Training, Culture of Privacy May Have Prevented Recent Breaches
Last month marked the tenth anniversary of the enactment of the Personal Health Information Protection Act, 2004 (PHIPA), but a recent spate of privacy breaches in hospitals makes one wonder whether those in the healthcare field are truly aware of their obligations under this legislation a decade later.
In addition to several cases of hospital staff accessing the records of high profile individuals, there have been a number of recent cases in which patient privacy was breached repeatedly.
One such breach occurred at Rouge Valley Hospital. It involved a hospital clerk who used birthing mothers’ hospital records to sell securities. The hospital clerk is accused of accessing new mothers' hospital records in order to create lists of potential investors, and providing such lists to RESP dealers. The Ontario Securities Commission has alleged that the clerk received payment for this information, without informing the hospital or the patients. She faces a fine and even jail time. The Information and Privacy Commissioner of Ontario is also investigating this case.
Under PHIPA, the wilful collection, use or disclosure of personal health information contrary to the provisions of PHIPA (i.e. without consent or authority to do so) is an offence. If convicted, the clerk could face a fine of up to $50,000. It is noteworthy that Acting Privacy Commissioner Brian Beamish recently suggested that there should be stiffer penalties for health professionals who break patient confidentiality.
Another recent case involved a patient who killed himself at Brampton Civic Hospital. It was reported that 12 individual staff members of the hospital accessed the patient's record 15 times, despite the fact that they were neither authorized to do so nor involved in his care. According to an article in The Toronto Star, the patient was under suicide watch at the time of his death.
Each of these hospitals, as health information custodians, had an obligation under PHIPA to take steps that were "reasonable in the circumstances" to ensure that personal health information in the custodian's custody or control was protected against theft, loss and unauthorized use or disclosure. While it was perhaps reasonable that the hospitals permitted all staff to access all records (i.e. without limiting staff access to the records relating to patients assigned to them), it is unknown what other steps the hospitals took to comply with their obligations under PHIPA. Arguably, these would have included having an effective privacy policy in place, ensuring compliance with it through audits and other measures, and ensuring that all staff received appropriate training with respect to their privacy practices.
These two recent cases were quite different, in that in the first case personal health information records were accessed by a clerk for personal gain, while the staff members' access to records in the second case was likely attributable to curiosity. However, both of these privacy breaches may have been avoided if the hospitals had provided all staff members with education and training, and had instilled a "culture of privacy". Such training and education would have reminded all staff members of their obligations as agents of the hospital at which they worked. In a culture of privacy, staff members would be aware:
of the hospital's obligations to safeguard patients' confidentiality;
of their role in safeguarding patient privacy;
that unless they were involved in a patient's care, they had no right to access his or her records;
of the consequences of a breach of privacy;
that their access to patient records will be monitored through auditing; and
that they will be held to account if they access the records of patients in whose care they are not involved.
Developing a culture of privacy in an institution can help prevent privacy breaches, for in such an environment staff members are encouraged to identify and call out unsafe privacy practices by colleagues. Even if a staff member acts intentionally, a breach can be detected more quickly through a robust system of auditing access to records.
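As an added illustration of the kind of access audit described above (this is not code from the original article or from any hospital system), the following Python flags accesses to a patient's record by staff who are not on that patient's care team, the pattern reported in the Brampton case. The audit log lines, staff ids and care-team roster are constructed for the example.

```python
# Added example: flag record accesses by staff outside the patient's care team.
# Log lines, staff ids and the care-team roster below are constructed, not real.
from collections import Counter, defaultdict

# Constructed EHR audit log: timestamp, staff id, patient id, action
AUDIT_LOG = """\
2014-11-03T08:15:02 nurse01 P1001 VIEW
2014-11-03T08:20:44 clerk07 P1001 VIEW
2014-11-03T09:02:10 nurse01 P1001 UPDATE
2014-11-03T09:30:00 tech12 P1001 VIEW
2014-11-03T10:11:37 clerk07 P1001 VIEW
2014-11-03T11:00:05 dr02 P1002 VIEW
2014-11-03T11:45:51 clerk07 P1002 VIEW
"""

# Constructed roster: patient id -> staff ids involved in that patient's care
CARE_TEAM = {
    "P1001": {"nurse01", "dr02"},
    "P1002": {"dr02", "nurse03"},
}


def parse_log(text):
    """Parse whitespace-separated audit lines into (ts, staff, patient, action)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, staff, patient, action = line.split()
        events.append((ts, staff, patient, action))
    return events


def unauthorized_accesses(events, care_team):
    """Return {patient: Counter(staff -> access count)} for every access made by
    a staff member who is not on that patient's care team (one count per access)."""
    flagged = defaultdict(Counter)
    for _ts, staff, patient, _action in events:
        if staff not in care_team.get(patient, set()):
            flagged[patient][staff] += 1
    return dict(flagged)


def summarize(flagged):
    """Per patient: (distinct non-care-team staff, total such accesses)."""
    return {p: (len(c), sum(c.values())) for p, c in flagged.items()}


if __name__ == "__main__":
    f = unauthorized_accesses(parse_log(AUDIT_LOG), CARE_TEAM)
    for patient, (staff_n, total) in summarize(f).items():
        print(f"{patient}: {staff_n} staff outside the care team, {total} accesses")
```

In practice the roster would come from the admission or scheduling system, and the summary would feed a privacy officer's review queue rather than being printed.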
Unfortunately, breaches such as these will continue to occur if hospitals and other health care providers do not take preventative measures and ensure that all of their staff are aware of their obligations to protect patients' privacy.