Duo convicted for snooping into Rob Ford’s files

Brian-BeamishTwo health workers who snooped into late mayor Rob Ford’s electronic health records have become the first in Ontario to be convicted under the province’s health privacy law. Mohammad Rahman and Debbie Davison both pleaded guilty under the Personal Health Information Protection Act (PHIPA) to “willfully collecting, using or disclosing personal health information,” while working at the University Health Network (UHN) Princess Margaret Cancer Centre in January 2015. Each was fined $2,505.

There is no evidence they used the information for anything or shared it with anyone. But under the act, looking at even a single healthcare record of a patient not under one’s care is a crime.

Their convictions come as changes to Ontario’s health privacy act, passed in the legislature, make it easier to prosecute these types of cases and mandatory for hospitals to report privacy breaches to the information and privacy commissioner.

UHN spokesperson Gillian Howard said she could not discuss the individuals in question due to privacy concerns.

It’s not clear whether the two are still employed at Princess Margaret or faced internal discipline after the privacy breach, which took place as Ford was being treated for cancer.

Ann Cavoukian, executive director of the Privacy and Big Data Institute at Ryerson University, called the two convictions “long overdue,” and said the ruling will act as a warning to other health-care workers.

“They broke the law. If there aren’t consequences, then what’s to prevent others from doing it?” she said. People may think looking at private records is “just snooping” and “no big deal,” she added.

She said she hopes the high-profile nature of the case does not send a message that “we only explore these matters legally when it involves VIPs, or high-profile individuals. Everyone’s privacy matters.”

The bill amending PHIPA makes reporting breaches to the information commissioner and regulatory colleges mandatory, increases the range of fines and scraps the six-month time limit for beginning a prosecution.

Other healthcare workers whose professional regulatory body found they had committed professional misconduct by snooping into hundreds and even thousands of patient files have not been convicted under the act.

So far there have been four completed prosecutions under PHIPA, including the two that resulted in convictions and one that was withdrawn, according to an emailed statement by the Ministry of Health and Long-Term Care.

The other was North Bay nurse Melissa McLellan, the first person ever charged under the act. Her charges were stayed by a judge in January 2015, effectively dismissing the case, but she was found to have committed professional misconduct by the College of Nurses of Ontario after snooping into nearly 6,000 patient files.

The College of Nurses of Ontario’s disciplinary panel also recently found registered nurse Mandy Edgerton had committed professional misconduct by looking at nearly 300 patient records at a Peterborough hospital over two years. Edgerton was not charged.

In an interview, Information and Privacy Commissioner Brian Beamish (pictured) said snooping is a persistent issue, but changes to the act should be a “significant step” towards prosecuting the most serious cases.

“The electronic files can contain really sensitive information, and I know the people that have had this happen, many of them feel very violated by it,” he said, speaking generally.

“It’s not always just a stranger who’s looking in these files; it could be a neighbour, it could be an ex. It could be someone who knows who you are and is looking at your health records.”

Source: The Toronto Star