Ontario to strengthen health privacy legislation
Toronto health lawyer Mary Jane Dykeman says proposed amendments to the Personal Health Information Protection Act (PHIPA), if enacted, will deter those who break the rules and breach patient health information privacy.
Minister of Health and Long-Term Care Dr. Eric Hoskins announced on June 10 that the Ontario government will introduce the amendments to PHIPA. More than a decade since it became law in Ontario, the act governs how health information custodians such as physicians in private practice, hospitals and long-term care homes collect, use and disclose personal health information.
Dykeman, partner at Dykeman Dewhirst O’Brien LLP, says that while the act contains a requirement to safeguard this information, a series of recent privacy breaches have prompted the Information and Privacy Commissioner of Ontario (IPC), Brian Beamish, to recommend significant changes to increase these protections. The health minister made clear that he is acting on every single one of the IPC's recommendations. Read Toronto Star.
Mandatory reporting of breaches to the IPC (and in some instances, to health regulatory colleges), in particular, should act as a deterrent to those who inadvertently or intentionally break the rules, Dykeman tells AdvocateDaily.com.
Although no fines under the existing legislation have been levied to date, if the amendments become law, fines will be doubled from $50,000 to $100,000 for individuals and from $250,000 to $500,000 for organizations.
This is also "a wake-up call" for health-care providers, she says.
“At this point in Ontario, given the amount of attention that has been focused on privacy breaches, nobody working in the health sector should be able to say they didn’t know better,” she says.
Dykeman says legislative changes relating to electronic records were proposed in 2013 but were put on hold due to the provincial election. Those changes will now form part of the proposed amendments.
“Privacy breaches are a continual presence in the media,” she says. “Whether it is the charges recently laid by the Ontario Securities Commission against former hospital employees and RESP providers for securities fraud, or cases before the courts."
Other changes that will be introduced include: 1) strengthening the process to prosecute offences under PHIPA by removing the requirement that prosecutions must be commenced within six months of the alleged privacy breach; and 2) clarifying the authority under which health-care providers may collect, use and disclose personal health information contained in electronic health records.
AdvocateDaily.com has confirmed with the health minister’s office that the amendments to PHIPA will be tabled in the legislature in the fall. The provincial legislature is now on a break until Sept. 14.
Dykeman says health-record privacy is an issue with which every health-care provider and institution has to contend.
She is presenting with Manuela DiRe, director of legal services at the Information and Privacy Commissioner of Ontario, at Osgoode Professional Development’s June 17 nursing risk management conference. Their presentation is entitled "Ensuring Patient Privacy: How to Deal Appropriately with Confidential Information."