Recent case highlights need for careful management of privacy breach

It’s important for privacy officers and all health information custodians to obtain legal advice and to tread carefully when dealing with privacy breaches or investigations, says Toronto health lawyer Lonny Rosen.

“Mistakes will occur. Dealing with mistakes in a forthright and responsible manner will mitigate the harm caused by those mistakes,” he tells AdvocateDaily.com. “Any behaviour that suggests any type of coverup or denial of responsibility, or an attempt to avoid accountability could really exacerbate the harm caused by the mistake.”

“Health information custodians and privacy officers should obtain legal advice as early as possible when managing a privacy breach, particularly when dealing with the privacy commissioner’s office.”

Rosen, partner at Rosen Sunshine LLP, says recent news coverage around a Trillium Health Centre privacy analyst, who is being investigated by Ontario’s privacy commissioner and his own hospital over allegations that he tried to block a probe into a privacy breach, is a reminder about the responsibilities of health information custodians and the importance of handling mistakes around privacy properly. “Even if a case seems straightforward, the reality is that an outside advisor, such as a lawyer, can provide perspective and can assist in managing the breach and dealing with third parties, which can help in mitigating the harm done," he says. The probe involving Trillium Health Centre goes back to a privacy breach that occurred when the health facility mistakenly mailed a patient record on two separate occasions to a wellness clinic in Halton Region, reports the Toronto Star.

The clinic’s office manager, who opened both letters, has alleged that a Trillium Health Centre privacy analyst “later accused her of beginning a time-consuming complaint to the privacy commissioner and told her to withdraw the complaint because he ‘has more important things to do,’” says the newspaper. Ontario's Information and Privacy Office and Trillium Health Centre have confirmed the privacy breach and told the newspaper they are both looking into the allegations, says the article.

Without commenting on the specifics of this matter, Rosen says it’s important to emphasize that the manner in which privacy officers and health information custodians deal with mistakes around privacy issues will often determine the consequences of those errors.

“And this applies to all health information custodians – not just hospitals, but health professionals and clinics, providers of mental health services and operators of long-term care homes,” he says.