The Star contacted every health jurisdiction in Canada this week and found eight have passed legislation — some as recently as last year — to force hospitals to report breaches to the relevant privacy body.
But Ontario, which has the largest population in the country, has no plans for such a legislative change. A province that was once a leader in health information privacy laws is now trailing as other provinces move to stricter reporting.
A recent Star investigation found hundreds of serious health-related privacy breaches were going unreported to Ontario’s privacy commission because a legislative oversight allows hospitals to handle such violations internally.
When the Star notified Brian Beamish, the province’s acting information and privacy commissioner, of some of the unreported breaches, he said he would like to see legislative change to force Ontario hospitals to report serious violations to his office.
“The government knows how we feel and are well aware of our position. We have been very clear on that,” he said. “We think we should come up to the level of other jurisdictions on this particular issue.”
Privacy commissioners from across the country told the Star they have seen a worrying increase in health care professionals snooping into private medical records with wilful, malicious intent. This trend, they said, highlights the importance of the recent legislative changes.
In another incident, a pharmacist in a dispute with fellow congregants at her church opened their medical records to pull information about their birth control prescriptions and posted it on Facebook.
Health Minister Dr. Eric Hoskins said in a written statement to the Star that he recently met with Beamish to work on strengthening the province’s patient privacy protections.
He did not provide further details and would not respond to questions about why Ontario had fallen behind other jurisdictions on the issue.
Back in 2004, the province brought into force one of the country’s first health information privacy laws: the Personal Health Information Protection Act (PHIPA). Under PHIPA, hospitals can investigate privacy breaches, notify affected patients and sack staff members without alerting the commission.
Many provinces modelled their health privacy laws on PHIPA, but there has been a move in other provinces to update such legislation, and Ontario is now lagging rather than leading.
Edward Ring, privacy commissioner for Newfoundland and Labrador, said his province largely copied PHIPA when it came up with its own legislation but added one adjustment: mandatory reporting of health-related breaches to the privacy office.
“We viewed that as an important improvement,” Ring said.
Each jurisdiction in Canada has its own health privacy legislation and those that have enforced mandatory reporting have different thresholds for notifying the privacy commissioner.
Nova Scotia’s legislation says the privacy review officer must be notified of breaches only when the affected patients are not informed. Usually these incidents are minor, such as a misdirected fax message.
However, in New Brunswick, the privacy office is notified of every single health-related privacy breach, said privacy portfolio officer Lucrece Nussbaum.
She pointed to a recent spike in cases in which physicians inappropriately access information out of curiosity or for malicious reasons. One instance involved a doctor who snooped into 141 women’s medical records, including gynecology reports.
Brian Hamilton, Alberta’s privacy spokesman, said medical records are about as sensitive as it gets, and as patient files are rapidly uploaded into the online world, the potential for privacy violations increases, making this legislative change even more critical.
Hamilton, the director of compliance and special investigations at the Information and Privacy Commission of Alberta, said people could be hurt or humiliated if someone pried into their health records.
A new legislative change in Alberta, set to come into force this spring, will make it obligatory for hospitals to notify the privacy commission of serious health-related breaches.
Hamilton viewed this legislative change as a huge improvement to the current system, citing a rising number of cases in which doctors had been caught snooping into the records of new lovers or ex-partners.
“A number of the breaches we often see relate to relationships, custody disputes or personal disputes,” he said.
Mandatory reporting will “put some power back into the hands of citizens,” he said.
“They should be reported to an independent body to prevent it happening again,” he said.
Jurisdictions with mandatory breach notification laws:
Jurisdictions with legislation changes in progress:
Jurisdictions that have formally requested law changes:
Jurisdictions with no mandatory reporting: