From the Office of the Information and Privacy Commissioner of British Columbia, a press release and an audit report. First, the press release:
Medical clinics throughout British Columbia need to do more to protect the often highly sensitive personal information in their custody, according to a newly released review from the Office of the Information and Privacy Commissioner for British Columbia (OIPC).
Audit and Compliance Report P19 01: Compliance Review of Medical Clinics looked at how 22 BC medical clinics, each with five or more licensed physicians on staff, were meeting their legal obligations under the Personal Information Protection Act (PIPA). PIPA governs how private organizations collect, use, and disclose personal information.
OIPC auditors examined clinics’ privacy management programs and privacy policies as well as their collection and safeguarding of personal information.
The review found gaps in privacy management programs at several clinics, including the absence of a designated privacy officer, a lack of funding and resources for privacy, and a failure to ensure that privacy practices keep up with technological advances.
Michael McEvoy, Information and Privacy Commissioner, said that the report raises concerns about patient privacy that are relevant throughout the province.
“Medical clinics were chosen for this review for two reasons: the amount and sensitivity of the personal information they collect – some of the most sensitive personal information out there – and the volume of complaints and privacy breach reports my office receives that are related to privacy practices at facilities like these. The results show that while some clinics were complying with their obligations, many have work to do when it comes to improving their privacy practices,” the Commissioner said.
“There is no question about the intense demands medical professionals face; however, respecting and protecting patients’ private information is critically important. Doctors and staff at clinics not only owe it to their patients to do their utmost to build and maintain strong privacy programs, but they are also legally obligated to abide by privacy legislation. I hope that the focus of this report underscores the need for clinics to address gaps in how they protect this sensitive personal information, and my office’s willingness to assist them in doing so.”
To that end, the report includes 16 recommendations aimed at helping clinics address the gaps in their privacy management programs, build better policies and safeguards, and ensure they provide adequate notification about the purposes of collecting personal information online. The report recommends that clinics:
- build a robust privacy management program that covers everything from creating a personal information inventory and privacy policies through to breach response protocol and monitoring compliance;
- ensure adequate funding and resources for effective privacy management programs;
- designate a privacy officer and establish and communicate clear internal reporting structures on privacy issues;
- provide ongoing privacy training for all who access personal information, including staff, physicians and contractors; and
- exercise caution when collecting information online and ensure adequate notification to patients.
The report is available for download here: https://www.oipc.bc.ca/audit-and-compliance-reports/2340