PRIVACYWith Advancement

in Technology and the Introduction of Social Media

Marc Bouchard

CIO/CPO

HRPA North Bay ChapterNovember 16, 2010

Agenda• Who I Am

• IT & Privacy

• Evolution of Privacy

• PHIPA

• Privacy Trap

• Privacy and Social Media

• What You Can Do To Protect Your Organization

• Review Some Cases

Who I Am• CIO / CPO for NBGH and NEMHC• CIO/ CPO for SAH• MOHLTC/MCSS/MCYS• Chair of NEODIN (60 hospitals)

– Privacy

• Chair of CIMS (90 agencies)• Privacy from Health Perspectives• NE LHIN Security• Information Sharing Agreement

IT & Privacy

Technology has made it easier to share information.

The need for Privacy has never been greater:

•increasing electronic exchange of information

•increased use of technology & portable devices

•evolution of Social Media

•increased sensitivity around Privacy

Evolution of Privacy

• Rules about Privacy have been around for a long time

• Professional College – (i.e. Physician, nurse, etc. had rules)

• Not always well enforced – no one's to job to enforce/interpret– rules not always very specific

• With technology advancements

• Greater expectation around privacy

Ontario Privacy Legislation

Privacy

Health

Information

Protection

Act

PHIPA

• In Health Care this led to the introduction of the “Personal Health Information Protection Act” (PHIPA)

• PHIPA came into effect November 2004

• Continue to evolve as precedents are established

• Still very young legislation

• Must show reasonable effort

• Must show due diligence

The 10 Principles of Fair Information Practices

• Accountability • Identifying purposes • Consent• Limiting Collection• Limiting Use,

Disclosures & Retention

• Accuracy• Openness• Individual Access• Safeguards• Challenging

Compliance

Requirements of PHIPA• Requires consent for the collection, use and

disclosure of Personal Health Information (PHI) with limited exceptions

• KEPT confidential AND secure

• A statement of our practices must be made available to the public

• NBGH/NEMHC must establish clear rules for the use and disclosure of PHI for secondary purposes

Requirements of PHIPA

• Take reasonable steps to ensure accuracy and security of PHI

• Establish remedies for breaches

• Must have a contact person to ensure compliance with PHIPA e.g.. Chief Information Officer & Chief Privacy Officer

• Must notify Chief Privacy Officer when there has been or suspected breach- initiate investigation

Requirements of PHIPA

Patients have a right to…• access their own PHI

• request correction of their own PHI

• instruct the NBGH not to share any part of their PHI with other health care providers

• complain to the IPC about NBGH practices pertaining to PHI

Consent

Implied Consentpermits you to conclude from surrounding circumstances that a patient would reasonably agree to the collection, use or disclosure of the patient’s PHI. Required inside health care context

Express Consent patients explicitly agree to the collection,

use and disclosure of their PHI– Required outside health care context

Consent

Consent is implied for information sharing within the “Circle of Care” on a need to know basis

Circle of Care

• Health care providers that provide direct patient care

• Other providers who do not work at NBGH and health care institutions to whom a patient may be transferred to

The patient has the right to withdraw consent for information sharing at any time

“Privacy Trap”

• Most breaches committed by someone with good intention

• Having access does not give you the right

• Cannot make assumptions

• Often individual does not realize they are doing anything wrong

• Prevent with education

Social Media

Social Media

Web Technologies

+

User Generated Content

+

Social Interactions

=

Social Media

Social Media

Social Media (Some Numbers)

• More video is uploaded to Youtube.com in 60 days than all 3 major US networks created in 60 years

• More than 500 million active users on Facebook.com

• 28,751,709,706 Tweets and counting

• Mode of communication for new generation

Social Media (The Mobile Connection)

• Location based social applications

• Status updates and more status updates

• Always connected

Social Media (Risk)

Everybody brings their own expertise (and risk biases)

•Privacy and Security: confidentiality risks

•Public Affairs: reputation risks

•Human Resources: business and human safety risks

•Legal: defamation, intellectual property risks

•IT: availability risks

Social Media (Risk)

• When presenting risks, always provide a recommended course of action

• Without a recommendation, management is just as inclined to think of reasons the risk doesn’t apply to them as they are to think ways of actually addressing the risk

Social Media (Bad News)

Social media tends to amplify security risks!

Social Media (Good News)

You’re likely already dealing with these risks today, in some manner

Social Media (Security Risk)

1. Intentional / accidental exposure of confidential information

2. Introduction of viruses and malware into the corporate network

3. Exposure of corporate user credentials on external web sites

Social Media (Security Risk)

Best Method to Improve Security

Get Rid of Your Users?

Social Medial (Security Risk)

• Technology can’t solve your security problems

• Most risks are introduced by people due to:– poor practices– lack of knowledge– poor judgment– making assumptions

• Good technical controls are also required

Social Medial (2 Approaches)

• Allow Social Media (work with)– this approach is growing– some required for work– way of communication for younger

generation– provide guidelines

• Social Medial not allowed– corporate equipment is for work only– not allowed during work hours

What You Can Do To Protect Your Organization

• Good user practices– training and awareness– enough to be able to say “should have known”– set reasonable expectation

• Processes– incident response– system review and assessment– Privacy Impact Assessment (PIA)– Threat Risk Assessment (TRA)

What You Can Do To Protect Your Organization

• Good Policies– Acceptable Use Policies (eg. cell phone cameras)– Confidentiality Agreement– Privacy Policies– Portable Device Policies

• Due Diligence• Audits + Disclosure (phone, e-mail, etc…)• Technical Controls

– anti-malware suite, patching, web filtering / DLP / IPS

Let’s Review Cases

1. Sending information by fax vs. email

2. Occupational Health – employee wants access to own record

3. Discussing case with colleague via Facebook

4. Accessing family/friend/colleague's medical information

References• Presentation “Managing Risk to Enable Social

Media Use in Health Care” by Lyndon Dubeau, Cancer Care Ontario

• Presentation “Protecting PHI on Mobile and Portable Devices” by Fred Carter, Information & Privacy Commissioner of Ontario

• Personal Health Information Protection Act: The Role of the IPC, Ann Cavoukian, Information and Privacy Commissioner of Ontario