Ontario’s privacy commissioner wants to see more prosecutions of health-care workers who snoop into patient files, a growing problem in the age of electronic medical records.
But complaints about violations of health privacy legislation rarely make their way to police, even though the attorney general’s ministry says it will only prosecute if police say there’s a strong case.
The College of Nurses of Ontario does not automatically alert police when it becomes aware of snooping cases.
And a survey of 27 hospitals in the GTA and Hamilton has found that the hospitals don’t, either. Some say it’s not their job; one says it’s the job of the privacy commissioner; and another argues that a police complaint would be a privacy violation in itself.
“In my view, the real problem lies with the attorney general’s office and its absence of willingness to prosecute PHIPA (Personal Health Information and Privacy Act) cases,” said Ann Cavoukian, Ontario’s former information and privacy commissioner, and now executive director of the Privacy and Big Data Institute at Ryerson University.
The survey of hospitals showed they are inconsistent in how they handle privacy violations.
Some deal with them internally, some notify the privacy commissioner, and some only alert the privacy commissioner if breaches are substantial. (Unlike many other provinces, Ontario legislation does not compel them to do so.)
In cases where hospitals have contacted police, it was to report alleged criminal activity that happened in conjunction with snooping.
The nurses’ college and hospitals are taking disciplinary action against errant employees, including suspensions and firings. But the Office of the Information and Privacy Commissioner of Ontario does not have authority to take the next step and launch prosecutions.
Only the attorney general can do so.
Last week, a Sault Ste. Marie nurse was suspended for 90 days by the nurses’ college after she accessed 338 patient records. The week before, the college began a disciplinary hearing for a Peterborough nurse alleged to have accessed about 300 records. Both nurses were fired by their respective hospitals.
Neither is facing charges under PHIPA, which carries fines of up to $50,000.
Alberta, Manitoba, and Newfoundland and Labrador have had successful prosecutions using health privacy laws. Unlike Ontario, they do not require police involvement, just a recommendation from their privacy commissions.
The result in Ontario is that there has never been a conviction under its 11-year-old privacy legislation.
PHIPA was introduced to keep personal health information confidential and secure, while allowing for the effective delivery of health care. But there have only been two attempts to prosecute.
The first failed in March, after the Crown bungled the case of a North Bay nurse accused of prying into almost 6,000 patient files. The second is ongoing and involves hospital staff snooping into Rob Ford’s cancer-treatment records.
“Why do they need the police to be involved? While I have no problem with involving the police, it is clear that the expertise on determining whether there has been a breach of PHIPA lies with the commissioner’s office,” Cavoukian said.
“In the absence of a legal requirement, the (attorney general) should reconsider the need to involve the police and rely on the expertise of the Commissioner’s office. Continuing to do nothing is completely unacceptable,” she added.
A spokesperson for the attorney general’s ministry previously told the Star that even if the privacy commissioner investigates a breach and concludes it should be prosecuted, police must do a further investigation to determine if there are reasonable grounds that an offence has been committed.
Asked on Wednesday whether the province is considering reducing the barriers that restrict prosecutions, Health Minister Eric Hoskins said yes.
“That’s something that we are looking at in terms of the steps from the IPC (information and privacy commissioner) to the attorney general and what is required of her in order for a prosecution to move forward. We are looking at all of that and how we can streamline that and make it easier for both the IPC and the attorney general.”
Hoskins said he plans to soon introduce legislation that would make it easier to prosecute snoopers. The legislation would double the fine to $100,000 for those found guilty of an offence and eliminate a six-month time limit for investigations into alleged breaches. (The six-month window makes it difficult to complete all investigations.)
Hospitals surveyed by the Star gave different reasons for not approaching police with alleged breaches.
“WCH (Women’s College Hospital) complies with the Personal Health Information Protection Act and under PHIPA there is no requirement for hospitals to report privacy breaches to police,” said hospital spokesperson Rebecca Cheung.
“Sharing patient information with law enforcement officials would itself be a breach of privacy,” said Marnie Fletcher, chief privacy officer at St. Joseph’s Healthcare in Hamilton.
Privacy commissioner Brian Beamish has previously told the Star he is calling for serious breaches to result in prosecutions under PHIPA.
“We should have more prosecutions, as this would send a strong message to health professionals that this is not OK,” he said.
Beamish’s office declined numerous requests to be interviewed for this story.
A recent article in Canadian Lawyer Magazine quoted Beamish as saying that his office is undergoing an internal review of its processes so that it can better deal with an increasing number of personal health information breaches.
“We need to see some serious movement on prosecutions if these breaches are ever going to be taken seriously. There has to be a real deterrent in order to alter future behaviour, and prosecuting breaches of PHIPA would be an obvious course of action,” Cavoukian said.
- With files from Olivia Carville