BreachExchange mailing list archives

Is enough being done to stop your health information from going public?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 18 May 2015 18:16:59 -0600

http://www.thestar.com/life/health_wellness/2015/05/16/is-enough-being-done-to-stop-your-health-information-from-going-public.html

Ontario’s privacy commissioner wants to see more prosecutions of
health-care workers who snoop into patient files, a growing problem in the
age of electronic medical records.

But complaints about violations of health privacy legislation rarely make
their way to police, even though the attorney general’s ministry says it
will only prosecute if police say there’s a strong case.

The College of Nurses of Ontario does not automatically alert police when
it becomes aware of snooping cases.

And a survey of 27 hospitals in the GTA and Hamilton has found that the
hospitals don’t, either. Some say it’s not their job; one says it’s the job
of the privacy commissioner; and another argues that a police complaint
would be a privacy violation in itself.

“In my view, the real problem lies with the attorney general's office and
its absence of willingness to prosecute PHIPA (Personal Health Information
and Privacy Act) cases,” said Ann Cavoukian, Ontario’s former information
and privacy commissioner, and now executive director of the Privacy and Big
Data Institute at Ryerson University.

The survey of hospitals showed they are inconsistent in how they handle
privacy violations.

Some deal with them internally, some notify the privacy commissioner, and
some only alert the privacy commissioner if breaches are substantial.
(Unlike many other provinces, Ontario legislation does not compel them to
do so.)

In cases where hospitals have contacted police, it was to report alleged
criminal activity that happened in conjunction with snooping.

The nurses’ college and hospitals are taking disciplinary action against
errant employees, including suspensions and firings. But the Office of the
Information and Privacy Commissioner of Ontario does not have authority to
take the next step and launch prosecutions.

Only the attorney general can do so.

Last week, a Sault Ste. Marie nurse was suspended for 90 days by the
nurses’ college after she accessed 338 patient records. The week before,
the college began a disciplinary hearing for a Peterborough nurse alleged
to have accessed about 300 records. Both nurses were fired by their
respective hospitals.

Neither is facing charges under PHIPA, which carries fines of up to $50,000.

Alberta, Manitoba, and Newfoundland and Labrador have had successful
prosecutions using health privacy laws. Unlike Ontario, they do not require
police involvement, just a recommendation from their privacy commissions.

The result in Ontario is that there has never been a conviction under its
11-year-old privacy legislation.

PHIPA was introduced to keep personal health information confidential and
secure, while allowing for the effective delivery of health care. But there
have only been two attempts to prosecute.

The first failed in March, after the Crown bungled the case of a North Bay
nurse accused of prying into almost 6,000 patient files. The second is
ongoing and involves hospital staff snooping into Rob Ford’s cancer-treatment
records.

“Why do they need the police to be involved? While I have no problem with
involving the police, it is clear that the expertise on determining whether
there has been a breach of PHIPA lies with the commissioner's office,”
Cavoukian said.

“In the absence of a legal requirement, the (attorney general) should
reconsider the need to involve the police and rely on the expertise of the
Commissioner's office. Continuing to do nothing is completely
unacceptable,” she added.

A spokesperson for the attorney general’s ministry previously told the Star
that even if the privacy commissioner investigates a breach and concludes
it should be prosecuted, police must do a further investigation to
determine if there are reasonable grounds that an offence has been
committed.

Asked on Wednesday whether the province is considering reducing the
barriers that restrict prosecutions, Health Minister Eric Hoskins said yes.

“That’s something that we are looking at in terms of the steps from the IPC
(information and privacy commissioner) to the attorney general and what is
required of her in order for a prosecution to move forward. We are looking
at all of that and how we can streamline that and make it easier for both
the IPC and the attorney general.”

Hoskins said he plans to soon introduce legislation that would make it
easier to prosecute snoopers. The legislation would double the fine to
$100,000 for those found guilty of an offence and eliminate a six-month
time limit for investigations into alleged breaches. (The six-month window
makes it difficult to complete all investigations.)

Hospitals surveyed by the Star gave different reasons for not approaching
police with alleged breaches.

“WCH (Women’s College Hospital) complies with the Personal Health
Information Protection Act and under PHIPA there is no requirement for
hospitals to report privacy breaches to police,” said hospital spokesperson
Rebecca Cheung.

“Sharing patient information with law enforcement officials would itself be
a breach of privacy,” said Marnie Fletcher, chief privacy officer at St.
Joseph’s Healthcare in Hamilton.

Privacy commissioner Brian Beamish has previously told the Star he is
calling for serious breaches to result in prosecutions under PHIPA.

“We should have more prosecutions, as this would send a strong message to
health professionals that this is not OK,” he said.

Beamish’s office declined numerous requests to be interviewed for this
story.

A recent article in Canadian Lawyer Magazine quoted Beamish as saying that
his office is undergoing an internal review of its processes so that it can
better deal with an increasing number of personal health information
breaches.

“We need to see some serious movement on prosecutions if these breaches are
ever going to be taken seriously. There has to be a real deterrent in order
to alter future behaviour, and prosecuting breaches of PHIPA would be an
obvious course of action,” Cavoukian said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/