Education key in fight against medical snooping
Breaches ‘almost unavoidable’ in era of electronic records, privacy commissioner says
The latest case of medical record snooping uncovered in Ontario — in which at least six Mississauga patients had their files probed — highlights the ongoing challenge to protect patient privacy in the digital age, the province’s privacy commissioner says.
Since formally assuming the role in 2015 — in the midst of controversies over a spate of snooping incidents across the province — Ontario privacy commissioner Brian Beamish has emphasized stiffer punishments for what he calls “higher-end cases.”
That’s why five of the six snooping cases that have been referred to the attorney general for breaking the province’s health privacy legislation have occurred on Beamish’s watch.
“Snooping was a continuing, recurring problem, and we started to think: what else can we do to reinforce that this is unacceptable?” Beamish told the Star in an interview.
“People expect their health information will have a high level of protection and I think there’s a real feeling of violation when that protection is not respected.”
It’s a message that has resonance elsewhere, too.
On Monday, for instance, the College of Physicians and Surgeons of Ontario held its first disciplinary hearing for one of its members accused of snooping. Dr. Douglas Brooks, a general practice physician in Sault Ste. Marie, was found to have improperly probed the electronic medical records of two non-patients several times, college spokeswoman Kathryn Clarke said in an emailed statement.
Brooks had his college certification suspended for five months, must participate in medical ethics training, and was ordered to pay $5,000 in costs for the hearing, Clarke said.
There are three more discipline hearings scheduled in the coming months for alleged snooping by other doctors.
The College of Nurses of Ontario has also cracked down. Last month, a nurse from North Bay was reprimanded for professional misconduct after she was found to have improperly accessed the personal health records of almost 6,000 patients.
Meanwhile, politicians at Queen’s Park recently passed a bill to beef up the Personal Health Information Protection Act (PHIPA). The legislation now makes it mandatory to report privacy breaches to the privacy commissioner, doubles fines for snooping from $50,000 to $100,000 for individuals and $250,000 to $500,000 for organizations, and removes the requirement for PHIPA charges to be laid within six months of an alleged snooping incident.
While Beamish welcomed these changes, he said the next step involves “education and training” to inculcate a more robust culture of privacy at hospitals and health care practices — especially in light of the ongoing push to make more health records available electronically.
“It’s unfortunately almost unavoidable,” he said of record snooping.
Last month, a Mississauga woman filed a $3-million lawsuit alleging that her patient records were improperly accessed by her sister, who worked at a private ophthalmology practice with access to thousands of patient files from three local hospitals. The proposed class-action accuses the Trillium Health Partners, which oversees the hospitals, and an ophthalmologist of failing to properly monitor and protect patient information. None of the allegations has been proven in court and no statements of defence have been filed. Trillium has confirmed that files of six patients were improperly accessed, including those of the woman who launched the lawsuit.
Responding to a series of questions, Trillium spokeswoman Catherine Pringle said that, over the past four years, the hospital has investigated 212 alleged snooping cases, 20 of which — involving records of 34 people — were confirmed.
Only four of those, however, were reported to the privacy commissioner, the agency responsible for investigating potential PHIPA breaches, Pringle said. Trillium pledges to follow the recently approved new rules and report all breaches in the future.
Since tracking of access began in 2011, Trillium has conducted 363 privacy education sessions with doctors and staff. They give out annual privacy policy material to more than 1,200 physicians as well, Pringle said.
Elyse Sunshine, a health-care lawyer in Toronto, said the problem is that a deep sense of propriety around patient records hasn’t sufficiently trickled down from the regulators to the front-line health workers.
“It can always be improved, because we’re still seeing problems,” she said. She added that, in light of the government’s commitment to make more records electronically accessible, the challenge is to balance the desire for health-care efficiency with the need to protect privacy.
David Jenson, a spokesman for the Ontario Health Ministry, said shared electronic health records are key to the transformation of health-care delivery in the province, because they can result in more efficient and higher quality care.
In Ontario, more than 12,000 health-care providers, including more than 80 per cent of family doctors — representing more than 10 million patients — have either implemented or are in the process of setting up electronic medical records, Jensen said.
Sharleen Stewart, president of health care for the Service Employees International Union (SEIU), agreed with Beamish and Sunshine that education is the main tool to prevent future snooping. But Stewart also called for greater consistency in how hospitals and health organizations patrol their electronic patient file systems to weed out improper access.
As it stands now, there is a patchwork of patient-record auditing regimes across the province. Trillium Health Partners, for example, says it audits how files are being accessed roughly 1,000 times per year, while in 2014, the Star reported that three GTA hospitals did not proactively audit patient records to detect privacy breaches.