Significant amendments to Ontario’s health privacy legislation announced
It’s a significant step forward that Ontario’s Ministry of Health and Long-Term Care announced today amendments to its health privacy legislation, under the Health Information Protection Act, says Toronto health lawyer Mary Jane Dykeman. Legal Feeds
The changes include mandatory breach notification (as newly defined) to the Information and Privacy Commissioner of Ontario and applicable health regulatory Colleges; broadening the timeframes within which an Attorney General prosecution must be started and doubling fines for offences to $100,000 for individuals and $500,000 for health information custodians.
If passed, the bill would also update the Quality of Care Information Protection Act (QCIPA) to clarify what information about critical incidents must be made available from those affected; reinforce patients’ rights of access to their health information; and institute a five-year review of QCIPA by the Minister of Health and Long-Term Care.
The bill is in part due to an increase in unauthorized access to patient health records by health-care workers, despite the fact that those who “snoop” face a myriad of consequences, says Dykeman, partner at Toronto health law boutique Dykeman Dewhirst O’Brien LLP.
“Privacy commissioners across Canada, the United States and worldwide have run out of patience as many jurisdictions are beefing up their privacy legislation and an increasing number of health-care workers are being prosecuted for breaching the laws,” she tells AdvocateDaily.com.
Dykeman notes that in Ontario, Attorney General prosecutions are now proceeding under the Personal Health Information Protection Act (PHIPA), a law that has been in force for nearly 11 years but is only recently being utilized in this capacity. The new bill removes the requirement that they be commenced within six months.
“As well, the Supreme Court of Canada will decide any day now whether to hear Hopkins v. Kay, 2014 ONSC 321 (CanLII), a Peterborough Regional Health Centre case involving unauthorized access by multiple staff to the health records of hundreds of patients,” she says. “The case will determine whether an individual affected by a privacy breach is required to first pursue a remedy under PHIPA, or whether he or she may proceed directly to a civil action. The case will test the relatively recently established common law tort of intrusion upon seclusion established in Jones v. Tsige, 2012 ONCA 32 (CanLII).”
Dykeman points to the recent Ontario Securities Commission prosecution against two former employees of Rouge Valley Health System — for allegedly accepting money in exchange for providing the names of new mothers and babies to Registered Education Savings Plan (RESP) brokers — that is now before the courts. One of those employees, Shaida Bandali, 61, who worked at Rouge Valley until 2014, has pleaded guilty to accessing confidential maternity ward records and selling the private information for between $1 and $2.75 each to salespeople of RESPs, according to an agreed statement of facts, says the Toronto Star. Though she hasn’t been charged criminally, she is also accused under the Ontario Securities Act for unregistered trading, for which the maximum penalty is five years less a day in jail and a fine of $5 million.
Registered nurse Esther Cruz, who worked in the maternity department at the hospital, has been charged with six Criminal Code offences, including two counts of accepting a secret commission, two counts of breach of trust by a public officer and two counts of theft under $5,000, reports CBC.
“The time for complacency has long since passed on these issues for health-care workers, as the outcomes for non-compliance become more significant and more public,” Dykeman says.