Ontario’s Privacy Commissioner is putting pressure on businesses and doctors to practice better information and records management and stem the leaking of personally identifiable information.
In a report released yesterday, Ann Cavoukian calls on companies of all sizes to put in place best practices for information management.
She also wants a fast solution to the problem of retiring doctors abandoning patient records.
This comes after her office’s busiest year ever, with 264 privacy complaints filed against municipal or provincial government organizations, according to the 2009 annual report. Another 169 privacy complaints were filed against Ontario’s health sector.
Organizations must stop data leaks
Two glaring data leaks in 2009 show that businesses must take privacy controls more seriously, the report says. In July, Toronto Hydro announced its e-billing system had been breached and some customer records compromised. In December, a USB key containing health data of 84,000 patients receiving the H1N1 flu vaccine was lost in the Durham Region.
“Regardless of the business size, if they are collecting any personal information, that information may be at risk,” Cavoukian says in an interview. She called on businesses to practice “full lifecycle protection, from end-to-end.”
That includes ensuring personally identifiable information is destroyed thoroughly when no longer needed, she says. Paper records can be shredded, but data on a hard drive requires some extra consideration.
“Take a hammer to it or do some sort of physical destruction to make sure that data can’t be restored. The risk to not protecting your customer’s information is much greater than the costs of good privacy protection.”
Ingraining protection of data might seem like a tall order for small businesses, but it’s well worth the effort.
A data leak costs a business an average of $142 per record, notes Nandini Jolly, CEO of Toronto-based CryptoMill Technologies, a data encryption vendor.
CryptoMill was called in to help train Durham staff after the December breach. Other companies shouldn’t wait until after the fact.
“It’s just as critical for a small company as for a large company,” she says. “It must be weaved into the DNA of their day-to-day operations to be effective.”
A relatively small investment can prevent a potentially business-ending data breach, Jolly says. The first step for businesses getting started with implementing strong information management practices is for the senior leaders or CEO to make it known that data privacy protection is part of workplace culture.
Challenge of abandoned records
Cavoukian is calling on the Ministry of Health and Long-Term Care to amend the Personal Health Information Protection Act (PHIPA) and find a solution to doctors abandoning health care records. The appropriate medical college should be ultimately responsible for ensuring records are properly managed.
“We need a solution right now,” Cavoukian says. “Make the colleges responsible so they’ll impose penalties on members if they don’t do it.”
Ontario physicians are currently working towards converting to electronic health records (EHRs) instead of paper-based records.
The records could then be easier to manage, but the process is slow-moving: currently only about 10 per cent of doctors are using electronic records exclusively, though about one-third use some EHRs.
If the government would pay for the conversion process, that could happen a lot more quickly, suggests Sid Soil, vice-president of sales and marketing at DOCUdavit Services Inc. The Toronto-based firm manages records for doctors.
“It would be nice if the government covered the cost of patient transfers and scanning medical records,” he says. “But we’re talking about substantial public dollars and there’s no appetite for that sort of thing.”
Few doctors store records electronically, Soil says. But DOCUdavit converts documents it manages over time. Though the firm manages the records on behalf of doctors, responsibility for the file remains with the doctor until 10 years after they stop practicing. After that, the records can be destroyed if a patient hasn’t claimed them or transferred them.
Most doctors are very aware of their responsibility to care for patient records, he adds. But Canada is facing a family physician shortage and that means fewer doctors are available to take over when one retires.
“I read about it across the country,” Soil says. “We need more doctors.”
Ontario will see some dramatic shifts over the next few years as more doctors move to EHRs, Cavoukian says. Both digital and paper records must be better accounted for by medical professionals now.