Privacy Breach: To Whom and How to Report


Better safe than sorry is the right way for clinics to approach the new rule changes to Canada’s federal private sector privacy law that came into effect on November 1, 2018.

As the third post in this series suggested, you need to keep a record of every breach. And you must report those that involve a real risk of significant harm (RROSH). Most data breaches involving medical records would fall under the RROSH guidelines, which means there are multiple steps to the reporting process.

Informing Privacy Commissioner

For one, any organization must notify the Office of the Privacy Commissioner of Canada (OPC) following a breach, using a PIPEDA breach report form. That includes a responsibility for personal information it has transferred to a third party for processing — including physicians who use medical transcription services.

Beyond that, individuals affected or potentially affected by the breach must also be notified. The timing is as open to interpretation as so many aspects of the guidelines, with the OPC requiring that notification be given “as soon as feasible” after a breach of security safeguards that involves a RROSH.

While the ‘when’ (the “as soon as feasible”) is a little loose, the ‘what’ is more concrete.

The individual needs enough information to truly understand the implications of the breach and to take any steps possible to reduce the potential impact. The expectation is that the material is easily digestible and avoids legal jargon.

The regulations specifically require a description of the circumstances of the breach; the day or period during which it occurred (or approximate time); a description of the personal information that was accessed; the steps the organization has taken to reduce the risk of harm that could result; the steps affected individuals can take to lessen potential harm; and contact information the patient can use to get more information about the breach.

The notification must be given directly to the individual, whether in person, by phone, by mail or by email.

Others to involve in the notification process could include the police, or a third-party service, such as a provider of medical transcription, when their involvement could help reduce the risk of harm from a breach.

If you're considering medical transcription outsourcing, this should be one of the questions you raise with any medical transcription service in Canada. When selecting a transcription company, anywhere in Canada, consider asking what their experience has been with privacy breaches. You may also find that your transcription company has a process in place to handle a privacy breach and can provide you with help.


See the remainder of our series of articles on Privacy Breaches at:

Part 1: Reporting Privacy Breaches

Part 2: Assessing the Real Risk of Significant Harm (RROSH)

Part 3: Record Keeping for Privacy Breaches


2Ascribe Inc. is a medical transcription services agency located in Toronto, Ontario Canada, providing medical transcription services to physicians, clinics and other healthcare providers across Canada. Our medical transcriptionists take pride in the quality of your transcribed documents. WEBscribe is our client interface portal for document management. 2Ascribe continues to implement and develop technology to assist and improve the transcription process for physicians and other healthcare providers, and recently introduced AUTOfax. AUTOfax works within WEBscribe to automatically send faxes to referring physicians when a document is signed off by the healthcare professional. As a service to our clients and the healthcare industry, 2Ascribe offers articles of interest to physicians and other healthcare professionals, medical transcriptionists and office staff, as well as of general interest. Additional articles may be found at http://www.2ascribe.com.