'Culture of privacy' needed at health organizations

Two recent health-information privacy breaches in Ontario are reminders of the importance – and responsibility – of health-care organizations to have effective privacy policies, to enforce them and to regularly train staff in order to cultivate a "culture of privacy," says Toronto health lawyer Lonny Rosen.

"The Information and Privacy Commissioner of Ontario is investigating both of these breaches – no doubt the commissioner's office will review the policies and procedures in place at the facility," he tells

"If their policies cannot withstand scrutiny or are not adequately enforced or taught to staff, then they're going to have a problem – even if the custodian, their staff and agent are careful to safeguard personal health information they collect."

Rosen, partner at Rosen Sunshine LLP, points out that both recent breaches share a common and concerning theme: for-profit enterprises seemingly obtaining personal health records and using the information for a business purpose.

"The apparent common link in these cases is that personal health information has been attempted to be used by individuals or businesses, and in both cases personal health information records were provided to an outside party without the consent of the individual to whom the information relates," he says.

In one case, a Sarnia woman was contacted by a private cosmetic surgery clinic that offered to perform a procedure she had already booked at a public hospital, reports the Toronto Star.

Patricia Pede told the newspaper that the Centric Health plastic surgery clinic called in March to try to convince her to switch her procedure to the private facility. She refused the offer, and when she asked how the clinic had obtained her personal information, the caller hung up, says the article.

Pede doesn't know how the private clinic got her information and, according to a letter the company sent her, neither does Centric, a publicly traded medical company with 10,000 employees in almost 1,000 locations across Canada, says The Star.

The Personal Health Information Protection Act, passed in 2004, stipulates that except where permitted or required by law, medical records cannot be divulged without the patient's consent, whether under public or private health care, and this applies to doctors, hospitals, laboratories and the Ministry of Health.

Rosen says it's important to note that in that case, a third party is alleged to have attempted to use the health information of one person, while another health-information privacy breach reported in recent days appears to have affected many more people and, in a "systematic approach, was apparently used to provide personal health information records to an outside party."

In that case, a Scarborough hospital is being investigated by the provincial privacy commissioner after the personal information of thousands of new mothers was leaked by hospital employees who were being paid by outside companies, reports The Star.

The names, addresses and phone numbers of as many as 8,300 patients were turned over to private companies selling Registered Education Savings Plans by two staff members at Rouge Valley Centenary hospital, says the newspaper.

The patients affected were mainly mothers who gave birth at the hospital between 2009 and 2013, it states. The personal information of the new parents and their families was used by the companies to try to sell them RESP investments, says The Star.

Rosen says that even if the "employees believed they were assisting the patients by helping them to receive information that might be of benefit to them, the patients' personal health information obviously was not collected for that purpose and is not permitted under health-privacy law to be used for that purpose."

The lawyer says both instances appear to have involved intentional privacy breaches.

"It may well be that the hospital in the recent case and the clinic in the other case had appropriate privacy policies and procedures in place, but if there's not a culture of privacy such that every staff member understands the importance of safeguarding personal health information records that they maintain and if those privacy policies aren't enforced or training on those policies isn't provided, then it's unfortunately easy for breaches to occur," he says.

A custodian of personal health information records will be well-placed to respond to breaches if they are able to show that they have policies and procedures in place that are appropriate, that they have trained all of their staff and agents on those policies and practices and that they have enforced them, including by auditing the access to records, says Rosen.

He recommends annual training for staff at health organizations on existing privacy policies and procedures to "ensure that the message is not forgotten, as well as to enhance the culture of privacy that's necessary within a health-care setting.

"Educating and training not only senior management but frontline staff who collect, use and disclose personal health information is vital," says Rosen.
