RQRHA did not adequately protect health information

[Erica Absetz <eabsetz () opensecurityfoundation org>]

http://www.leaderpost.com/health/RQRHA+adequately+protect+health+information/8066232/story.html

The Regina Qu'Appelle Regional Health Authority (RQRHA) failed to
follow provisions of the Health Information Protection Act (HIPA) in a
2010 privacy breach, according to Saskatchewan's Information and
Privacy Commissioner.

Gary Dickson's office began an investigation into the Regina breach
after 15 addressograph cards - blue cards attached to patients' charts
when they go to a hospital for tests or admissions - were found on the
ground near two facilities belonging to a document destruction company
on May 20, 2010.

The cards contained personal information of patients who had been
treated at the Pasqua and Regina General hospitals.

The privacy breach occurred when an employee of a document destruction
company was transferring the cards in a container with a lid between
two facilities. The container's lid was not secured and the cards flew
out. They were discovered two days later by a member of the public.

Although the company lost the cards, the RQRHA is responsible for the loss.

Each card had information that included the patient's name, date of
birth, hospital services number and address.

According to the commissioner's report, the RQRHA did not adequately
safeguard the personal health information.

Dickson recommended the health region conduct regular audits to ensure
that document destruction employees agree in writing to protect the
confidentiality and security of personal information.

The health region responded that it met with representatives and was
assured that practice was in place. The RQRHA informed the privacy
commissioner's office that it would not conduct audits on a regular
and ongoing basis, but has since reversed its decision.

However, Brent Kitchen, the region's director of risk management and
privacy officer, said the company responsible for destroying the blue
cards quit moving the cards between the two facilities after the
privacy breach. Therefore the RQRHA didn't feel there was a need to
monitor the new process.

The commissioner recommended the RQRHA immediately develop procedures
pertaining to the destruction of the blue cards. The region responded
that it would draft a procedure ready for internal review by March 31.

"That delay is unreasonable," Dickson wrote.

Kitchen said the region has been conducting a comprehensive review of
the destruction of all personal health information, not just the blue
cards.

"Soon after the event, we did send out internal instructions to all of
our staff on how to handle addressograph cards to make sure they are
destroyed appropriately," he said. "Technically, it wasn't called a
procedure, but it was instructions to staff on how to destroy and
handle this type of information."

In a letter dated Aug. 10, 2011, the privacy commissioner requested a
copy of the contract between the RQRHA and the document destruction
company. The region provided a copy of the contract with its letter
dated Nov. 3, 2011.

"We would have liked to have received that sooner," said Diane
Aldridge, director of compliance with the privacy commissioner's
office.

Kirchen said the Regina Qu'Appelle Health Region takes privacy issues seriously.

He said the region immediately investigated the privacy breach when it
became aware of it, voluntarily notified the commissioner's office and
provided Dickson with its investigation results. In addition, it
notified all clients of the breach.

Kitchen believes sufficient safeguards are in place to protect patient
information and work is underway to strengthen those procedures.

"We're confident that we won't see a recurrence of that type of
event," he said. "It is a learning opportunity so that's why we're
looking at not just the addressograph cards to be fixed, but the
destruction of personal documents in general."

The RQHR has 30 days to respond to the report that was formally issued
last week and released to the media on Thursday.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 

Tenable Network Security (http://www.tenable.com/)
Tenable Network Security provides a suite of solutions which unify real-time
vulnerability, event and compliance monitoring into a single, role-based, interface
for administrators, auditors and risk managers to evaluate, communicate and
report needed information for effective decision making and systems management.