December 7, 2015 by Canadian Underwriter
A bill before the Ontario legislature proposing to require health care providers to report privacy breaches to the province’s information and privacy commissioner got some support last week from politicians on the opposition benches.
“We hope this legislation actually gets through so that we can catch up to the other provinces,” Progressive Conservative Health Critic Jeff Yurek said this past Thursday of Bill 119, the Health Information Protection Act.
If passed into law, the bill would make it mandatory “for health care providers to report certain privacy breaches to the Information and Privacy Commissioner, and to relevant regulatory colleges under certain circumstances,” Liberal Health Minister Eric Hoskins said Nov. 19 when he tabled the legislation for second reading.
Bill 119 proposes numerous changes to the Personal Health Information Protection Act “to provide for the development and maintenance of the electronic health record and for the collection, use and disclosure of personal health information by means of the electronic health record,” the government stated in an explanatory note to the draft legislation.
It also proposes to repeal and replace the Quality of Care Information Protection Act, 2004.
Debate on Bill 119 was adjourned Dec. 3.
With the bill, the ruling Liberals are proposing to remove “a serious barrier” to prosecutions under PHIPA, Hoskins said Nov. 19.
“Currently, there is a six-month limitation period from when a breach is alleged to have occurred to when a prosecution must commence,” Hoskins said at the time. “This has often left very little time to conduct a proper investigation. We are proposing an amendment that, if passed, will remove that six-month limitation period, which will give us more time to investigate the circumstances surrounding privacy breaches that could lead to successful prosecutions.”
Bill 119 also proposes to require the consent of the Attorney General to start a PHIPA prosecution, “rather than requiring the Attorney General to actually start the prosecution herself,” Hoskins added. “To further reduce the occurrence of privacy offences in the first place, we propose to double the maximum fines for PHIPA convictions from $50,000 to $100,000 for individuals and from $250,000 to $500,000 for organizations.”
Yurek referred Thursday to several privacy breaches in the Ontario health care sector, one of which involved Toronto city councillor (and former Mayor) Rob Ford, who is being treated for cancer.
“Last year, stories were breaking about his cancer treatment records,” Yurek said. “These records were breached on four separate occasions at three hospitals: Humber River, Mount Sinai and the Princess Margaret Cancer Centre. As of July, three of those workers have been charged, thankfully.”
France Gélinas, health critic for the New Democratic Party, echoed Yurek’s concerns.
“Don’t get me wrong, I’m not a big fan of Rob Ford, never have been and probably never will be,” Gélinas said. “But while he was undergoing chemotherapy for his cancer, hundreds of people accessed his records. Those people had no right to access his records, but yet, not a single one of them has been prosecuted or held to account because our laws are too weak. Bill 119 would hopefully allow us to do that.”
She suggested the NDP is hoping to make some amendments before Bill 119 is passed into law.
One of Gélinas’ concerns is patient care being provided outside of hospitals.
“As more and more procedures and services that used to be done in our hospitals are now done in those out-of-hospital clinics, none of what we’re talking about applies to them,” Gélinas said Dec. 2 during debate on Bill 119. “This has to be corrected. You can expect the NDP to bring amendments forward to make sure that the out-of-hospital clinics will be covered by those new and amended pieces of legislation that we are putting forward.”
Gélinas cited several examples of privacy breaches.
“In 2013, a secure USB data key was lost at Montfort Hospital containing information on 25,000 people,” she noted. “The personal information of 25,000 Ontarians was lost because a USB key was lost.”
Both Gélinas and Yurek cited the leak in 2014 of maternity patients’ information at Scarborough Rouge Valley Centenary Hospital in Toronto.
A former clerk for the hospital, Shaida Bandali, pled guilty in October to one count of unregistered trading, contrary to section 25(1) of the Securities Act (Ontario), the Ontario Securities Commission stated in a release.
Bandali – who was sentenced to two years’ probation, including 300 hours of community service, and a $36,000 fine – acknowledged in court that “between January 1, 2010 and March 31, 2014, she engaged in the business of trading in securities without being registered to do so,” OSC stated in its press release Aug. 31. This included “repeatedly breaching the confidentiality policies of her employer, the Rouge Valley Hospital, by accessing, copying, or distributing confidential personal data of maternity patients to one or more Registered Education Savings Plan (RESP) dealer representatives,” OSC added.
In 2014, 439 privacy breaches were reported to the Information and Privacy Commissioner’s office, said Gila Martow, PC MPP for Thornhill, during a debate Dec. 2 on Bill 119.
“What’s interesting is that, since reporting isn’t currently mandatory and this bill is going to address that, which is obviously very necessary, we don’t really know what that number is if it’s not mandatory,” Martow said.
With Bill 119, the government also proposes to require that, in any case where a healthcare professional has collected, used, or disclosed personal health information without authorization, the “custodian” of that information inform the individual’s professional college.
“There are 27 regulated health professions in Ontario: think physio, OT, physicians, nurses, midwives, pharmacists,” Gélinas said. “So if you hold a licence, your college will know about it” if there is a privacy breach.