Privacy & security

Cancer agency ordered to stop sending paper records

TORONTO – Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian (pictured), has ordered Cancer Care Ontario (CCO) to discontinue its practice of transferring Screening Reports containing personal health information to physicians in paper format.

Order HO-011 was issued following a privacy breach involving the personal health information of over 7,000 Ontarians relating to a CCO screening program.

In June 2011, CCO advised the Commissioner’s office that it could not confirm delivery of a number of Screening Reports from its ColonCancerCheck program. The reports were sent to physicians across Ontario in February and March 2011, via Canada Post’s Xpresspost courier service.

“Following a thorough investigation, I ordered CCO to discontinue the practice of sending personal health information to physicians in paper format,” said Commissioner Cavoukian. “CCO should not have used a courier service to send paper-based records, which could easily be read on face value, when other viable, more secure and privacy protective options were available.”

“This Order highlights the fact that organizations need to carefully evaluate the available options for maintaining the security and confidentiality of records of personal health information. This evaluation must include a review of the technological solutions that are available for these purposes. In many cases, the use of technology to ensure the secure transfer of health information is not only a feasible option, but a necessary one.”

Days prior to the release of this Order, CCO advised the Commissioner that it had accepted the Commissioner’s position on not sending health records out in paper format, and had decided to develop its own web portal for the next delivery of Screening Reports.

“While I am pleased that CCO is prepared to consider a secure option for the delivery of Screening Reports, Order HO-011 requires CCO to report back to my office on the security and privacy protective measures of its proposed web portal, and compare them to the measures already built into the existing OntarioMD web portal,” said the Commissioner.

As well, to ensure that future privacy breaches are properly handled, CCO has been ordered to review its Privacy Breach Management Procedure and related policies, and to conduct additional training – with proof of compliance to the IPC no later than January 13, 2012.

For a copy of the Order, visit www.ipc.on.ca.

About the IPC
The Information and Privacy Commissioner is appointed by and reports to the Ontario Legislative Assembly, and is independent of the government of the day. The Commissioner's mandate includes overseeing the access and privacy provisions of the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act, as well as the Personal Health Information Protection Act, which applies to both public and private sector health information custodians.

Posted October 20, 2011