BreachExchange mailing list archives

Hospitals should report privacy breaches to commissioner: Editorial


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 13 Jan 2015 20:10:03 -0700

http://www.thestar.com/opinion/editorials/2015/01/13/hospitals_should_report_privacy_breaches_to_commissioner_editorial.html

Every year privacy violations at Ontario’s 155 hospitals – possibly
numbering in the thousands – go unreported to the provincial Information
and Privacy Commissioner.

That’s the conclusion of acting privacy commissioner Brian Beamish,
following a Star investigation of 218 privacy breaches at eight of
Toronto’s biggest health institutions.

While the Star found that the vast majority of the unreported breaches were
a result of genuine human error, the ones that weren’t were unsettling.

Among them: five staff members snooped into the medical records of 22
patients at the Centre for Addiction and Mental Health last year. An
employee at Sunnybrook Health Sciences Centre disclosed a patient’s
prognosis to the person’s estranged children without consent. And at
Toronto East General Hospital, an employee asked a colleague to access the
records of a friend.

All of these cases would have gone unreported were it not for the Star’s
investigation. That’s why it’s important that the commissioner be made
aware of all serious privacy breaches.

Mandatory reporting would allow the commissioner to identify trends in both
human errors and privacy breaches, investigate specific areas of concern
and help hospitals prevent future incidents.

Still, under a legislative loophole in the Personal Health Information
Protection Act, hospitals can handle such violations internally, including
disciplining and sometimes firing staff, without alerting the commission.

Beamish is calling for a legislative change to force hospitals to report
serious breaches to his office. He is right to do so.

The potential for abuse of health records is enormous and the more
oversight, the better.

Last year, the Star revealed two major hospital privacy breaches involving
thousands of patients. In one case, hospitals provided patient information
to baby photographers. In another, hospitals were handing out patient
contact information to RESP marketers. (In those cases, the hospitals did
notify the commissioner.)

Beamish cites another case in which a nurse accessed the medical records of
her ex-boyfriend’s new partner, and others where health professionals
accessed colleagues’ and neighbours’ records out of curiosity.

And there is the case of nurses improperly peeking at the medical records
of former mayor Rob Ford after his cancer diagnosis.

Clearly there is a need to shine a brighter spotlight on health-care
privacy leaks. Mandatory reporting to the privacy commissioner is one way
to achieve that goal. Health Minister Eric Hoskins should close the
loophole in the privacy act and strengthen the commissioner’s oversight.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/