Prosecutions Not Necessarily Best Means for Preventing Privacy Breaches

A recent Toronto Star article suggested that privacy violations were rife in Ontario's hospitals, and quoted Ontario's Acting Privacy Commissioner as calling for prosecutions to address hospital privacy breaches. But a review of the types of breaches hospitals experienced show that not all breaches were deliberate or intentional. Indeed, breaches included faxing medical records to the wrong care provider, and using patient information for research without obtaining necessary approval, and may have been due to confusion as to what steps were required in order to use records for the benefit of patients. To be sure, there were well-publicized examples of hospital employees accessing health records of celebrities, hospital staff giving patient information to baby photographers,  hospital staff selling personal health information records to companies selling RESPs, and the case of a technologist who accessed the records of her former spouse's current spouse, which resulted in an Order by the Information and Privacy Commissioner of Ontario. But all of these cases resulted in serious disciplinary action against the staff involved. While prosecution may be appropriate in some cases, it is not the only - or even the best - tool for prevention. Ongoing efforts to remind all staff of the importance of safeguarding personal health information records, and of their obligation to collect, used and disclose personal health information only with consent (or where required by law) may be more effective tools of prevention. Health Information Custodians should ensure they have sound privacy policies, regular audits and enforcement of compliance measures, and education and training of all staff. These measures can help prevent many breaches and foster a "culture of privacy".