Audit and Monitoring Guidelines for Trustees

Introduction

Auditing practices are necessary to safeguard personal health information (PHI). Section 16 of The Health Information Protection Act (HIPA) requires trustees to put administrative, technical and physical safeguards in place to protect PHI against theft, loss and unauthorized access to, or use, disclosure or modification of, the information. As such, it is mandatory for trustees to monitor the access of this information by staff within their organization. The purpose of these guidelines is to assist trustees of personal health information in establishing a proactive audit and monitoring program.

As part of its mandate, the office of the Saskatchewan Information and Privacy Commissioner (IPC) undertakes breach of privacy investigations. All too often, after conducting an investigation, it is determined that the breach resulted from employee snooping. In the course of each investigation, the IPC will ask whether or not the trustee does routine or proactive auditing. Surprisingly, the answer is usually no. A number of reasons are given as to why this is the case, including not knowing what to audit and when.

Though these guidelines focus on the ‘how to’ of auditing, trustees should also prepare for how to handle requests from patients for copies of user logs/records of user activity. For instance, will the print-outs include the specific name of the health care professional that accessed the patient’s personal health information? We recommend that you do. Although the information on the print-out relates to an identifiable individual, it would not be considered personal information of the health care professional, as it is about the job, not the person in his or her personal capacity. Providing access to these types of print-outs will also help trustees to meet their obligations under HIPA to inform patients of disclosures that have occurred without consent (see section 10).

As well, once the patient receives a copy of the print-out, the name may help the individual to determine whether or not the particular data transaction associated with that health care professional is legitimate. A number of complaints have been reported to the IPC as a result of patient scrutiny of such reports. In addition to releasing names, after an internal privacy breach investigation, the trustee should develop a position as to whether or not to inform any affected individuals of any employee discipline resulting from snooping. In terms of authority to disclose this type of information, the Commissioner has a blog and an investigation report that speak to the specifics. Those are found at:

Snooping: When will people Learn?
Investigation Report 100-2015
