Midwives, as health information custodians under the Personal Health Information Protection Act (PHIPA), are responsible for safeguarding personal health information (PHI). The electronic environment presents particular challenges to protecting PHI, which may be contained in EMRs, emails or text messages, electronic calendars, web intake forms, databases, etc. Here are some tips to consider:
- Avoid using public wi-fi (e.g., in coffee shops or libraries) when sending, receiving or accessing a client’s PHI, emailing about clients, or logging onto databases that contain PHI such as ClinicalConnect or OLIS. Other users of a public network can intercept or tamper with traffic on it, so these networks aren’t secure unless you first connect to a Virtual Private Network (VPN), which encrypts everything your device sends. If using OLIS or sharing data with another application, check out the HIROC Risk Note on Data Sharing Agreements.
- As much as possible, don’t store PHI on mobile devices. Client information is best stored in a secure database and accessed by logging into the system remotely over an encrypted connection, so that no copy remains on the device.
- Keep databases containing PHI behind a firewall, and limit access to only those who need it: each user should have their own password-protected account rather than a shared login, and access should be removed promptly when it is no longer needed.
- If it is necessary to store PHI on a mobile device (e.g., cell phone, USB key), ensure that the device is encrypted. A password alone does not protect the data on a lost or stolen device if its storage is not encrypted. All mobile devices should be protected by strong passwords; ideally they should also support being located and remotely “erased” should they get lost or stolen. The Information and Privacy Commissioner Factsheet on Encrypting Personal Health Information on Mobile Devices includes information on choosing strong passwords and on whole disk encryption. When a portable device is no longer in use, its memory should be securely wiped (simply deleting files is not enough) or the device should be completely destroyed.
- Avoid using a personal email account (e.g., Gmail, Hotmail, Rogers) to send client information. If the practice sends client information by email, consider adopting a secure email service such as eHealth Ontario’s ONEMail. Some private internet service providers also offer a secure email service for a fee.
- The CMO statement on Midwives Using Electronic Communications suggests that a practice adopt a protocol for electronic communication with clients and engage in an informed choice discussion about the risks and benefits of communicating electronically, including considering written consent, before the practice begins communicating electronically with clients.
- Even if a client consents to sharing their PHI over email, midwives still have a responsibility to share the least amount of PHI required. See this Fact Sheet on Communicating Personal Health Information by Email. If sending information over email, don’t forget about Canada’s Anti-Spam Legislation.
- If the practice group uses an online intake form that clients fill out from its website, check that it is served over a secure connection (the address begins with https://, not http://, and the browser shows a lock), so that what the client types is encrypted in transit. Keep in mind that HTTPS protects the form only while it is being submitted; also confirm where the submitted responses are stored and who can access them.
- If the practice sends out client satisfaction surveys electronically, make sure they are hosted on a server the practice controls or on a service that meets Ontario privacy requirements. For example, Survey Monkey saves users’ IP addresses on its servers in the U.S. and does not meet privacy requirements for the transmission of PHI.
- Secure storage of equipment and documents is important. If there may have been a breach (e.g., loss or theft of an unlocked device containing PHI, access to a clinic computer or database by an unauthorized person, or access by an authorized person to PHI they were not authorized to see), contact the AOM On-Call for support, as midwives may have disclosure or reporting obligations. As of 2018, ALL incidents where PHI was compromised must be reported to the IPC as part of the annual reporting process.
- Consider securing insurance for cyber losses.
- Take reasonable steps to ensure complete destruction of personal health information on electronic devices (e.g., computers, phones, drives) when they are disposed of; deleting files or reformatting a drive does not remove the data, so use secure wiping or physical destruction.
Webinars: Privacy Concerns and Solutions for Hard Copy and Paper Users and Protecting Client Privacy in the Electronic Environment - coming soon to our online store!