Guidance on the Use of Email for Communicating Sensitive Information

Late last week, the Information and Privacy Commissioner of Ontario (Ontario IPC) published guidelines they have been consulting on and refining for many months. The factsheet on Communicating Personal Health Information by Email provides invaluable advice to any organization that communicates sensitive personal information via e-mail.

Addressing E-mail Risks

After acknowledging the risks associated with email in general, such as inadvertently sending an email to the wrong individual or the risk of interception by an unauthorized third party, the factsheet presents technical, physical and administrative safeguards that should be applied to email communications involving health (or for that matter any sensitive) information. Technical safeguards include encryption and anti-malware scanners and physical safeguards include securing mobile devices when they are left unattended. But the most important list of safeguards in my view is the one that covers administrative safeguards. Here we find day-to-day practices that can reduce the risks associated with email. They include restricting access to email content on a need-to-know basis; communicating by email from professional rather than personal accounts; and providing instructions to follow if an email is received in error. Many of the administrative safeguards require behavioral changes – employees need to think about the records they are creating with email and where they could potentially end up.

The factsheet goes on to stress the importance of encryption but also provides considerations for determining whether it is reasonable to communicate with a patient via unencrypted email, such as volume and frequency, the sensitivity of the content, the purpose of the transmission and the expectations of patients. This guidance can likewise apply to relationships where other types of sensitive content are communicated electronically, such as financial information.

Privacy and Data Security Best Practices

Privacy and security governance topics are then addressed in the factsheet as they relate to email use, such as the need for an email policy, notice and consent options, secure retention and disposal of personal health information contained in email messages, training on acceptable use of email so practices are consistent and risk is minimized, and privacy breach management.

This useful factsheet concludes by emphasizing the peace of mind that reliance on encryption and employee reporting can bring: “The IPC does not consider the loss or theft of an electronic device containing encrypted personal health information to be a privacy breach. However, whether or not the information is encrypted, custodians should require their [employees and other] agents to report any such loss or theft. This will enable custodians to determine, on a case-by-case basis, whether the information was properly encrypted.”

For assistance with your e-mail policy, staff training, or to discuss the tips offered in the IPC’s factsheet, contact PRIVATECH.