Saturday, March 10, 2007

Hospitals must encrypt patient data on portable devices

The Information and Privacy Commissioner of Ontario yesterday released order HO-004 under the Personal Health Information Protection Act following the theft of a laptop containing confidential personal health information on 2,900 patients at the Sick Kids hospital in Toronto.

The order requires the hospital

  • to develop or revise and implement policies and procedures to ensure that records of personal health information are safeguarded;
  • to develop a corporate policy that prohibits the removal of identifiable personal health information from the premises. If identifiable personal health information must be removed in electronic form, it must be encrypted;
  • to develop an encryption policy for mobile computing devices, a policy relating to the use of virtual private networks, a privacy breach policy, and to educate staff regarding the policies and how to secure the information contained on mobile computing devices.

While the order directly relates to a hospital, it would apply to all health information custodians in the province of Ontario and will likely serve as guidance to all health care providers in the country.

For more info, see - News - Sick Kids ordered to encrypt all electronic patient files.
