Required reporting, doubling fines may stem privacy breaches
The progression from paper files to shared electronic records is a likely reason why Ontario’s provincial government is aiming to put more teeth into legislation to protect patients’ privacy and keep their personal health information confidential, Toronto health lawyer Mary Jane Dykeman tells The Lawyers Weekly.
“The technology has improved, so most health-care organizations and providers have gone to electronic records,” she says, which makes it easier to track what records employees are accessing.
The province has introduced changes to legislation that’s designed to increase the protection of patients’ health information, as well as improve privacy, accountability and transparency in the health-care system, reports the legal trade publication.
If passed, the new Health Information Protection Act would make it mandatory to report certain privacy breaches to the Information and Privacy Commissioner and to relevant regulatory colleges; it would also remove the requirement that prosecutions must be started within six months of the alleged offence, says the article. It would double the maximum fines from $50,000 to $100,000 for individuals and from $250,000 to $500,000 for organizations, it says.
The new act would update the Quality Care Information Protection Act (QCIPA).
The proposed new legislation comes on the heels of several high-profile privacy breaches in Ontario that involved health-sector employees accessing patient records. It is worth noting that while some of these breaches have occurred at large hospitals, others have occurred in smaller, non-acute care settings. The message is clear: every health-care provider must take privacy seriously.
Dykeman, partner at Dykeman Dewhirst O’Brien LLP, says there are many reasons why employees have accessed records without permission.
“It could be a personal relationship, it could be snooping on someone you know or it could be a public figure,” she tells the magazine. “It runs the gamut.”
In these cases, “it’s difficult to argue today that you didn’t know” the rules in light of some well-publicized breaches, she says.
Dykeman says it’s important for health-care organizations to show due diligence in order to avoid a fine under the act.
“Employ the appropriate safeguards that are required and then let your people know what the expectations are and train them. Not a one-off, but a continual reminder,” she says.
The existing fines, while large, apparently haven’t prevented privacy breaches from occurring, but Dykeman says, “There’s nothing like the doubling of fines to get people’s attention.”
In this new climate of privacy protection, it’s almost certain fines will be levied if individuals continue to snoop, she tells AdvocateDaily.com.