Every year privacy violations at Ontario’s 155 hospitals – possibly numbering in the thousands – go unreported to the provincial Information and Privacy Commissioner.
That’s the conclusion of acting privacy commissioner Brian Beamish, following a Toronto Star investigation of 218 privacy breaches at eight of Toronto’s biggest health institutions.
While the Star found that the vast majority of the unreported breaches were a result of genuine human error, the ones that weren’t were unsettling.
Among them: five staff members snooped into the medical records of 22 patients at the Centre for Addiction and Mental Health last year. An employee at Sunnybrook Health Sciences Centre disclosed a patient’s prognosis to the person’s estranged children without consent. And at Toronto East General Hospital, an employee asked a colleague to access the records of a friend.
All of these cases would have gone unreported were it not for the Star’s investigation. That’s why it’s important that the commissioner be made aware of all serious privacy breaches.
Mandatory reporting would allow the commissioner to identify trends in both human errors and privacy breaches, investigate specific areas of concern and help hospitals prevent future incidents.
Still, under a legislative loophole in the Personal Health Information Protection Act, hospitals can handle such violations internally, including disciplining and sometimes firing staff, without alerting the commission.
Beamish is calling for a legislative change to force hospitals to report serious breaches to his office. He is right to do so.
The potential for abuse of health records is enormous and the more oversight, the better.
Last year, the Star revealed two major hospital privacy breaches involving thousands of patients. In one case, hospitals provided patient information to baby photographers. In another, hospitals were handing out patient contact information to RESP marketers. (In those cases, the hospitals did notify the commissioner.)
Beamish cites another case in which a nurse accessed the medical records of her ex-boyfriend’s new partner, and others where health professionals accessed colleagues’ and neighbours’ records out of curiosity.
And there is the case of nurses improperly peeking at the medical records of former mayor Rob Ford after his cancer diagnosis.
Clearly there is a need to shine a brighter spotlight on health-care privacy leaks. Mandatory reporting to the privacy commissioner is one way to achieve that goal. Health Minister Eric Hoskins should close the loophole in the privacy act and strengthen the commissioner’s oversight.