{"id":2034,"date":"2024-06-09T18:20:00","date_gmt":"2024-06-09T22:20:00","guid":{"rendered":"https:\/\/live-coto.pantheonsite.io\/?post_type=resource&#038;p=2034"},"modified":"2025-01-16T11:54:45","modified_gmt":"2025-01-16T16:54:45","slug":"managing-a-privacy-breach","status":"publish","type":"resource","link":"https:\/\/www.coto.org\/resources\/managing-a-privacy-breach\/","title":{"rendered":"Managing a Privacy Breach"},"content":{"rendered":"\n\n<div class=\"content-section-block has-fade-in-up  align wp-block-acf-content-section\" id=\"section-background\">\n    <div class=\"section-header \">\n        <h2>Background<\/h2>\n            <\/div>\n\n    <div class=\"content-section\" aria-hidden=\"false\">\n        <div class=\"acf-innerblocks-container\">\n\n<p>Manuel, an occupational therapist in an outpatient clinic, has been working with a client named Daisy. As a part of his role, Manuel recommended some adaptive equipment and was helping Daisy apply for funding for the equipment. The funding organization required an electronic application form to be submitted by the occupational therapist to justify the client\u2019s need for the item.<\/p>\n\n\n\n<p>Manuel explained the application process to Daisy and obtained her consent to complete and submit the online form. As the form was lengthy and Manuel wanted to be efficient, he used the copy and paste function in the electronic record system and copied excerpts of the client\u2019s information from the clinical record to paste it into the funding application. He then submitted the form through a secure online portal and kept a copy of the form in the clinical record.<\/p>\n\n\n\n<p>Several weeks later, Manuel receives a call from the funding organization stating that there was personal health information related to another client on the form. He checks the copy in the clinical record and realizes that he has copied and pasted identifying information of another client into the form. 
The inadvertent disclosure of an individual\u2019s personal information is a privacy breach.<\/p>\n\n\n\n<p>Manuel is wondering what he should do. He contacts his manager and reviews the College\u2019s guidance document on&nbsp;<a href=\"https:\/\/www.coto.org\/standards-and-resources\/resources\/privacy-legislation-and-occupational-therapy-practice\" target=\"_blank\" rel=\"noreferrer noopener\">Privacy Legislation and Occupational Therapy Practice (coto.org)<\/a>.<\/p>\n\n<\/div>\n    <\/div>\n<\/div>\n\n\n\n<div class=\"content-section-block has-fade-in-up  align wp-block-acf-content-section\" id=\"section-practice-questions-and-discussion\">\n    <div class=\"section-header \">\n        <h2>Practice Questions and Discussion<\/h2>\n            <\/div>\n\n    <div class=\"content-section\" aria-hidden=\"false\">\n        <div class=\"acf-innerblocks-container\">\n\n<p><strong>Which privacy legislation applies?<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Occupational therapists work under one of three privacy laws. In this case, the Personal Health Information Protection Act (PHIPA) applies.<\/li>\n<\/ul>\n\n\n\n<p><strong>What are the roles and responsibilities for the agent and the health information custodian?<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>PHIPA outlines the roles and responsibilities of the health information custodian (HIC) and the agent. Occupational therapists must determine which role they are in within the context of their work.<\/li>\n\n\n\n<li><strong>Agents<\/strong>\u00a0are required to follow the HIC\u2019s policies for preventing and managing privacy breaches. This includes policies on the storing and safeguarding of personal and personal health information and responding to privacy breaches.<\/li>\n\n\n\n<li><strong>Health information custodians<\/strong>\u00a0are required to have policies and processes in place to prevent and manage privacy breaches. 
Their responsibilities include:\n<ul class=\"wp-block-list\">\n<li>Notifying the client<\/li>\n\n\n\n<li>Managing and containing the breach<\/li>\n\n\n\n<li>Taking steps to prevent future privacy breaches<\/li>\n\n\n\n<li>Reporting the breach to the Information and Privacy Commissioner of Ontario (IPC)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p><strong>Does the privacy breach need to be reported to the College?<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Privacy breaches only need to be reported to the College if there is disciplinary action taken against the occupational therapist (by the employer).<\/li>\n<\/ul>\n\n<\/div>\n    <\/div>\n<\/div>\n\n\n\n<div class=\"content-section-block has-fade-in-up  align wp-block-acf-content-section\" id=\"section-outcome\">\n    <div class=\"section-header \">\n        <h2>Outcome<\/h2>\n            <\/div>\n\n    <div class=\"content-section\" aria-hidden=\"false\">\n        <div class=\"acf-innerblocks-container\">\n\n<ul class=\"wp-block-list\">\n<li>In this case the occupational therapist is the agent, and the clinic is the HIC.<\/li>\n\n\n\n<li>As the agent, Manuel followed the policies of the clinic by immediately notifying his manager of the information privacy breach.<\/li>\n\n\n\n<li>The manager engaged the organization\u2019s privacy officer and followed their protocols to investigate and manage the breach.<\/li>\n\n\n\n<li>The organization notified the individual whose personal health information was accidentally sent to the funding organization without authorization.<\/li>\n\n\n\n<li>The individual was informed of the steps being taken to manage and contain the breach, as well as their right to file a complaint with the Information and Privacy Commissioner of Ontario (IPC) \u2013 for more information refer to the IPC\u2019s\u00a0<a href=\"https:\/\/www.ipc.on.ca\/en\/health-organizations\/phipa-complaint-process\/our-phipa-processes\" target=\"_blank\" rel=\"noreferrer noopener\">PHIPA complaint 
process<\/a>.<\/li>\n\n\n\n<li>The organization reviewed their privacy policies and procedures, explored learning needs and opportunities for staff, and implemented additional safeguards in their electronic health records system. This included alerting staff to the potential risks associated with using the copy and paste function.<\/li>\n\n\n\n<li>Manuel used this situation as an opportunity to improve his practice. To mitigate risks, Manuel has eliminated the use of copy and paste between client files and has built in time to complete a thorough review of all documentation, ensuring it is correct before applying a signature and the occupational therapist designation.<\/li>\n<\/ul>\n\n<\/div>\n    <\/div>\n<\/div>\n\n\n\n<div class=\"content-section-block has-fade-in-up  align wp-block-acf-content-section\" id=\"section-conclusion\">\n    <div class=\"section-header \">\n        <h2>Conclusion<\/h2>\n            <\/div>\n\n    <div class=\"content-section\" aria-hidden=\"false\">\n        <div class=\"acf-innerblocks-container\">\n\n<p>Be aware when copying and pasting documents. With the growing use of electronic documentation systems, occupational therapists are reminded of their professional responsibility to protect client privacy and safeguard personal health information. Occupational therapists should be aware of any potential privacy pitfalls that they may encounter with their documentation processes or systems used. 
