In a recent case out of Goderich, Ontario a $20,000 fine, the highest of its kind in Canada, was handed out for a health privacy violation.
Between September 9, 2014 and March 5, 2015, a Masters of Social Work student accessed the personal health information of 139 individuals including family, friends, and local politicians, among others, without authorization while on placement with a family health team. The student was ordered to pay $25,000 total, which included a $20,000 fine and a $5,000 victim surcharge after pleading guilty to wilfully accessing the personal health information of five individuals.
The Information and Privacy Commissioner of Ontario (the “IPC”) recently reported that this was the fourth person convicted under the Personal Health Information Protection Act (“PHIPA”). Under s. 72 of the PHIPA, it is an offence to wilfully collect, use, or disclose personal health information. This and the other offences enumerated in s. 72(1) of the PHIPA are punishable by a fine of up to $100,000 for individuals and $500,000 for institutions. The $20,000 fine imposed in this most recent case is far from the upper limit in the PHIPA, but a signals an increasing willingness to hand out hefty fines for violations.
From the news release issued by the IPC (available here), it is apparent that deterrence of this type of snooping into the private medical affairs of individuals is being treated seriously and is seen as a necessary safeguard to maintain patient confidence in the health care system.
The unauthorized access to private health records is an ongoing issue for health care organizations which has had an increasing impact on individuals and the organizations they work for, as evidenced by the Goderich case. Given the responsibility of organizations to ensure that private health records remain protected, and the potential institutional fines associated with breaches of the relevant privacy legislation, it is incumbent on health care and related organizations to ensure that its employees are properly trained and are fully aware of the implications of a privacy breach, even if there is no malicious intent. It is also imperative that everyone who has access to these private records, including staff, students, volunteers, and interns, are fully apprised of their obligations and the consequences for breaches, including snooping.
There is similar legislation in other provinces which provides for serious monetary penalties for breaching health privacy. In British Columbia, a breach of the E-Health (Personal Health Information Access and Protection of Privacy) Act, SBC 2008, c 38 could net a fine of up to $200,000. Alberta and Manitoba legislation authorizes fines of up to $50,000 for improper access and disclosure of health information (Health Information Act, RSA 2000, c H-5; Personal Health Information Act, CCSM c P33.5). A breach of Saskatchewan’s Health Information Protection Act, SS 1999, c H-0.021 could carry a fine of up to $50,000 for individuals and $500,000 for corporations, with an added penalty of one year imprisonment on summary conviction. Other Canadian jurisdictions authorize fines ranging from $10,000 to $50,000 for individual offenders, and some carry additional imprisonment penalties.
In addition to the fines that could be issued for health legislation violations, some provinces also allow claimants to advance court actions for invasion of privacy torts. In Ontario, the courts have expressly acknowledged that the PHIPA contemplates other proceedings in relation to personal health information. The Ontario Court of Appeal has stated that the PHIPA is well-suited to deal with systemic issues while recourse for individual wrongs can be found in the recently recognized privacy torts (see Hopkins v Kay, 2015 ONCA 112). In Manitoba, there is also dual recourse to privacy legislation and tort actions (see the comments of Monnin JA in Grant v Winnipeg Regional Health Authority et al, 2015 MBCA 44).
Notably, British Columbia has declined to recognize the privacy torts of intrusion upon seclusion and public disclosure of embarrassing private facts since the BC Privacy Act “covers the field” (see Ladas v Apple, 2014 BCSC 1821 at para 76). Alberta courts have also indicated that an action for breach of privacy relating to information in the control of an organization must proceed before the Commissioner appointed under the Personal Information Protection Act, SA 2003, c P-6.5 before recourse may be had to the courts (see Martin v General Teamsters, Local Union No 362, 2011 ABQB 412 at paras 45-48).