Canada has several laws in place to protect individuals’ private information, including personal health data. When a person’s privacy is breached, organizations, including hospitals and other health facilities, such as doctors’ offices, should immediately take steps to respond quickly and responsibly. And in order to prevent such breaches, proper policies, procedures and personnel training should be in place.
We have previously written about the importance of having a Privacy Breach Protocol and the necessary elements of same. These elements (which include: identification, internal reporting, containment, notification, investigation, and remediation) remain necessary.
We have also written about the importance of training, audits and other preventative measures. Not every breach can be prevented, particularly those caused by an intentional disregard for policies and procedures for ulterior motives. However, a recent case underscores that health information custodians (HICs: health professionals, providers, and others who collect, use or disclose personal health information for the provision of care to patients) will be held responsible for such breaches, particularly where all reasonable steps were not taken to detect and prevent them.
In one recent incident, it was discovered that employees at a hospital disclosed the personal health information of mothers who had recently given birth for the purposes of selling or marketing Registered Education Savings Plans (RESPs).
The Investigations and Findings:
The privacy breach came to light in 2013, when a woman received a phone call from a sales representative of an RESP company. The woman, who had given birth approximately two months earlier, was told that her information had been obtained from the hospital at which she gave birth. The woman filed a complaint with the Office of the Information and Privacy Commissioner of Ontario (the “IPC”), which found that the hospital’s employees had inappropriately accessed personal information belonging to maternity patients and then sold that information to an RESP sales representative for the purpose of marketing RESPs to new mothers. Within a span of a year, a second similar breach occurred at the same hospital. The IPC conducted an investigation under Ontario’s Personal Health Information Protection Act, 2004 (“PHIPA”).
As a consequence of the breaches, the hospital notified more than 14,000 current and former patients. The hospital also investigated and discovered that the audit functionality of its electronic information system was limited, and undertook to address this shortcoming. Audits are important because they can be used to deter and detect collections, uses and disclosures of personal health information that contravene PHIPA (in other words, inappropriate “snooping”). The IPC found that the hospital’s failure to implement full audit functionality meant that it did not comply with PHIPA.
Through the investigation, the IPC also found that the hospital’s privacy policies, procedures and practices, as well as its privacy training and awareness programs, were insufficient.
The IPC issued an Order to the hospital requiring it to, among other things, improve its audit system, and revise and improve its privacy policies, procedures, and training.
The hospital initially appealed the Order to the Divisional Court; however, it withdrew its appeal when the IPC and the hospital agreed on a plan of compliance. The plan includes the hospital purchasing agreed-upon software that performs logging and auditing functions on systems that contain personal health data.
This case sends a clear message that employers will be held liable for the actions of their “rogue” staff members. Personal health information must be protected. HICs must have policies and procedures in place at their facilities, and regular privacy training should be provided to all administrative staff. If a breach occurs, custodians should seek legal advice and be ready to quickly address any deficiencies.