A public hospital reported a privacy breach under PHIPA to the Office of the Information and Privacy Commissioner of Ontario (IPC). The breach involved a radiologist with privileges at the hospital who accessed patients’ health records without authorization. The affected patients included the radiologist’s sister-in-law, who brought the privacy breach to the hospital’s attention, and members of her family.
Because the radiologist was an agent of the hospital, his actions constituted an inappropriate use of personal health information by the hospital, contrary to section 29 of PHIPA, which sets out limits on and requirements for the use of this information.
In response, the hospital took steps to investigate, contain and remediate the breach. The hospital also provided the appropriate notification in the circumstances, disciplined the radiologist and reported him to the College of Physicians and Surgeons of Ontario.
Despite this, the IPC had concerns about the hospital’s ability to detect and deter unauthorized access to patients’ health records in relation to its EHR systems. These systems were not built from a privacy audit perspective and the hospital only became aware of the breach because of a privacy complaint made by the radiologist’s sister-in-law to another regional hospital about him.
At the time of the breach, the hospital’s EHR systems had inherent limitations and, generally, did not display a privacy notice or warning flag. For these reasons, the investigator finds that the hospital did not take steps that are reasonable in the circumstances for the security of personal health information against unauthorized use as required by section 12 of PHIPA. However, given the hospital’s response to the breach and implementation of privacy warning flags in its EHR systems, the investigator finds that a formal review of this matter under Part VI of PHIPA is not warranted.
PHIPA DECISION 264
Collection: Health Information and Privacy
Date:
File Numbers: HR22-00017
Adjudicators: John Gayle
Decision Type: Decision - PHIPA
Applicable Legislation: PHIPA - 2; PHIPA - 3(1); PHIPA - 4(1); PHIPA - 12; PHIPA - 29; PHIPA - 58(1)