Many legal changes are taking place that directly affect Ontario healthcare organizations. The Ontario government has recently introduced a new framework that changes the reporting requirements for those working in the healthcare field.
While these changes are being enacted in Canada, shifts in U.S. legislation are threatening the privacy of Canadian medical patients. These changes are important to note for all healthcare organizations. Here is what you need to know to better understand your organization’s data and how it must be kept safe.
Voice is Now Part of Collected Data
Voice over Internet Protocol (VoIP) continues to be an instrumental technology for hospitals, elder care facilities and medical clinics. VoIP is quickly replacing legacy circuit-switched systems at the heart of the Public Switched Telephone System (PSTN). For healthcare organizations, it is essential to understand how this technology works and how voice is now part of collected data.
VoIP telephony converts analog voice calls into packets of data. These packets may travel over the Internet the way that other forms of data do. Voicemails and call recordings are stored similarly to email messages. In hosted and cloud VoIP systems, they are sent to data centres. When voice becomes data, it automatically becomes confidential and in need of protection.
Interpreting the New Data Laws
The Ontario government introduced the Personal Health Information Protection Act (PHIPA) in 2004. This legislation remained unchanged until 2016 when the government passed Bill 119. This bill made significant changes to the duties of Health Information Custodians.
Health Information Custodians (HICs) are responsible for the collection, use and disclosure of personal health information. HICs refer to both individual practitioners such as doctors and organizations such as hospitals. Agents of HICs are employees of medical clinics and hospitals. HICs, Agents of HICs, Members of the Board, Privacy Officers, Directors of Care, Directors of Nursing and Healthcare Management staff maintain their own responsibilities when it comes to confidential patient information. Privacy breaches can result in a substantial reputational risk for individuals and organizations, regulatory investigations and an arduous litigation process.
PHIPA enforces rules for consent, confidentiality and accountability for personal health information. Previously it was stated that privacy breaches were only reported to Information and Privacy Commissioner of Ontario (IPC) if they resulted in unlawful disclosure. Under Bill 119, HICs will be asked to submit annual reports detailing any theft, loss or unauthorized use of information if the incident meets specified criteria.
A revision to the initial wording in Section 12 of PHIPA now defines the “use” of personal health records as “to view, handle or otherwise deal with the information”. Therefore, viewing personal information with the intention of snooping is now considered a breach.
There is a conflict between the amendments to PHIPA, the U.S. Patriot Act and the CLOUD Act that was recently passed by President Donald Trump. The CLOUD Act grants the American government more access to the private information of its people.
If your hosted VOIP provider stores data in the United States, the data stored falls under this prying law. This causes considerable compliance and privacy risks for Canadian healthcare organizations and is extremely concerning for those surrendering their vulnerable information in trust.
3 Critical Questions for Cloud Storage and Hosted VoIP Providers That Every Canadian Health Organization Should Be Asking
Your patients’ privacy could be at risk. However, you can prevent a devastating breach by asking the right questions.
- Where is the data centre located? Where is my data stored? Where are the provider’s backups stored?
These are the most imperative questions that should be posed to a provider. You are completely protected from external legislation if all of your voice data is being stored within Canada and your provider is Canadian. To be protected from U.S. law, these two factors must be present. When these factors are not present, HICs may be in violation of section 12 of PHIPA.
If your provider is American and is storing some data on Canadian soil, that data is not safe. This is a tactic used by larger companies that is confusing to those unfamiliar with the legal tenets. It does not matter if the data is Canadian and being housed in Canada – the fact that the company is American contravenes Canadian policies.>/p>
It is also common for Canadian-based providers to store data outside of our borders. When this prevalent practice occurs – it does not matter if both the information and the business are Canadian – they become subjected to invasive laws.
Bottom line: Confirm that your provider or potential provider is 100% Canadian and 100% of your data is kept within Canada.
- Who has access to my data?
One of the many benefits of cloud storage is its convenient accessibility. That being said, knowing exactly who is authorized to access your data is fundamental in order to keep it secure.
Work with your provider to develop an Access Control Policy that pertains to your organization. Ask questions about adding authorized users and user authentication. Ask the provider who is in charge of administrating the system and is responsible for addressing issues. If using a database that is shared with several partner institutions, verify that other cloud clients cannot access your stored information.
It should be clear who has access on both your end and the provider’s end. Take as much time as you need to fully understand these concepts and don’t be afraid to request clarification.
Bottom line: Confirm who within your organization has authorized access to data and how users are managed.
- Is the provider SOC 2 certified?
Service Organization Control 2 or “SOC 2” compliance is another important factor for mitigating risk. A third party that sets out to hold providers accountable to industry standards is responsible for successfully auditing and categorizing them as SOC 2 compliant. The yearly audit looks at areas of both physical and logical security, confidentially, processing integrity and privacy. Healthcare organizations should specifically inquire if their service providers data centres are SOC 2 Type 2. Unlike Type 1 audits that assess security at a single point in time, Type 2 audits are conducted on a routine basis to analyze how the provider performed over an entire year. Type 2 delivers more clear, conclusive insights. SOC 2 compliance is a standard requirement for most businesses when choosing a provider.
Bottom line: Confirm that your Canadian provider is SOC 2 Type 2 compliant and is committed to protecting your organization.
These laws generated by the U.S. government pressure Canadian health organizations to take action to protect their clients. If you aren’t feeling confident about your current situation and wish to better understand how these changes directly affect you, please contact our experts!