broader in nature and encompass inappropriate collection, use or disclosure, all of which require patient notification.
[7] Information and Privacy Commissioner/British Columbia. Breach Notification Assessment Tool. December 2006.

9 How to Remediate Privacy Breaches

The organization(s) affected by the privacy breach must determine a remediation plan to address the cause of the privacy breach and ensure that the breach, or similar breaches, do not recur. The remediation plan should include:
- a detailed description of the remediation activity (e.g. a review of the relevant information management systems, any amendments or reinforcements to existing policies and/or practices, development and implementation of new security or privacy measures, testing and evaluation of the remedial plans, and training of staff);
- the individual responsible for implementing the remediation activity; and
- the implementation schedule (i.e. when the implementation will be complete).

Remediation plans should be reviewed, approved and monitored by the Privacy Officer of the organization leading the breach investigation and resolution.

The organization(s) affected by the privacy breach must report the completion of the remediation activities to the Mohawk Privacy Lead, who will track all privacy breaches involving the Mohawk DI-r in order to determine system enhancements that can improve the protection of personal health information. Reports concerning privacy breaches and remediation plans will be made available to all health information custodians participating in the Mohawk DI-r in a manner that does not identify the organizations and parties involved.
Appendix A: Breach Management Report Template

Privacy Breach Timeline, Overview, and Response

The following table identifies the steps taken to contain the breach and identify its scope, investigate the circumstances of the breach, notify the patients involved, and develop a remediation plan. Each row records the Date/Time, the Breach Management Stage, and a Description of Actions Taken.

Row 1
  Date/Time: [Insert date and time]
  Breach Management Stage: Breach Identification
  Description of Actions Taken: [Insert overview of breach identification and description of actions taken.]

Row 2
  Date/Time: [Insert date and time]
  Breach Management Stage: Breach Containment and Scope Identification
  Description of Actions Taken: [Insert overview of breach containment and scope identification, and description of actions taken.]

Row 3
  Date/Time: [Insert date and time]
  Breach Management Stage: Notification of Clients Impacted by the Breach and IPC (where applicable)
  Description of Actions Taken: [Insert a description of the notification process and the content of the notice. See Part 8 for breach notification content requirements. Where a letter or script is used, it should be appended to the breach management report.]

Row 4
  Date/Time: [Insert date and time]
  Breach Management Stage: Remediation Plan
  Description of Actions Taken: [Insert description of remediation action required. See the remediation action plan table below.]

Privacy Breach Remediation Action Plan

The following table sets out the remediation action required to reduce the probability of similar privacy breaches occurring in the future, together with the remediation strategies and implementation timelines to address them. Each row records the Remediation Action, the Immediate Remediation Strategies and Actions Taken, and the Status and Expected Date of Completion.

Row 1
  Remediation Action: [Insert overview of remedial action for the privacy issue identified.]
  Immediate Remediation Strategies and Actions Taken: [Insert description of remedial action steps to be taken.]
  Status and Expected Date of Completion: [Insert status of remedial action (complete / partially complete / incomplete) and the expected date of completion.]