Tougher penalties needed for privacy breaches
November 5, 2014
TORONTO – More than 400 health-related privacy violation complaints were lodged with the Ontario Information and Privacy Commission in 2012, and then again in 2013. However, because Ontario hospitals are not legally obliged to notify authorities, thousands of violations could be going unreported every year, Ontario’s acting privacy commissioner, Brian Beamish, told the Toronto Star.
Hospital workers in Toronto have been disciplined, and some fired, for taking photos of patients without their consent, losing health records or inappropriately prying into a patient’s file when they are not involved in their care.
Earlier this year, several Ontario hospitals were embarrassed to find that patients’ records were being given to baby photographers and product marketers.
Beamish is calling for these serious breaches to result in prosecutions under the Personal Health Information Protection Act (PHIPA) – legislation that has resulted in only one prosecution in the past 10 years.
“People know generally they shouldn’t be doing this. They need to know they will be found out and that there will be consequences,” he said.
Recently, two hospitals admitted staff members inappropriately accessed former mayor Rob Ford’s medical records.
According to the Toronto Star, the University Health Network (UHN), which is responsible for four major hospitals in Toronto, started capturing privacy data through the middle of the 2012/13 financial year. Since then, it has logged 258 privacy incidents, which include:
- Taking photographs of a patient without consent.
- Using patient information for research without consent or hospital approval.
- Faxing medical records to the wrong care provider.
- Accessing medical records without being involved in the patient’s care.
- Storing unencrypted patient information on personal laptops.
These willful breaches of hospital policies and medical codes of conduct have resulted in staff members being disciplined, suspended without pay and some sacked, UHN spokeswoman Gillian Howard told the Star.
Since Ford’s cancer diagnosis, both Mount Sinai and Humber River hospitals have admitted that staff members snooped into his medical files. Mount Sinai has reported about 20 privacy breaches every year since 2010.
All health professionals use personal and traceable log-in pass codes that leave an electronic fingerprint on every record they access, hospital spokeswoman Sally Szuster said.
The hospital performs regular audits to monitor unauthorized access of medical files, and it ramps up the auditing process when high-profile patients such as Ford are admitted.
When an audit raises a red flag, it is immediately investigated, Szuster said.
“Upon confirmation of a breach, as per our code of conduct and privacy policies, disciplinary action is taken, up to and including termination.”
This type of privacy breach is “as serious as you can get – it’s horrific,” Beamish said of the Ford incidents.
Health professionals “knew they didn’t have the right to look and that there was a chance they would be found out – but they still went ahead and did it,” he said.
Health-related privacy violations are governed under the PHIPA, which allows for fining individuals up to $50,000 and institutions up to $250,000 if found guilty.
Only one prosecution has been lodged so far under the act, which was introduced in 2004, Beamish said. This violation occurred in North Bay, where medical staff are alleged to have inappropriately accessed medical records.