B.C.’s Information and Privacy Commissioner has found medical clinics need to do more to protect highly sensitive information.
The audit, released on Wednesday, looked at how 22 B.C. medical clinics were meeting legal obligations on how to collect, use, and disclose personal information.
The review found gaps in the management programs at several clinics, including a lack of funding and resources for privacy, and a failure to ensure that privacy practices keep up with technological advances.
“Medical clinics were chosen for this review for two reasons: the amount and sensitivity of the personal information they collect – some of the most sensitive personal information out there – and the volume of complaints and privacy breach reports my office receives that are related to privacy practices at facilities like these,” Privacy and Information Commissioner Michael McEvoy said.
“The results show that while some clinics were complying with their obligations, many have work to do when it comes to improving their privacy practices.”
The report gives 16 recommendations, which include ensuring adequate funding for privacy management programs and maintaining an inventory of the types and sensitivity of personal information.
McEvoy is also recommending ongoing privacy training for those who access personal information, including staff, physicians and contractors, and exercising caution when collecting information online.
“There is no question about the intense demands medical professionals face. However, respecting and protecting patients’ private information is critically important,” McEvoy said.
“Doctors and staff at clinics not only owe it to their patients to do their utmost to build and maintain strong privacy programs, but they are also legally obligated to abide by privacy legislation.”
The report looks at both good and bad privacy practices at medical clinics. The Information and Privacy Commissioner found some clinics are collecting sensitive personal information online and recommends that clinics provide patients with unique and secure login information for booking appointments online.
“Medical clinics collect, use, and disclose vast amounts of people’s most sensitive personal information. While new technologies allow for improved handling, storage, retention and disclosure of such information, they also create greater potential risk given the volume and sensitivity of the information,” the report reads.
“It is therefore imperative that medical clinics work to protect the personal information in their custody or under their control.”
The report points out that data breaches can have huge impacts on the individuals whose data has been publicly released.
“Accidental disclosures by email, sensitive information kept in and stolen from doctors’ vehicles, and compromised computer systems are a few of the more common manifestations of privacy violations experienced at medical clinics throughout this province,” reads the report.
“The harms caused by these breaches can be very serious, leaving victims vulnerable to everything from damaged relationships to humiliation, financial loss and more. Increased effort and attention to privacy practices within clinics is needed to establish and maintain trust in physicians, medical clinic staff, and the medical system in general.”