Stamping out snooping once and for all

With the rapid adoption of technology and digitization of health services, protecting patient privacy is more vital than ever to maintain Ontarians’ confidence in their health care system. This is why the IPC selected Trust in Digital Health as one of the key strategic priorities to guide our work over the next several years. Our goal is to promote confidence in the digital health care system by guiding custodians to respect the privacy and access rights of Ontarians, and supporting the pioneering use of personal health information for research and analytics to the extent it serves the public good.

While increased use of digital tools in the health care sector require enhanced privacy and security safeguards to mitigate against sophisticated attacks of cyber criminals, other, more traditional causes of breach can still undermine overall trust in our health care system. So it’s important to always keep our eye on the eight ball and stay focused on the end-game.

Last month, the IPC’s annual statistical report revealed that unauthorized access to personal health information — or snooping — by health care workers accounted for over 20 per cent of self-reported health privacy breaches in 2020.

Some of these snooping cases reveal the untamable human instinct to peer into the secret lives of others and feed the production of idle gossip. Others, however, expose a much more sinister attempt to commercially profit from the unauthorized access by providing, and even selling, patient information to others.

Recently, my office issued PHIPA Decision 147, which details an investigation into a privacy complaint filed by a patient who alleged unauthorized use and disclosure of her personal health information. After receiving hospital treatment for injury resulting from a motor vehicle accident (MVA), the patient was contacted by a physician who was not involved in her care, but who claimed to be making a courtesy call to enquire into how she was doing as part of a “quality audit.” The physician recommended the patient attend a physiotherapy clinic for follow up care. When she arrived at the clinic, the patient was met by a personal injury lawyer who began discussing a potential lawsuit and the process for seeking compensation for injury resulting from the MVA. As it turned out, the lawyer was the wife of the physician who had referred her to the clinic in the first place.

Concerned with what appeared to be inappropriate access to, and disclosure of, her personal information, the patient raised the issue with the hospital. After looking into the matter, the hospital discovered that the physician, as well as a hospital clerk — neither of whom was involved in the patient’s care — had accessed the patient’s records of personal health information. The clerk has since been prosecuted and plead guilty to an offence under PHIPA, and our office’s investigation focused more specifically on the physician’s actions, and the hospital’s responsibility for those actions.

Our investigation found that, at the time of the breach, the hospital’s policies and training of physicians in respect of quality audits were not sufficiently adequate to comply with its safeguarding obligations. These have since been remedied to our office’s satisfaction.

As for the physician, the investigation found that his use of the patient’s personal health information for his quality audit was not authorized under the act. While there was insufficient evidence to conclude whether the physician disclosed the patient’s personal health information to his wife in this specific case, the investigation uncovered some troubling suggestions that other MVA patients had faced similar experiences after leaving the hospital. This case should serve as a cautionary tale for all hospitals, reminding them of the potential monetary value of certain personal health information and the strong financial incentives that increase the risk of inappropriate access. Accordingly, hospitals should specifically turn their minds to, and guard against, such risks when taking reasonable steps to protect patients’ personal health information against unauthorized uses and disclosures.

A few parallels can be drawn between this most recent decision and one from a few years back that also involved inappropriate snooping by hospital employees for financial gain. Order HO-013 involved the inappropriate collection of the personal health information of new mothers who had recently given birth at a hospital for the purposes of selling or marketing registered education savings plans (RESPs). In that case, the IPC found that the hospital in question failed to put in place the technical and administrative safeguards needed to protect patients’ personal health information against such misuse by its employees.

Although any case of unauthorized access to medical records can have devastating consequences for patients, health professionals, and the health system as a whole, snooping cases seem all the more reprehensible, especially when done to derive commercial profit. All health care providers in the province must have the necessary safeguards in place to detect and report snooping, and ultimately, to prevent snooping altogether. This includes the use of electronic audit logs that will become mandatory under a new section of Ontario’s health information privacy law, pending the adoption of regulations.

Since PHIPA came into force in 2004, eight cases have been referred to the attorney general of Ontario for prosecution under the act. This has led to convictions against six individuals, and fines of up to $20,000 plus a $5,000 victim surcharge. Recent amendments to Ontario’s health privacy law have increased the maximum fines for offences under PHIPA to $1 million for corporations and $200,000 for individuals and possible imprisonment for those who break the law. Such cases can take a long time to work their way through the courts and whether we will see these maximum fines reached anytime soon to effectively deter snoopers from snooping remains to be seen.

Also under the recent PHIPA amendments, my office will have the power to levy administrative monetary penalties directly against those who contravene Ontario’s health privacy law for the purposes of either encouraging compliance with the act or preventing a person from deriving any economic benefit as a result of the contravention. However, the application of these new administrative penalties also depends on the adoption of regulations.

We await these new regulations with great anticipation and look forward to the day we will finally have the enforceable tools we need to make it too costly and difficult for snoopers to act on temptation.

Let’s curb health privacy breaches by stamping out snooping once and for all.

Patricia