TORONTO, August 6, 2010 /Canada NewsWire/ - Ontario's Information and Privacy Commissioner, Dr. Ann Cavoukian, is urging key players in the province's health sector to join her in a multi-level education campaign aimed at preventing the far-too-frequent disclosure of unencrypted personal health information through the loss or theft of portable electronic devices such as laptops and USB keys.
This announcement comes on the heels of yet another USB key containing the unencrypted, identifiable personal health information of more than 750 patients being lost through the theft of a purse.
"These privacy breaches - which in recent years have included the loss or theft of the unencrypted personal health information of more than 100,000 patients - can and must be stopped," said the Commissioner. "Portable devices should never be loaded with unencrypted personal information. Either encrypt the information, or remove all personal identifiers from the information before loading it onto a portable device."
"Despite my issuing three health Orders and other publications addressing this issue, it is still happening. The message is obviously not getting through to all levels," said the Commissioner. "We have had cases where employees were not aware of a "must encrypt" policy."
Commissioner Cavoukian is sending letters out to all regulatory health colleges and professional associations in Ontario, stressing the need for a new awareness campaign - which she is calling Think before you Copy - and offering the assistance of her office in developing educational initiatives. The College of Nurses of Ontario has already contacted the Commissioner's office, after she publicly cited her concerns Wednesday, offering to explore how to incorporate the information into its ongoing education for its members.
"I applaud the College of Nurses for being proactive and I look forward to working with them," said Commissioner Cavoukian.
While several of the recent breaches have involved hospital staff, many different sections of the health sector have encountered problems, said the Commissioner.
"It is essential," she added, "that all health-care practitioners, their staff and other agents ask themselves one key question before copying any health information to a mobile device. Is it necessary to store personal health information on this device? If the answer is yes, then they must either encrypt the information or effectively de-identify the information by removing all personal identifiers. It's that simple. We are reaching out to the Colleges and associations for their assistance in getting this message out to the entire health sector."
Among the initial ammunition the Commissioner is considering for the Think before you Copy campaign, are:
- generating case studies or practical examples applicable to staff in the various health sectors;
- creating pertinent posters;
- producing stickers for mobile devices with a message reminding health staff to STOP, THINK, ENCRYPT;
- distributing existing guidelines as well as producing short, pertinent articles for college/association newsletters.
The Commissioner stressed that she is also looking for input from colleges and associations.
An awareness campaign and firm action are needed, said the Commissioner. She praised Dr. Bob Bell, president and CEO of the University Health Network, for his commitment to encryption to protect the personal health information of the patients of UHN's three hospitals. Bell explained this week that the hospital group "is putting USB keys across the organization that are encrypted. We told all our staff they must put patient information on an encrypted device if they need to put it on a device at all."
Commissioner Cavoukian is encouraging all health colleges and associations to contact her office "to determine how we may work together in helping you create education programs for health-care practitioners, their employees and other agents on how to minimize the threat to privacy posed by mobile devices."
The Information and Privacy Commissioner is appointed by and reports to the Ontario Legislative Assembly, and is independent of the government of the day. The Commissioner's mandate includes overseeing the access and privacy provisions of the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act, as well as the Personal Health Information Protection Act, which applies to both public and private sector health information custodians, in addition to educating the public about access and privacy issues.