It was reported that the government intends to introduce amendments to the existing health privacy law that will impose harsher penalties for people who breach patient privacy. It appears that the proposed amendments will also require hospitals, and possibly other health care providers, to report to the Information and Privacy Commissioner (“IPC”) when a privacy breach has occurred. But will these amendments make a difference?
One of the changes will include raising fines from $50,000 to $100,000 for individuals, and from $250,000 to $500,000 for organizations. For most health professionals, being ordered to pay $50,000 would be absolutely prohibitive. If a $50,000 fine is not already a sufficient deterrent from snooping, it is unclear how raising the fine to $100,000 will make any meaningful difference.
On a similar note, these maximum penalties are never enforced and therefore the penalty is somewhat irrelevant to would-be snoopers.
Another proposed amendment is to remove the requirement that prosecutions under the privacy law be brought within 6 months of the alleged privacy breach. Again, it is unclear that timing is really the issue. While there was one recent case in which prosecution delay led to a case not being heard, it appears that in over 10 years of the privacy law being in force there have been very few attempts to prosecute anyone for violating patient privacy. Amending the 6-month rule is not likely to make a huge impact.
Finally, the amendments would seek to require self-reporting of breaches to the Information and Privacy Commissioner. It is likely there are hundreds of thousands of unreported breaches – from your dentist name-dropping celebrity clients; your chiropractor keeping patient information open on a screen; your nurse putting information about the wrong patient in your chart; or your mom’s long-term care home speaking to you without her consent. Privacy breaches literally happen every day and it is highly questionable how effective a self-reporting model will really be in terms of protecting patient privacy.
Most problematic is that all of these amendments are reactive in nature. Privacy breaches can have a significant impact on patients and their families. Breaches can be downright embarrassing. They can make people feel unsafe, violated, and like they have lost control of their own information. They can cause patients to lose trust in their health care providers. And they can damage people’s reputations and result in information being shared that was intentionally kept private.
Fines and prosecutions may punish the wrongdoer, but do not prevent the breach. It would be preferable to see amendments proposed that would work towards the goal of preventing privacy breaches from happening altogether.
The Ontario Legislature has adjourned until September 14, 2015 and so it is unclear when exactly the amendments will be introduced. The amendments will come by way of a bill, which will be debated and voted upon like other legislative amendments. Only time will tell if these amendments will become law, and whether they will truly make any difference to Ontarians.