Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, recently ordered Cancer Care Ontario (CCO) to discontinue its practice of transferring Screening Reports containing personal health information to physicians in paper format.
Order HO-011 was issued following a privacy breach involving the personal health information of over 7,000 Ontarians relating to a CCO screening program. In June 2011, CCO advised the Commissioner’s office that it could not confirm delivery of a number of Screening Reports from its ColonCancerCheck program. The reports were sent to physicians across Ontario in February and March 2011, via Canada Post’s “Xpresspost” courier service.
“Following a thorough investigation, I ordered CCO to discontinue the practice of sending personal health information to physicians in paper format,” said Commissioner Cavoukian. “CCO should not have used a courier service to send paper-based records, which could easily be read on face value, when other viable, more secure and privacy protective options were available.”
“This Order highlights the fact that organizations need to carefully evaluate the available options for maintaining the security and confidentiality of records of personal health information. This evaluation must include a review of the technological solutions that are available for these purposes. In many cases, the use of technology to ensure the secure transfer of health information is not only a feasible option, but a necessary one.”
Days prior to the release of this Order, CCO advised the Commissioner that it had accepted the Commissioner’s position on not sending health records out in paper format, and had decided to develop its own web portal for the next delivery of Screening Reports.
While the Commissioner is pleased that CCO is prepared to consider a secure option for the delivery of Screening Reports, Order HO-011 requires CCO to report back to the IPC on the security and privacy protective measures of its proposed web portal, and compare them to the measures already built into the existing OntarioMD web portal.
As well, to ensure that future privacy breaches are properly handled, CCO has been ordered to review its “Privacy Breach Management Procedure” and related policies, and to conduct additional training – with proof of compliance to the IPC no later than January 13, 2012.