Canadian Information and Privacy Regulators Urge Governments, Health Sector Institutions and Health Providers to Strengthen Safeguards for Sharing Personal Health Information
In a joint resolution released today, Canada’s federal, provincial, and territorial information and privacy commissioners and ombudspersons are calling for a concerted effort across the healthcare sector to modernize and strengthen privacy protections for sharing personal health information.
Because of the pandemic, the shift to virtual care came quickly, perhaps without enough time for a thorough examination of it; that shift in service model could adversely impact access and privacy rights. Despite advancements in the health sector, breaches continue to occur, and the use of outdated and vulnerable technologies, such as faxes and unencrypted email, impacts not only patient privacy but also the delivery of timely patient care.
This has spurred innovation and change in the delivery of services, including virtual health care visits and other forms of digital health communications.
Canada’s Information and Privacy Commissioners urge stakeholders to take the following action:
- Develop a strategic plan to phase out the use of traditional fax and unencrypted email and ensure that all digital health information sharing infrastructure, including solutions that replace traditional fax and unencrypted email, is equitably available and accessible to all Canadians.
- Promote the adoption of secure digital technologies and the implementation of responsible data governance frameworks. For health sector institutions and providers, this may include the adoption of standards developed by organizations such as ISO, NIST, or CIS that provide reasonable safeguards to protect personal health information.
- Amend laws and regulations, as necessary, to further provide for meaningful penalties, including administrative penalties, for health institutions and providers that willfully refuse to take reasonable measures necessary to protect personal health information as well as for individuals who unlawfully collect, use, or disclose personal health information.
- Seek guidance to understand how to evaluate new digital health solutions and assess their compatibility with other digital assets, compliance with health information privacy laws, and how they facilitate citizens’ rights to access their own records of personal health information.
- Promote transparency by completing privacy impact assessments and proactively publishing a plain-language summary in a manner that is easily accessible to the public.
- Use the procurement process to help ensure third-party compliance by establishing contractual requirements for vendors of health information software and services.
If you have any questions or would like to request an interview with the Commissioner, please email or call our office at the contact below.
To learn more, a copy of the joint resolution and these initiatives can be found here.
Julie Ursu, Manager of Communication