According to the Office of the Privacy Commissioner of Canada, data breach reports increased six-fold in the past year. To date, more than 28 million Canadians have been affected by a data breach. The pharmaceutical profession is not immune to this growing problem, which threatens patients’ trust in the health care system and exposes pharmacies to penalties and legal sanction. This article provides an overview of pharmacies’ legal obligations in retaining, disposing of and protecting an individual’s personal health information, and of the steps that must be taken in the event of a data breach.
The legal obligations of pharmacies and pharmacists are governed in part by the following. The Personal Health Information Act (Manitoba) (“PHIA”) regulates how pharmacies must handle the personal health information of their patients, including its collection, use, disclosure, retention and destruction. The College of Pharmacists of Manitoba (the “College”) provides pharmacies with additional and supplemental policies and practice directives that reflect the requirements of PHIA. The Pharmaceutical Act (Manitoba) (the “TPA”) governs the requirements that pharmacies must adhere to with respect to the confidentiality of their patients.
Personal health information is information that (a) is recorded in any form, including electronically or in writing; (b) can be linked to an identifiable person; and (c) relates to that person’s health, health history, genetic makeup, health care, payment for health care, or personal health identifying information collected in the course of providing health care.
Pharmacies and pharmacists, along with their employees, are designated by PHIA as trustees. As trustees, pharmacies are obligated to protect the privacy of their patients when handling their personal health information. A trustee may retain an information manager, provided the parties enter into a written agreement, to ensure personal health information is adequately protected.
Personal health information must be retained for at least five years in written form or electronically. However, the information must be stored such that only individuals who require the information have access to it.
While personal health information does not have to be stored in a pharmacy, it must be stored in a secure location that is satisfactory to the College. This means that:
- pharmacies must ensure the storage location is secure from unauthorized access, theft, use or loss;
- a personal residence cannot be used to store personal health information;
- it is advisable for pharmacies to seek approval from the College prior to moving personal health information to an off-site location; and
- pharmacies must retain a permanent record documenting any transfer of personal health information.
Trustees are responsible for adopting and maintaining reasonable administrative, technical and physical safeguards to ensure that personal health information and its storage location are secure from unauthorized access, in order to maintain the security, accuracy and integrity of the information. These measures include, without limitation, implementing controls to:
- limit access to and use of personal health information to only those individuals specifically authorized by the trustee to access and use that information;
- ensure that personal health information cannot be accessed unless the person seeking such access is authorized to access the information, the identity of the person has been identified and recorded, and the proposed use is permitted under PHIA; and
- prevent interception by unauthorized persons of personal health information transmitted or stored by electronic means.
The degree of sensitivity of the personal health information should be considered by the trustee when evaluating whether the safeguards are reasonable and adequate, or if further safeguards are required.
Trustees must establish and comply with a written policy in respect of the destruction of personal health information. This policy must comply with PHIA’s Personal Health Information Regulations, including requiring personal health information to be destroyed in a manner that ensures its confidentiality is preserved, such as using a shredder or a bonded PHIA-compliant record destruction company. While a pharmacy may delegate record destruction duties to a third party, as a trustee, a pharmacy or pharmacist cannot delegate their fiduciary duty to a third party. Pharmacies must ensure that any delegated third party disposes of the personal health information in a PHIA-compliant manner, including via use of appropriate contractual provisions. Pharmacies must maintain a permanent record documenting the destruction date and the prescription numbers of the destroyed records. If electronic records are destroyed, destruction must be done ensuring the information contained in those records cannot be reconstructed.
A data breach occurs where personal health information has been accessed, collected, used, disclosed or disposed of in an unauthorized way, or by an unauthorized person. An unintentional breach may occur if personal health information is stolen (e.g. a laptop on which information is stored is stolen), lost or misdirected. An intentional breach can occur if an employee or third party accesses personal health information without authority to do so.
PHIA compliance and data breaches are investigated, and may be enforced, by the Manitoba Ombudsman and, if necessary, the Information and Privacy Adjudicator (“Adjudicator”). The Ombudsman supervises compliance with PHIA generally and investigates complaints dealing with specific violations of PHIA. The results of the Ombudsman’s investigations may be provided to the College and/or, if an offence under PHIA is believed to have occurred, to Manitoba Justice for prosecution. The Ombudsman will release a report to the trustee of its findings and recommendations. If the trustee does not comply with those recommendations within 15 days, the Ombudsman may refer the complaint to the Adjudicator, pursuant to The Freedom of Information and Protection of Privacy Act (Manitoba). The Adjudicator must complete a review within 90 days unless otherwise extended. The Adjudicator’s order is final and binding unless judicial review is sought within 25 days.
If found guilty of an offence under PHIA, a pharmacy or pharmacist may receive a fine up to $50,000 and an additional fine may be imposed for each day the offence continues. However, if a pharmacy or pharmacist can establish they took reasonable steps to comply with PHIA’s requirements, they cannot be found guilty of an offence.
If a data breach occurs, the pharmacy must take measures to contain and remedy the breach as soon as reasonably possible. This includes ensuring the security of the remaining personal health information; notifying the affected individuals, the College, and the legal authorities if the breach is a result of criminal activity; and modifying security measures to prevent recurrence.
Not all breaches occur simply as a result of a pharmacy’s non-compliance with ethical and legal standards. In many cases the best intentions exist; however, a lack of adequate safeguards, or a motivated outside actor, may still result in a data breach. To protect your pharmacy from the consequences of non-compliance, including complaint, investigation, penalties and legal sanction, and to protect your patients from the harm that may result from a data breach, proper measures must be taken to ensure personal health information is kept secure and that legal and ethical obligations are complied with.
Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.
This article first appeared in Communication Journal, a publication of Pharmacists Manitoba.
Authors: Madison Sutherland, Maria Penner