Canadian Underwriter

Ontario health privacy breach notification bill passes third reading

May 10, 2016   by Canadian Underwriter

Print this page Share

An Ontario government bill proposing to increase fines, to $500,000, for health privacy violations recently passed third reading at Queen’s Park in Toronto.

Bill 119 proposes some changes to Ontario’s Personal Health Information Protection Act (PHIPA).

Secure Medical Records“These amendments would make it mandatory to report certain privacy breaches to the Information and Privacy Commissioner and to the relevant regulatory college of the person responsible for the breach,” Liberal MPP Indira Naidoo-Harris, parliamentary assistant to Health Minister Eric Hoskins, told the legislature May 4. “It would also strengthen the process to prosecute offences under PHIPA by removing the requirement that prosecutions must be commenced within six months of when the alleged offence occurred. This allows more time for a proper investigation and closes a loophole that would have allowed those who commit a security breach to go unpunished.”

The bill passed third reading May 4.

“The amendments would double the maximum fines for offences under the Personal Health Information Protection Act,” Naidoo-Harris said. “Penalties would increase from $50,000 to $100,000 for individuals and from $250,000 to $500,000 for an organization.”

The bill was subject to hearings before the Standing Committee on Justice Policy. One speaker was Brian Beamish, Ontario’s Information and Privacy Commissioner. Beamish was asked about the proposal to double the fines.

“It’s unlikely that someone’s going to get a $100,000 fine for this kind of action, but it sends a signal,” Beamish told the committee March 3. “It says, ‘This is serious activity. You shouldn’t be engaged in it, and if you are, there will be consequences.'”

Beamish was also asked about the six-month limitation period.

“The likely scenario is not that someone’s going to be found having snooped eight years ago; our experience is that someone is found to have done it now, and when an audit is done of their access to the system, there can be a trail going back years that they have been engaged in this kind of activity,” Beamish said. “The six-month limitation period means that anything beyond six months cannot be used for prosecution purposes. In my view, that trail of activity should be something that is brought to the attention of a judge to indicate a pattern of behaviour. So I think that’s an important piece of this.”

Related: Debate continues on Ontario health privacy breach law

Chantal Leonard, chief executive officer of the Canadian Nurses Protective Society, was one speaker with concerns about the bill.

“There can be many reasons to access personal health information that are legitimate, other than the direct provision of care,” Leonard told the justice policy committee March 3. “Nurses who work in the emergency room, for example, may be called upon to make inquiries with respect to patients who are in different areas of the hospital, not only in the emergency room. But the emergency room tends to be a hub, and so sometimes a physician may call and ask a nurse to look at the record of a patient to see if a lab result has come in so that they can prescribe the right medication. That would be an example of a circumstance where a nurse could be called upon.”

During debates on Bill 119 in late 2015, France Gélinas, health critic for the New Democratic Party, cited several examples of health privacy breaches in Ontario.

“In 2013, a secure USB data key was lost at Montfort Hospital containing information on 25,000 people,” Gelinas said at the time. “The personal information of 25,000 Ontarians was lost because a USB key was lost.”

She was referring to Hôpital Montfort, an Ottawa hospital at which an employee had lost a USB memory stick containing unencrypted records of 25,692 patients.

Gelinas also referred to Rob Ford, former mayor of Toronto, who was treated for cancer.

“While he was undergoing chemotherapy for his cancer, hundreds of people accessed his records,” Gelinas said in November of Ford, who died March 22, 2016. “Those people had no right to access his records, but yet, not a single one of them has been prosecuted or held to account because our laws are too weak. Bill 119 would hopefully allow us to do that.”

In addition to the Personal Health Information Protection Act, Bill 119 also proposes to change the Regulated Health Professions Act, the Drug Interchangeability and Dispensing Fee Act and the Narcotics Safety and Awareness Act, Naidoo-Harris told the legislature May 4.