Occupational therapists should know and understand their responsibilities as either the health information custodian or the agent and be familiar with organizational procedures for responding to and managing a privacy breach.\u00a0<\/p>\n\n<\/div>\n    <\/div>\n<\/div>\n\n\n\n<div class=\"content-section-block has-fade-in-up  align wp-block-acf-content-section\" id=\"section-resources\">\n    <div class=\"section-header \">\n        <h2>Resources<\/h2>\n            <\/div>\n\n    <div class=\"content-section\" aria-hidden=\"false\">\n        <div class=\"acf-innerblocks-container\">\n\n<p>For additional learning, watch the College\u2019s presentation on\u00a0<a href=\"https:\/\/www.youtube.com\/watch?v=63zHr5bMSBs\" target=\"_blank\" rel=\"noreferrer noopener\">Privacy Legislation and Occupational Therapy Practice<\/a>.<\/p>\n\n<\/div>\n    <\/div>\n<\/div>\n\n\n<h3 class=\"wp-block-heading\" id=\"contact\"><strong>Contact<\/strong><\/h3>\n\n\n\n<p>If you have any questions about this case, or have any ideas or requests for future cases, contact the Practice Resource Service: 1-800-890-6570\/416-214-1177 x240 or&nbsp;<a href=\"mailto:practice@coto.org\">practice@coto.org<\/a>.<\/p>\n\n\n\n<p>Want more case studies?&nbsp;<a href=\"http:\/\/bit.ly\/COTOsignup\" target=\"_blank\" rel=\"noreferrer noopener\">Sign up<\/a>&nbsp;to stay up to date and receive the latest cases when they\u2019re released.&nbsp;&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Contact If you have any questions about this case, or have any ideas or requests for future cases, contact the Practice Resource Service: 1-800-890-6570\/416-214-1177 x240 or&nbsp;practice@coto.org. 
Want more case studies?&nbsp;Sign up&nbsp;to stay up to date and receive the latest cases when they\u2019re released.&nbsp;&nbsp;<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"template":"","meta":{"_acf_changed":false,"advanced_seo_description":"Read our case study about managing a privacy breach as an occupational therapist.","jetpack_seo_html_title":"Managing a Privacy Breach","jetpack_seo_noindex":false,"footnotes":""},"resource-audience":[19,17],"resource-topic":[41,35],"resource-type":[6],"class_list":["post-2034","resource","type-resource","status-publish","hentry","resource-audience-employers","resource-audience-registrants","resource-topic-privacy","resource-topic-working-as-an-ot","resource-type-case-studies"],"acf":[],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.coto.org\/wp-json\/wp\/v2\/resource\/2034","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.coto.org\/wp-json\/wp\/v2\/resource"}],"about":[{"href":"https:\/\/www.coto.org\/wp-json\/wp\/v2\/types\/resource"}],"author":[{"embeddable":true,"href":"https:\/\/www.coto.org\/wp-json\/wp\/v2\/users\/1"}],"version-history":[{"count":3,"href":"https:\/\/www.coto.org\/wp-json\/wp\/v2\/resource\/2034\/revisions"}],"predecessor-version":[{"id":4270,"href":"https:\/\/www.coto.org\/wp-json\/wp\/v2\/resource\/2034\/revisions\/4270"}],"wp:attachment":[{"href":"https:\/\/www.coto.org\/wp-json\/wp\/v2\/media?parent=2034"}],"wp:term":[{"taxonomy":"resource-audience","embeddable":true,"href":"https:\/\/www.coto.org\/wp-json\/wp\/v2\/resource-audience?post=2034"},{"taxonomy":"resource-topic","embeddable":true,"href":"https:\/\/www.coto.org\/wp-json\/wp\/v2\/resource-topic?post=2034"},{"taxonomy":"resource-type","embeddable":true,"href":"https:\/\/www.coto.org\/wp-json\/wp\/v2\/resource-type?post=2034"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}