The Office of the Information and Privacy Commissioner (IPC) of Ontario developed new guidance for health-care custodians who provide virtual care. The guide — Privacy and Security Considerations for Virtual Health Care Visits — makes it clear that Ontario’s health privacy law, the Personal Health Information Protection Act (PHIPA), applies to virtual care as it does to in-person care.
While there are many advantages to providing virtual care, it also raises unique privacy and security concerns because it depends on technologies, communication infrastructures and remote environments.
“Virtual health care raises new kinds of cybersecurity risks that are not as prevalent in the analog world,” wrote Commissioner Patricia Kosseim in a blog about the new guidance.
In this guide, IPC recalls some of the key requirements in PHIPA relevant to all custodians, including those who operate in a virtual health care context. IPC then provides some practical steps custodians should take to protect personal health information, particularly as they plan and deliver virtual health care.
We will provide more detailed information in upcoming issues of eDialogue about the guidance, but the following is some information about the technical, physical and administrative safeguards needed to protect personal health information.
Technical Safeguards:
- Use only organization-approved email, messaging or videoconferencing accounts, software and related equipment;
- Use firewalls and protections against software threats;
- Regularly update applications with the latest security and anti-virus software;
- Encrypt data on all mobile and portable storage devices, both in transit and at rest;
- Maintain, monitor and review audit logs;
- Use and maintain strong passwords;
- Review and adjust settings to the most privacy protective setting; and
- Verify and authenticate a patient’s identity before engaging in an email exchange, chat or videoconference.
Physical Safeguards:
- Keep all technology containing personal health information, such as desktop computers and servers, in a secure location;
- Keep portable devices containing personal health information, such as smartphones, tablets and laptops, in a secure location, such as a locked drawer or cabinet, when they are unattended;
- Restrict office access, use alarm systems and lock rooms where equipment used to send, receive or store personal health information is kept;
- Do not lend technology containing personal health information to anyone without authorization;
- Ensure there are no unauthorized persons in attendance or within hearing or viewing distance; and
- Physically segregate and restrict access to servers to authorized persons only.
Administrative Safeguards:
- Ensure employees and other agents are properly trained to use secure email, messaging and videoconferencing platforms;
- Adopt a robust system of access controls and regularly maintain authorizations on a need-to-know basis;
- Ensure employees and other agents are aware of their ongoing obligation to avoid collecting, using or disclosing more personal health information than is necessary; and
- Ensure confidentiality agreements contain explicit provisions dealing with employees’ and other agents’ obligations when using secure email, messaging or videoconferencing to deliver virtual health care.
Safeguarding against privacy and security risks in virtual care is an ongoing obligation. Custodians should continue to monitor for and address cybersecurity threats. For example:
- Update software regularly;
- Provide ongoing security training to employees and other agents to support the detection of phishing attempts; and
- Conduct regular threat risk assessments.
