Province vows to toughen laws on health privacy
Proposals would force hospitals to report security breaches and double fines for snoopers
Sweeping changes to provincial health privacy laws will soon cut down the red tape preventing authorities from prosecuting snoopers and force hospitals to declare all breaches of patient records to the privacy watchdog.
After a series of Star investigations highlighted serious shortfalls in the Personal Health Information Protection Act (PHIPA), Health Minister Dr. Eric Hoskins announced a string of proposed legislative changes on Wednesday.
Ontario’s privacy act has seen zero successful prosecutions since it came into force more than a decade ago and the government has vowed to roll out multiple legislation amendments to rectify this.
Under the proposed changes, the prosecution process would be streamlined, the six-month deadline to lay charges would be wiped out and the potential fine for snoopers would be doubled from $50,000 to $100,000.
Hospitals would also be forced to report all breaches to regulatory colleges and the provincial privacy commissioner — a move almost all other jurisdictions have already made.
Ontario’s privacy act has seen zero successful prosecutions since it came into force more than a decade ago.
Speaking at a press conference at Queen’s Park Wednesday morning, Hoskins said the changes would boost accountability across the whole health sector.
Hoskins said he became convinced the law needed to change after recent high profile breaches, such as the violation of former mayor Rob Ford’s records and the anti-abortion activist who allegedly snooped into 414 abortion files.
“Over the course of the past year, there have been a number of high profile breaches that have occurred in hospital environments of Ontarians. All of them completely unacceptable,” he said.
The ministry held multiple indepth discussions with Information and Privacy Commissioner Brian Beamish and Hoskins said he was “proud to be acting on” every single one of the commissioner’s recommendations to strengthen PHIPA.
“These are the steps we intend to take to keep Ontario at the forefront of protecting patient privacy. It’s what Ontarians expect, and quite frankly, it’s what Ontarians deserve,” Hoskins said.
The Star has revealed major flaws in the health privacy legislation since January; when an investigation uncovered thousands of health-related breaches go unreported to the privacy commissioner every year.
Additional stories outlined how Ontario, which used to lead Canada in health privacy laws, was now lagging behind other jurisdictions that had enforced mandatory reporting due to a significant increase in snooping cases.
On Wednesday, Hoskins kick-started his announcement of the proposed changes to PHIPA by saying: “First and foremost, we intend to move forward with mandatory reporting of all privacy breaches to the information and privacy commissioner.”
He went on to add that the government was eager to remove a “serious barrier to prosecuting breaches of patient privacy.”
Under current law, a prosecution can only be commenced by the attorney general within a six month window from the date the breach occurred — a strict regulation that was labelled as a “double-whammy” at a recent International Association of Privacy Professionals conference in Toronto.
Hoskins vowed to eliminate that barrier.
“Currently there is a deadline of six months from when a breach occurs to commence a prosecution and that has made it, as we have seen, extremely difficult to conduct an investigation, and has made prosecutions very rare,” he said.
However, he said this proposed amendment would not retroactively apply to the two snooping cases the privacy commissioner referred to the Ministry of the Attorney General for prosecution earlier this year, which means less than a month remains for charges to be laid over the violation of Ford’s records at the University Health Network.
The entire prosecution process under PHIPA, which has been criticized as unwieldy by experts in the Star, is also set to change.
The new amendments seek to allow charges to be laid with just the consent of the attorney general — rather than requiring the attorney general to commence the prosecution herself, Hoskins said.
This means anyone, including police or the privacy commissioner, could request consent from the attorney general and then commence the proceedings themselves.
Beamish told the Star Wednesday afternoon that he was “pleased” with the government’s decision to significantly improve the privacy act.
“I feel like it’s a really good step. It improves the law and it’s good for the people of the province,” Beamish said.
As the health sector shifts toward electronic records, Beamish said this development would no doubt benefit the delivery of health care, but it also goes hand in hand with heightened risks to patient privacy.
On Wednesday, Hoskins also re-introduced the Electronic Personal Health Information Protection Act (EPHIPA), which the government tried to pass last summer.
If enacted, this legislation will further safeguard patient medical records by creating security requirements for health custodians to handle and disclose personal health information, he said.
Progressive Conservative justice critic Sylvia Jones said in a statement Wednesday that the proposed changes were better late than never.
“The government is finally taking steps to better protect the privacy of the people of Ontario, though it comes only after months of headlines exposing breaches of patient information,” Jones said.