On Sept. 15, 2016, the Information and Privacy Commissioner of Ontario (the IPC) released long awaited guidance on communicating personal health information (PHI) by email.
The fact sheet sets out a number of requirements the IPC expects health information custodians (custodians) to meet if they decide to use email to communicate PHI. These include:
- Email policy: Having a written policy on the communication of PHI by email.
- Notice and consent: Giving notice to patients of the custodian's email policy and obtaining their consent prior to the use of unencrypted email to communicate PHI.
- Training: Comprehensive and mandatory training of employees and agents in connection with the custodian's email policy.
- Email platform: Prohibiting the use of a personal email account to send or receive PHI.
- Encryption: The use of encrypted email, except in exceptional circumstances (see below for more).
- Retention and disposal of PHI: The secure maintenance and disposal of emails communicating PHI (see below for more).
- Breach protocol: Having a breach management protocol relating to emails communicating PHI.
It is important to note that patient consent is not sufficient: custodians have a duty to determine whether the use of email to communicate unencrypted PHI is appropriate in the circumstances and to limit the amount and type of PHI included in email.
Encryption
The IPC has been writing about encryption for some time. In 2007, in HO-004, the IPC remarked that "to the extent that personal health information on a mobile computing device has been encrypted to protect it from unauthorized access," the theft or loss of the device would not be considered a loss or theft of PHI. The IPC has since issued other orders in relation to encryption and a Fact Sheet in 2010 on the acceptable standard of encryption for the health care environment.
According to the Fact Sheet, the IPC expects that email communication of PHI among custodians "will be secured from unauthorized access by use of encryption, barring exceptional circumstances", for example, in an "emergency or other urgent circumstances".
Where feasible, custodians are advised they should use encrypted email for communications with patients. If encryption is not feasible, the IPC suggests that custodians should determine whether email communication is reasonable considering: (1) the degree of sensitivity of the information; (2) the volume and frequency of the emails; (3) the purpose of the transmission; (4) patient expectations; and (5) the availability of alternative methods of communication.
Retention and disposal of PHI
PHI should be stored on email servers only for as long as is necessary. It is up to each custodian to determine how long is necessary. For example, once an email has been documented in a patient's record, it may not be necessary to retain the email on the email server. The same goes for emails on a portable device.
The IPC has a fact sheet (2005) regarding the secure destruction of PHI. Secure destruction includes ensuring that PHI is disposed of in a permanent manner. If destruction is outsourced to a third party service provider, the IPC recommends using a provider accredited by an industrial trade association, such as the National Association for Information Destruction. It also describes provisions that should be part of the custodian's agreement with the service provider.
If you have any questions about the impact of the fact sheet on communicating PHI by email, please do not hesitate to contact us. We would be happy to assist in developing the policies and procedures referred to by the IPC.