Few provinces report health data breaches

TORONTO – Four provinces still have no mandatory reporting to privacy commissions when there are serious breaches of patient health information, according to the Toronto Star, which contacted all healthcare jurisdictions across Canada.

Each of the provinces – Ontario, British Columbia, Saskatchewan and Manitoba – is currently considering the issue but has no well-defined strategy in place.

The Star found that eight jurisdictions have passed legislation, or have legislation in progress, to force hospitals to report breaches to the relevant privacy body.

According to the Toronto Star survey, the jurisdictions that have mandatory breach notification laws are:
• Newfoundland and Labrador on serious breaches
• New Brunswick on all health breaches
• Nunavut on serious breaches
• Nova Scotia on minor breaches

Jurisdictions with legislation changes in progress:
• Prince Edward Island
• Alberta
• Northwest Territories
• Yukon

Jurisdictions that have formally requested law changes:
• Quebec

Jurisdictions with no mandatory reporting:
• Ontario: Held discussions with the Ministry of Health on privacy legislation
• British Columbia: “Carefully considering” calling for mandatory reporting
• Saskatchewan: Will lobby government for mandatory reporting this year
• Manitoba: Will raise mandatory reporting in a statutory review this year

Ontario, which has the largest population in the country, has no plans for such a legislative change. A province that was once a leader in health information privacy laws is now trailing as other provinces move to stricter reporting.

A recent Star investigation found hundreds of serious health-related privacy breaches were going unreported to Ontario’s privacy commission because a legislative oversight allows hospitals to handle such violations internally.

When the Star notified Brian Beamish (pictured), the province’s acting information and privacy commissioner, of some of the unreported breaches, he said he would like to see legislative change to force Ontario hospitals to report serious violations to his office.

Beamish told the Star that he discussed amending health privacy laws with senior Health Ministry staff recently. “The government knows how we feel and are well aware of our position. We have been very clear on that,” he said. “We think we should come up to the level of other jurisdictions on this particular issue.”

Privacy commissioners from across the country told the Star they have seen a worrying increase in healthcare professionals snooping into private medical records with wilful, malicious intent. This trend, they said, highlights the importance of the recent legislative changes.

One case in Alberta involved a female office clerk who was looking into the records of the wife of the man with whom she was having an affair – the wife was also a cancer patient.

In another incident, a pharmacist in a dispute with fellow congregants at her church opened their medical records to pull information about their birth control prescriptions and posted it on Facebook.

A recent high-profile Ontario privacy breach involved an anti-abortion activist who pried into more than 400 abortion patient files.

Health Minister Dr. Eric Hoskins said in a written statement to the Star that he recently met with Beamish to work on strengthening the province’s patient privacy protections. He did not provide further details and would not respond to questions about why Ontario had fallen behind other jurisdictions on the issue.

Back in 2004, the province brought into force one of the country’s first health information privacy laws: the Personal Health Information Protection Act (PHIPA). Under PHIPA, hospitals can investigate privacy breaches, notify affected patients and sack staff members without alerting the commission.

Many provinces modelled their health privacy laws on PHIPA, but there has been a move in other provinces to update such legislation, and Ontario is now lagging rather than leading.

Edward Ring, privacy commissioner for Newfoundland and Labrador, said his province largely copied PHIPA when it came up with its own legislation but added one adjustment: mandatory reporting of health-related breaches to the privacy office.

“We viewed that as an important improvement,” Ring said.

Each jurisdiction in Canada has its own health privacy legislation and those that have enforced mandatory reporting have different thresholds for notifying the privacy commissioner.

Nova Scotia’s legislation says the privacy review officer must be notified of breaches only when the affected patients are not informed. Usually these incidents are minor, such as a misdirected fax message.

However, in New Brunswick, the privacy office is notified of every single health-related privacy breach, said privacy portfolio officer Lucrece Nussbaum.

She pointed to a recent spike in cases in which physicians inappropriately access information out of curiosity or for malicious reasons. One instance involved a doctor who snooped into 141 women’s medical records, including gynecology reports.

Brian Hamilton, Alberta’s privacy spokesman, said medical records are about as sensitive as it gets, and as patient files are rapidly uploaded into the online world, the potential for privacy violations increases, making this legislative change even more critical.

Hamilton, the director of compliance and special investigations at the Information and Privacy Commission of Alberta, said people could be hurt or humiliated if someone pried into their health records.

A new legislative change in Alberta, set to come into force this spring, will make it obligatory for hospitals to notify the privacy commission of serious health-related breaches.

Hamilton viewed this legislation change as a huge improvement to the current system, citing a rising number of cases in which doctors had been caught snooping into the records of new lovers or ex-partners.

“A number of the breaches we often see relate to relationships, custody disputes or personal disputes,” he said.

Alberta currently receives about 60 notifications of health-related privacy breaches every year. With the new legislation in place, Hamilton estimates they will receive thousands.

Mandatory reporting will “put some power back into the hands of citizens,” he said.

Saskatchewan Privacy Commissioner Ron Kruzeniski has only been in the role for six months and has already flagged this issue as a shortcoming in the provincial legislation.

Hospitals should not be able to quietly cover up privacy breaches and deal with them internally. “They should be reported to an independent body to prevent it happening again,” he said.

Written by Editor

1 Comment responses

  1. March 20, 2015

    How about with respect to Data Breaches within Medical Clinics? Specifically: I know of a few in-town with less-than-adequate technical infrastructures, which can easily be penetrated. If I were to approach those firms, offer a security assessment outlining their shortcomings, would they then be considered breached upon display of their faults?
