Wait! Protect that phi in your waiting room!

April 9, 2018 - Melanie Coyle, Analyst and Deepa Pawar, Early Resolution Officer

I think everyone has had the following experience. You’ve been sitting in your physician’s waiting room for 20 minutes. You’ve checked all of the social media apps on your smartphone twice and none of the magazines on the table have attracted your attention. So you sit there quietly observing the sights and sounds around you. Everyone else in the waiting room has also reached the same point of boredom. All is quiet except for that one adorable toddler jabbering on his mother’s lap. And then you hear the receptionist on the phone, loud and clear: “Hello, radiology clinic? This is Dr. X’s office. I need to book a pelvic ultrasound… Smith, Jane… HSN 123 456 789”. You think to yourself, “good for Jane, whoever she is! She’s a glowing expectant mother.” Then you hear the receptionist again: “date of birth… April 2, 1937”. Ok, maybe she’s not expecting.

The point is, the receptionist has disclosed Jane’s personal health information to everyone in the waiting room. A trustee has a responsibility under section 16 of The Health Information Protection Act (HIPA) to protect personal health information from unauthorized disclosures such as this. Unauthorized disclosures are breaches of privacy.

The truth is, there are many hazards in the waiting rooms and office spaces of trustees (physicians, dentists, physical therapists, psychologists, etc.). These can result in unauthorized disclosures of personal health information. Examples of unauthorized disclosures include:

  • faxes that are left on the fax machine behind the receptionist;
  • test results sitting in the clear mailbox outside of exam room 2 that can be seen by the patient being led to exam room 3;
  • the discussion with the receptionist as she weighs the patient in the hallway! (Eeeek!)

Here are some tips on how to safeguard your waiting rooms and office areas.

Paper Records

It is important not to have personal health information out in the open where patients, and others without a need-to-know, can see it. This is especially true if these records are left unattended. For example, receptionists often lay out the files of patients in the order that they are to be seen that day. Even just having the patient names on the files on display discloses that the individual is a patient of the trustee and is seeking medical care on that day. This is personal health information. Further, a receptionist might escort a patient into the room and place his/her file in a clear mailbox outside of the room. Test results may also be placed outside of the file to flag their importance to the physician. If anyone can read this information when they pass by, it is a breach of privacy. The trustee should find alternative ways to store this information.

Consider these physical safeguards:

  • Flip files over on the desk so no personal information shows. Never leave these unattended.
  • Store files and personal health information in rooms only accessible to those with a need-to-know. The receptionist or health care professional can pick it up there.
  • Store personal health information in locked cabinets when not in use.
  • Observe a clean desk policy. This is where personal health information is securely stored unless someone is actively working on it.
  • Keep printed personal health information off the fax machine or have the fax machine in a secure area. For more information see our resource Checklist for Trustees: Misdirected Faxes.
  • Make sure that exam/treatment rooms are clear of personal health information before a new patient is invited in.
  • Shred any discarded personal health information (do not leave it in the trash).

Electronic Records

With the advent of the electronic health record and the systems that support it, the use of paper in trustee offices is less common. Therefore, it is important to have safeguards in place to protect personal health information on computers or other electronic devices.

  • Face computer screens away from those without a need-to-know.
  • Place privacy screens on computer monitors to obstruct the view of others.
  • Healthcare providers should ALWAYS log out of their accounts when stepping away from the computer/device. (We can’t stress this enough!)
  • An extra safeguard is configuring the system to automatically log a user off after several minutes of inactivity.

Verbal Disclosure of Personal Health Information

HIPA doesn’t just apply to personal health information in recorded form; it also applies to personal health information that is shared orally. If individuals without a need-to-know overhear healthcare providers discussing the personal health information of identifiable individuals, this constitutes an unauthorized disclosure of personal health information. This can easily occur in waiting rooms and common areas of trustee offices.

Trustees should ask these questions about their own clinics:

  • Can seated patients in the waiting area hear other patients as they check in with the receptionist?
  • Can seated patients in the waiting area hear the receptionist on the telephone?
  • Can seated patients in the waiting area hear conversations that occur behind the reception desk?
  • Can seated patients in exam rooms overhear any conversations in the clinic?

The following are some safeguards to protect information discussed orally:

  • Enclose the reception desk with soundproof material/sliding window.
  • Have a sign and policy discouraging individuals from standing near the reception desk.
  • Create a barrier line on the floor around the receptionist’s desk.
  • Keep the waiting area away from the reception desk.
  • Make phone calls about patients in a separate, secure room.
  • Discuss personal health information with patients in a separate, secure room (this includes weighing patients, asking if they require a gown, etc.).
  • Refer to patients by their initials if it is clear who is being discussed and no other identifiers are discussed.
  • Call patients to exam rooms by first name only.
  • Play music or a television to help drive focus away from the reception desk.
  • Install acoustic ceilings and carpeting that can help with muffling noise.
  • Consider self check-in kiosks so that the receptionist is free to work in a separate room.

Finally, subsection 9(3) of HIPA requires that trustees have policies and procedures to promote patient/client awareness of their privacy rights described in HIPA: their right to access personal health information, their right to request an amendment, and their right to request a review of a decision by the Commissioner. Some professional bodies and associations have template posters and pamphlets to assist in achieving this requirement.

Here is some additional reading about safeguards in waiting rooms:

Investigation Report 225-2016

Investigation Report H-2013-003

With some minor changes to policies, procedures and practices, trustees can better protect personal health information in their offices.
