Managing a Privacy Breach

Background

Manuel, an occupational therapist in an outpatient clinic, has been working with a client named Daisy. As a part of his role, Manuel recommended some adaptive equipment and was helping Daisy apply for funding for the equipment. The funding organization required an electronic application form to be submitted by the occupational therapist to justify the client’s need for the item.

Manuel explained the application process to Daisy and obtained her consent to complete and submit the online form. As the form was lengthy and Manuel wanted to be efficient, he used the copy and paste function in the electronic record system to copy excerpts of the client’s information from the clinical record into the funding application. He then submitted the form through a secure online portal and kept a copy of the form in the clinical record.

Several weeks later, Manuel receives a call from the funding organization stating that there was personal health information related to another client on the form. He checks the copy in the clinical record and realizes that he has copied and pasted identifying information of another client into the form. The inadvertent disclosure of an individual’s personal information is a privacy breach.

Manuel is wondering what he should do. He contacts his manager and reviews the College’s guidance document on Privacy Legislation and Occupational Therapy Practice (coto.org).

Practice Questions and Discussion

Which privacy legislation applies?

  • Occupational therapists work under one of three privacy laws. In this case, the Personal Health Information Protection Act (PHIPA) applies.

What are the roles and responsibilities for the agent and the health information custodian?

  • PHIPA outlines the roles and responsibilities of the health information custodian (HIC) and the agent. Occupational therapists must determine which role they are in within the context of their work.
  • Agents are required to follow the HIC’s policies for preventing and managing privacy breaches. This includes policies on the storing and safeguarding of personal and personal health information and responding to privacy breaches.
  • Health information custodians are required to have policies and processes in place to prevent and manage privacy breaches. Their responsibilities include:
    • Notifying the client
    • Managing and containing the breach
    • Taking steps to prevent future privacy breaches
    • Reporting the breach to the Information and Privacy Commissioner of Ontario (IPC)

Does the privacy breach need to be reported to the College?

  • Privacy breaches only need to be reported to the College if the employer takes disciplinary action against the occupational therapist.

Outcome

  • In this case, the occupational therapist is the agent, and the clinic is the HIC.
  • As the agent, Manuel followed the policies of the clinic by immediately notifying his manager of the information privacy breach.
  • The manager engaged the organization’s privacy officer and followed their protocols to investigate and manage the breach.
  • The organization notified the individual whose personal health information was accidentally sent to the funding organization without authorization.
  • The individual was informed of the steps being taken to manage and contain the breach, as well as their right to file a complaint with the Information and Privacy Commissioner of Ontario (IPC) – for more information refer to the IPC’s PHIPA complaint process.
  • The organization reviewed their privacy policies and procedures, explored learning needs and opportunities for staff, and implemented additional safeguards in their electronic health records system. This included alerting staff to the potential risks associated with using the copy and paste function.
  • Manuel used this situation as an opportunity to improve his practice. To mitigate risks, Manuel has stopped using copy and paste between client files and has built in time to complete a thorough review of all documentation, ensuring it is correct before applying a signature and the occupational therapist designation.

Conclusion

Be aware when copying and pasting documents. With the growing use of electronic documentation systems, occupational therapists are reminded of their professional responsibility to protect client privacy and safeguard personal health information. Occupational therapists should be aware of any potential privacy pitfalls that they may encounter with their documentation processes or systems used. Occupational therapists should know and understand their responsibilities as either the health information custodian or the agent and be familiar with organizational procedures for responding to and managing a privacy breach. 

Resources 

For additional learning, watch the College’s presentation on Privacy Legislation and Occupational Therapy Practice.

Contact

If you have any questions about this case, or have any ideas or requests for future cases, contact the Practice Resource Service: 1-800-890-6570/416-214-1177 x240 or [email protected].
