Always consider privacy rights when implementing tech: Rosen
By AdvocateDaily.com Staff
Health professionals can minimize the risk of reputational damage by focusing on privacy when implementing technology, says Toronto health lawyer Lonny Rosen.
A recent decision shows the Office of the Information and Privacy Commissioner (IPC) began investigating a Toronto cosmetic surgery clinic after CBC’s Marketplace reported concerns about its network of video surveillance, which included examination rooms.
While the IPC decided no order was necessary following steps taken by the clinic to amend its practices, Rosen, a partner with Rosen Sunshine LLP, says the damage may have already been done.
“The media attention that the clinic received when the issue came to light may have had a greater impact than any order by the IPC,” he tells AdvocateDaily.com. “The takeaway from this case is that carefully managing a privacy complaint or investigation can help to avoid an order, but the reputational harm that comes from media attention on a privacy breach is much harder to prevent.
“Careful implementation of any technology with an eye towards privacy compliance is the best means of prevention,” Rosen adds.
According to the IPC ruling, the clinic explained that its extensive 24-hour camera network operated for the purpose of security — not health care — and covered examination rooms, the operating room, pre-operative room, reception areas, hallways, administrative offices, a computer workroom, and the staff kitchen.
The footage was retained for 30 days and was also available to the clinic owner through an application on his phone, though it was not held in patients’ medical records and would not be used, disclosed or accessed unless a specific issue or need arose.
While the clinic posted notices about the surveillance at its entrance and other areas inside, it acknowledged that consent to record was not obtained from patients.
“The blanket use of surveillance cameras for non-health care purposes in this context (particularly in pre-operative, operating and examination rooms where a patient is most vulnerable and has a higher expectation of privacy) is unacceptable,” the commissioner wrote, finding that the clinic’s former practices were in violation of the Personal Health Information Protection Act.
“The lesson to be taken from this case is that clients and patients have the right to privacy with respect to their personal health information,” Rosen says. “This includes the right to control who can see and use their information and to know what information is being collected and how it is used.”
Those who wish to proceed with video recording to satisfy security concerns must first consider less-intrusive measures, he adds.
“As suggested by the IPC, that would include the use of chaperones or a significantly limited video surveillance system,” Rosen says. “They must also ensure adequate notice to clients who then have the opportunity to opt-out or to withdraw consent to the collection of this information.”
Despite finding a breach of the law, the IPC concluded that no formal review was necessary in this case because the clinic took the following steps to address the issues raised:
- responding initially with a complete explanation of the steps taken, and the rationale for them, as well as the shortcomings in their approach
- notifying all patients over the last two years about the cameras before being directed to do so
- providing the IPC with emails from patients about the cameras
- ceasing collection of personal health information through the camera system
- reducing the size of the camera network and its hours of operation
- securely destroying all prior recorded footage
The clinic implemented a new security system, which consists of just two cameras, located at the reception desk on each level, which are programmed to operate only after regular office hours. In addition, because of the angle of the cameras, they do not capture the faces of any patients who may attend the clinic at these times, the decision states.
New signs have also been installed with larger font, disclosing the presence of the cameras, while the clinic committed to amending its privacy policies and consent forms.
“The immediate steps taken by the clinic to demonstrate recognition of its shortcomings and efforts to become privacy compliant likely went a long way towards avoiding action by the IPC,” Rosen says. “This case provides lessons for health providers faced with an IPC investigation.”