BC’s privacy commissioner calls for big penalties

VICTORIA – Just after Island Health announced it was notifying 196 patients that their health records were breached by two non-clinical support staff, B.C.’s privacy commissioner urged the B.C. government to strengthen its privacy laws and impose fines of up to $50,000 for healthcare workers found snooping.

“It’s a significant issue of public trust when one or more individuals access electronic health records without authorization,” B.C. privacy commissioner Elizabeth Denham (pictured) told the Times Colonist newspaper, adding that the province’s privacy laws are outdated when it comes to protecting electronic health records.

In 10 provinces and territories – Quebec and Nunavut are the other exceptions – the unauthorized collection or use of personal information, snooping, is an offence.

“The public needs to be assured that the staff will take their confidential requirements seriously and that there will be serious sanctions and penalties when they fail to do so,” Denham said.

B.C. Health Minister Terry Lake said in a statement that patients should expect their privacy to be protected when they access healthcare services. “I am concerned to learn of this breach and the ministry is following up with Island Health to understand why and what specific measures they are going to put in place to prevent more incidents,” Lake said.

“I am confident that in this case, Island Health is taking the appropriate steps to ensure patient privacy is protected.”

Denham applauded Island Health for its proactive auditing. The privacy breaches, found to go back at least 16 months, were discovered by Island Health in early April as part of a routine audit that looks for suspicious patterns.

The Island Health employees’ access privileges were immediately revoked and Denham was notified. Once the breaches were confirmed, the employees were fired.

Last month, the special committee reviewing B.C.’s privacy act wrapped up, endorsing Denham’s recommendation in November to strengthen the province’s privacy laws by making snooping an offence with a corresponding penalty.

“When staff abuse their access privileges, it’s a serious matter – whether it’s just for curiosity to see what VIPs might be in care, or whether it’s intentional and malicious and for their own purposes,” Denham said.

The Finance Ministry, responsible for the Freedom of Information and Protection of Privacy Act, said all suggested proposals for recommended changes to the act are given careful consideration. “Government continuously appraises suggestions for improvements, and appropriate amendments will be brought forward at the next possible opportunity,” said Jamie Edwardson, Finance Ministry spokesman.

Most British Columbians would be surprised to know that while it is an offence to disclose personal information in an unauthorized manner, it is not an offence to improperly access or use personal information, Denham said.

“B.C. is falling behind other jurisdictions on this issue – not only do other jurisdictions have relevant offences and penalties in place, but prosecutions have begun,” Denham said.

Ontario started prosecuting people in 2013 when a nurse at North Bay Regional Health Centre was charged with wilfully collecting, using or disclosing the health information of patients in 48 instances in a manner not authorized by Ontario’s Personal Health Information Protection Act, said the privacy commissioner.

More recently, the Toronto Star reported that three hospital workers in Ontario were prosecuted for snooping into the health information of late Toronto mayor Rob Ford.

Saskatchewan recently made it an offence for healthcare workers to snoop at someone’s personal records when they don’t need the information. Saskatchewan reacted after thousands of medical records were discovered in a Regina dumpster in 2012.