Ontario wants higher fines for health-care data breaches
By Keith Leslie The Canadian PressNews
Ontario’s Liberal government is promising legislation this fall to double the fines for people who access patients’ medical records without authority, and make it easier to prosecute offenders.
“There are few things as individuals, and as a society, that we hold more precious than our privacy,” said Health Minister Eric Hoskins. “The government has an incredibly important role to play in securing and ensuring that privacy is upheld.”
There have been cases of health-care workers inappropriately accessing patients’ private records at hospitals in Peterborough, Sault Ste. Marie, Brantford, Toronto, Sarnia and elsewhere, with reports the data were sometimes sold to marketing companies offering education savings plans or photography services. Workers at several hospitals accessed the medical records of former Toronto mayor Rob Ford.
“It is often the high profile cases and individuals by the nature of the breach that may get more attention,” said Hoskins. “I don’t want to speak to the specifics that are already out there in the public domain, given that a number of them are being investigated and may be prosecuted.”
Hoskins said the new legislation will double fines for violations of patients’ privacy to $50,000 for individuals and $500,000 for the hospital or organization. It would also scrap a rule requiring that prosecutions start within six months of the alleged privacy breach, which Hoskins called “a serious barrier” to prosecuting offenders.
“That has made it extremely difficult to conduct an investigation and has made prosecutions very rare,” he said.
Only three cases of breaching private medical records have ever been referred for prosecution, and there has never been a successful prosecution under the Personal Health Information Protection Act since it was introduced in 2004. One case was unsuccessful and the two others are still under consideration by the Attorney General’s office.
The proposed bill would make it mandatory to report privacy breaches to Ontario’s Information and Privacy Commissioner and to the relevant regulatory colleges that govern health-care professionals. The privacy commissioner can’t launch prosecutions, and can only refer the cases to the Attorney General.
“We are proposing in this legislation changes that will require mandatory reporting from a health-care custodian in a hospital, for example, if any human resource action takes place as a result of a breach,” said Hoskins.
Potential privacy breaches increase with the growing use of electronic medical records, although security protocols are much more stringent than under the old paper files, added Hoskins, who said it’s not just a hospital problem.
“I think that is part of the advantage of mandatory reporting of all breaches, is we are going to have a better understanding where these breaches occur,” he said.
The Progressive Conservatives said the proposed legislation should make it mandatory to report serious breaches of patients’ privacy to police.
“The government is finally taking steps to better protect the privacy of the people, though it comes only after months of headlines exposing breaches of patient information and does not guarantee police involvement for serious cases,” said PC attorney general critic Sylvia Jones.
The Ontario Court of Appeal ruled earlier this year that patients can sue hospitals if their privacy was breached.
Print this page