“You’re going to need a bigger boat…”: Protecting Your Community Practice from Cyber Threats 

By Patricia Borja, Legal Intern, OntarioMD


Canadian health care institutions are attractive targets for cyber attackers. Large volumes of sensitive information, together with clinicians' reliance on networked systems to deliver care, give attackers both a motive and an attack surface to exploit. Recent attacks against hospitals and provincial networks have drawn wide attention.  

Smaller clinics and community care providers are equally vulnerable to cyber threats. For busy, independent practices, keeping up with privacy and security requirements can be daunting. OntarioMD (OMD) and other health care leaders are steadily working to make privacy and security compliance easier to manage. Meanwhile, it remains critical for YOU to understand your obligations and to ensure that appropriate policies and procedures are in place.  

The Clinical Privacy Officer 

Every medical practice, clinic, or institution must appoint a Privacy Officer. This person is responsible for implementing a privacy program and maintaining compliance with privacy law and regulations. The scope of the role may include: 

  • establishing privacy policies and procedures; 
  • monitoring compliance controls; 
  • overseeing privacy impact assessments; 
  • administering or facilitating annual privacy training. 

Protecting Your Clinic from Cyber Attacks 

Clinicians share the obligation to protect patients’ privacy with allied health professionals and office staff. Some practical tips that small practices should consider to protect the privacy and security of patient data include: 

  • establishing a written privacy policy (as required under applicable laws and professional regulations) 
  • installing security software on your clinic devices (e.g., anti-virus or anti-malware software) and training staff to keep these programs, along with the operating system and clinical applications, up to date (enable automatic updates where available), which adds a further layer of protection against cyber attackers 
  • ensuring that colleagues and staff are adequately trained on privacy policies and procedures and are alert to common cyber threats (e.g., phishing scams) 
  • making sure that staff understand and can apply common consent requirements for the collection, use, and disclosure of PHI (personal health information); for example, explicit, informed consent is required before disclosing an individual's PHI to family members 
  • reminding staff that they may only access patient records for authorized purposes, chiefly the direct provision of health care services (no snooping!)  

Virtual care is now an established part of clinical practice. Throughout 2022, regulatory authorities have introduced new guidance for virtual care and the digital health tools that enable it. In our upcoming OMD Educates session, Year in Review: New Developments in Privacy, Cybersecurity, and Virtual Care, OntarioMD's General Counsel and Chief Privacy Officer will give an overview of these developments and offer practical recommendations for the delivery of virtual care.

For more information on improving your clinic's privacy and security preparedness, see OMD's Online Privacy & Security Training Module, available to all clinicians and their staff. This module is an education tool that offers instruction on how to protect patient and practice information. 

Find out more about OMD’s many digital health resources, products and knowledge at OntarioMD.ca. For questions and support with your EMR, or to get connected to digital health tools for your practice, contact support@ontariomd.com.  

This post is not intended to provide legal advice or opinions of any kind and may not be used for professional or commercial purposes. 
