Recent privacy breaches emphasize need for training, education
Several recent high-profile privacy breaches have been widely reported, “suggesting that even 10 years after the implementation of health privacy legislation in Ontario, hospital staff still do not fully appreciate their obligations to safeguard hospitals’ personal health information records,” says Toronto health lawyer Lonny Rosen.
These recent breaches, including the access of Mayor Rob Ford’s health records by hospital staff, the use of birthing mothers’ hospital records to sell securities and the repeated access by hospital staff of the personal health information of a patient who killed himself at Brampton Civic Hospital, are all examples of how such occurrences happen “all too frequently” and underscore the necessity of appropriate training and education for frontline hospital staff, Rosen says.
“This is a reminder of the importance of training and education so that all staff who have access to personal health information records appreciate the responsibility that comes with that access,” he tells AdvocateDaily.com.
Rosen, partner at Rosen Sunshine LLP, points out that the Office of Ontario’s Privacy Commissioner has highlighted, following previous breach instances, the necessity of staff training as a way to help ensure a culture of privacy exists within the hospital.
“Frontline staff who collect and use personal health information records must undergo appropriate training on the hospital’s policies and procedures and on PHIPA (Personal Health Information and Protection Act),” he says. “Good policies aren’t sufficient and training and education are required to ensure that the messages from those policies are taken to heart.”
Rosen makes the comments in connection with two recent Toronto Star articles. One reports that a former clerk at Rouge Valley Centenary Hospital was charged by the Ontario Securities Commission (OSC) with the “quasi-criminal” offence of “misusing” as many as 8,300 records, mostly of mothers who gave birth between 2009 and 2013.
Another article notes that in the wake of the suicide of Prashant Tiwari while a patient at Brampton Civic Hospital and the provincial Coroner’s Office’s decision not to order an inquest into the case, 12 individual staff members of the hospital accessed Mr. Tiwari’s record 15 times, despite the fact that they were not authorized to do so or involved in his care. According to The Star article, the patient was under suicide watch at the time of his death.
“That fact likely caused many to question what happened in the case, and staff may have reviewed Mr. Tiwari’s records in an attempt to understand what transpired, or even to improve patient care in the future. But as they had no right to access the patient’s chart, even for education or for the benefit of future patients, staff breached Mr. Tiwari’s privacy when they accessed his records, and faced serious consequences as a result,” Rosen says. “Better education and training around privacy law and the hospital’s privacy policies may have prevented this from occurring.”
The clerk in the Rouge Valley case is accused of creating investor lists from the stolen records of new mothers, providing them to RESP dealers and receiving payment for this without informing the hospital or the patients, according to the OSC. She faces a fine and even jail time. The Information and Privacy Commissioner of Ontario is also investigating this case, and the clerk could face charges under privacy legislation, particularly in light of Acting Privacy Commissioner Brian Beamish’s recent statement to the effect that there should be stiffer penalties for health professionals who break patient confidentiality.
Staff at Mount Sinai, North York General, St. Joseph’s Health Centre, Humber River, Toronto East General and Rouge Valley Health inappropriately provided patient names, ages, lengths of hospital stays, physicians, types of diets and reasons for admission to a maternity imaging company, says the article. The breach involved tens of thousands of new mothers, it says.
As well, a $412-million class action lawsuit was launched against Rouge Valley Centenary after staff there were accused of providing contact information for 8,300 patients to private companies marketing RESP investments.
“It is a Personal Health Information Protection Act offence to collect, use or disclose personal health information, says the acting information and privacy commissioner of Ontario, in an email. Any individual found guilty of the offence can be fined up to $50,000 and any organization, up to $250,000,” says the newspaper.
Rosen’s comments also pertain to a recent Toronto Star report that two Mount Sinai Hospital employees have been accused of “inappropriately” accessing Ford’s health records.
Rosen notes that while steps can be taken to limit access to patient records in hospitals, staff members at most hospitals have access to all patient records.
“It would be unwieldy for access to patient records to be restricted electronically or administratively to only those staff who are involved in the care of a particular patient,” he says. “As such, hospitals rely on their policies and on the law, frankly, to ensure that staff members only access those records that they have to access in order to provide care.”
While PHIPA provides that the custodian of any personal health information record, such as a hospital, has an obligation to disclose to the patient that a breach has occurred, there’s no requirement to publicly disclose the information about the disciplinary action taken and there’s no requirement to alert the privacy commissioner, says Rosen.
He points to a recent case, Hopkins v. Kay (2014 ONSC 321 CanLII), that provides individuals whose personal health information was accessed with an independent right to sue – subject to appeal.