Number of Breaches Unknown
“The total number of intentional health-related privacy breaches in Ontario is unknown because of legislation allowing hospitals to handle such violations internally and report them at their own discretion. The commission is notified of about 400 health-related privacy breaches every year and a Star investigation of eight Toronto health institutions unveiled 218 privacy violations last year, the majority of which went unreported to the commission”. (c) So, the majority of privacy “breaches” you won’t hear about because they are being unreported (covered up), or, as in BC, legalized; and I believe it is the same in all provinces.
Mandatory Reporting of Breaches (or Not)
“Michael Crystal, a lawyer currently representing thousands of patients” said it should be ‘mandatory for hospitals to report all privacy leaks.” (a) “69.5 percent of Canadian respondents stated that there should be a public listing hosted by the Canadian government that lists which hospitals have had breaches of patient health records”. (c) I suggest this should include “minor” breaches that are not reported to the privacy commissioner and the so-called “major” ones that are reported to the privacy commissioner. Otherwise, we will be hearing a lot of “we didn’t think this was serious” excuses. We should be informed as to what defines minor vs major breaches.
“If hospitals were obligated under law to report privacy violations, the (privacy) commission would be able to identify trends, investigate specific areas of concern and help hospitals prevent future incidents, Beamish said” (Ontario privacy commissioner Brian Beamish). (a) This will also help reduce the number of cases that the medical/government organizations can cover-up without being caught. This must also include any breaches by people/organizations with whom our information is shared.
We, the people, need this transparency to ensure accountability.
For the status on your province on mandatory reporting see Ontario lags other provinces in updating health privacy laws, Olivia Carville, 06 Feb 2015, Toronto Star
Identify with whom our information is shared
The medical/government business in Ontario is discussing making changes so it looks like, to use a metaphor, they are trying to lock the front door (hospital violations), so people don’t notice that the backdoor is being left wide open (the researchers, suppliers, and other organizations, etc. with whom our information is being shared). We need to know exactly with whom our information is being shared, under what circumstances, whether our consent has been obtained (real not manufactured), what are the conditions that these “others” must meet to protect our information and are these conditions being met.
We need on-going audits of all people/organizations that handle our information to ensure that our privacy is protected. The audits must be done by people not appointed by the medical/government system. ‘In the US, the government has taken several steps to encourage health care providers to improve the security of their information technology systems. In addition to requiring public disclosure of breaches — an incentive in the form of the proverbial “wall of shame” — the US government will be dropping in on some health care providers” to “check compliance with privacy requirements”. “Under their privacy act, health organizations are required to have conducted a risk analysis and implemented policies to protect patient privacy. The maximum annual penalty for violating the act is US$1.5 million.” (e)
Suing for Privacy Breach
“The Ontario Court of Appeal ruled earlier this year that patients can sue hospitals if their privacy was breached.” (d) This should be the law in all provinces and include any people/organizations who have our information.
“Beamish told the Star he wanted serious breaches to result in more prosecutions to deter nosy health professionals” and the other people/organizations with our information. (a) But we also need to hold accountable those who are suppose to protect our privacy – the politicians, healthcare executives… We need to know why they aren’t doing their job. And we need to be able to prosecute them.
In some provinces the health ministry may refer a serious breach to the privacy commissioner who investigates. If the privacy commissioner believes there are grounds for prosecution they refer it to the attorney general, who may refer it to the police to reinvestigate.
So much wasted time and effort because somewhere along the line the case gets dropped.
“Privacy commissioner Brian Beamish has previously told the Star that confusion over the roles of the attorney general, the Health Ministry and the privacy office have also hamstrung potential prosecutions.” (b) All these years and nothing has been done to fix the situation. No wonder there has been zero prosecutions in Ontario, where thousands of privacy violations happen every year. But, I’m sure the politicians have been far too busy going to photo-ops, or lining their pockets, to make adjustments. Or is it just “convenient” to have it this way.
“Ontario is not alone. British Columbia, New Brunswick, Saskatchewan, Prince Edward Island and Yukon have not seen any prosecutions under health privacy laws.” (b)
“Alberta has had three successful prosecutions, Manitoba has had one and Newfoundland and Labrador has had two.” (b) Considering the extent of the problem, this is a farcical record in any province.
Covering up the extent of breaches, or sharing of information, so patients will trust the medical business is not an answer. Eventually patients find out and trust is lost, possibly forever. Withholding information is just another form of lying to patients.
After all the lying, the cover-ups, the conning, “trust us” just doesn’t work any more.
(a) Hundreds of hospital privacy violations go unreported – Olivia Carville, 13 Jan 2015, The Star
(b) Ontario government under fire over inaction on health privacy law – Olivia Carville, 05 Mar 2015, Toronto Star
(c) Canada: How Privacy Considerations Drive Patient Decisions and Impact Patient Care Outcomes – December 2011, New London Consulting
(d) Fines to double for breach of Ontario patients’ medical records – Keith Leslie, 10 June 2015, CTV News
(e) Medical privacy breaches rising – Roger Collier, 06 Mar, 2012. vol. 184 no.4, Canadian Medical Association Journal (CMAJ)