The premier weekly newspaper for the legal profession in Ontario
Issue link: https://digital.lawtimesnews.com/i/500799
Law Times • April 27, 2015 Page 9 www.lawtimesnews.com

Health privacy issue gaining traction
Hospitals urged to boost protection for electronic data as litigation moves forward
By Michael McKiernan
For Law Times

A lawyer representing the alleged victims of a privacy breach at an Ontario hospital says a decision by the Ontario Court of Appeal to allow a class action to proceed could mark a turning point in attitudes towards health record data breaches.

A string of high-profile data breach cases has raised public awareness about what Ottawa lawyer Michael Crystal says is the growing problem of unauthorized access to patient health records. However, he says recent developments have finally raised the prospect of some serious consequences for privacy violators.

In February, the Ontario Court of Appeal ruled Crystal's clients could make a common law claim under the new tort of intrusion upon seclusion against the Peterborough Regional Health Centre. In doing so, it dismissed the hospital's argument that the Personal Health Information Protection Act precludes such claims.

The following month, Ontario's information and privacy commissioner, Brian Beamish, recommended the prosecution of two individuals accused of snooping on the medical records of former Toronto mayor Rob Ford. The province's attorney general had previously launched just one prosecution under the act that was ultimately unsuccessful in the more than 10 years since it came into force.

Then, just days later, Ontario Health Minister Eric Hoskins announced he would introduce new legislation later this year aimed at increasing privacy protection for patients' electronic health records.

"One thing fuels the other, and we've got a perfect storm now for this issue to be addressed," says Crystal.

"I am hoping that the system will correct itself with better software, higher standards, more vigorous prosecutions, and greater penalties so that we won't see the continuation of these hospital breach cases. We all want our personal health information to be available to our doctors to get the best health care. Now we have to have protection in sync with where the technology stands."

Crystal says that in the early days of the act, many observers seemed not to care about health data breaches.

"A lot of people would ask, 'Who cares if a nurse outside the circle of care peeps into some gall bladder results?'" he says.

As the cases kept coming, he says the general public's view has hardened with the motives of the snoopers in some cases appearing insidious.

"Patients are seeing that when you have this type of activity, it doesn't just affect the immediate players; it undermines the system itself and it destroys the patient/health-care provider relationship," says Crystal.

"People go into hospital not because they want to but because they have to. If there's a free-for-all on their private information, that can be devastating, especially in a smaller community. If you've got open season on notes about suicidal thoughts and abortion records, people's lives can be destroyed."

Crystal acts for some of the 280 patients who received notifications from the Peterborough hospital about improper access to their health records. The $5.6-million claim relies on the tort of intrusion upon seclusion, a cause of action recognized by the Court of Appeal in its 2012 decision in Jones v. Tsige.

The hospital, backed by the Ontario Hospital Association, moved to dismiss the claim. It argued the act is an exhaustive code that precludes a common law claim for intrusion upon seclusion. However, a motion judge sided with the plaintiffs, a decision a three-judge panel of the Court of Appeal for Ontario upheld on Feb. 18.

"The language of [the act] does not imply a legislative intention to create an exhaustive code in relation to personal health information. [The act] expressly contemplates other proceedings in relation to personal health information. [The act]'s highly discretionary review procedure is tailored to deal with systemic issues rather than individual complaints. Given the nature of the elements of the common law action, I do not agree that allowing individuals to pursue common law claims conflicts with or would undermine the scheme established by [the act], nor am I satisfied that the review procedure established by [the act] ensures that individuals who complain about their privacy in personal health information will have effective redress," wrote Ontario Appeal Court Justice Robert Sharpe on behalf of the unanimous panel in Hopkins v. Kay.

Elyse Sunshine, a founder of Toronto health law boutique Rosen Sunshine LLP, expects a wave of new class actions in the wake of the Hopkins decision and says prevention of privacy breaches should be among the top priorities of holders of health records.

"It's a very big issue for any health information custodians, especially given the increasing calls for significant action against people who violate individual privacy," she says.

According to Sunshine, deliberate breaches by determined employees will always be difficult to prevent. However, she says institutions should be able to cut the frequency of a second class of breach that's generally more innocent and often due to a lack of understanding about custodians' privacy obligations.

"This legislation has been around now since 2004, so there really isn't much excuse," says Sunshine.

"I don't think it's about a lack of policy because most institutions, especially large ones, do have privacy policies. Sometimes, it may be attributable to a lack of training of front-line people. I think everyone should be revisiting not just their policies but also how they are implemented from a practical perspective. It's wonderful to have a good one, but if people are not complying or it's not making sense for a particular institution, then that can result in inadvertent breaches."

However breaches occur, Sunshine says the institution's reaction is critical. Blanket denials or suggestions of a coverup can turn a relatively benign situation toxic, she says.

"Things sometimes just happen, and it's important that the institution acknowledges and deals with the problem as soon as possible, depending on the nature of the breach," she adds.

In January, the office of the information and privacy commissioner for Ontario released its own guidance for health record custodians in a report on detecting and deterring unauthorized access to personal health information.

Identifying unauthorized access as a "growing problem in the health sector" that may actually cause patients to "withhold or falsify personal health information," the report included the following tips for record holders:

• Develop and apply privacy policies and procedures that set out the expectations and obligations of all agents for the protection of personal health information.
• Develop and apply a privacy training and awareness program for employees from the start of their employment and only grant access to personal health information once the training is complete. Ongoing privacy training should follow annually.
• Require all agents to sign confidentiality and end-user agreements annually acknowledging the privacy expectations and obligations of the custodian.
• Implement password and search controls to limit access to personal health information to particular employees based on the need-to-know principle.