
Privacy watchdog seeks more stringent laws in wake of health breach

On the heels of Island Health’s largest privacy breach of medical records, B.C.’s privacy commissioner is calling on the province to step up its privacy laws and impose fines of up to $50,000 for health-care workers found snooping.

“It’s a significant issue of public trust when one or more individuals access electronic health records without authorization,” B.C. privacy commissioner Elizabeth Denham said in an interview on Wednesday.

B.C.’s privacy laws are outdated when it comes to protecting electronic health records from general snooping, Denham said.

In 10 provinces and territories, the unauthorized collection or use of personal information (snooping) is an offence; Quebec and Nunavut are the other exceptions.

“The public needs to be assured that the staff will take their confidential requirements seriously and that there will be serious sanctions and penalties when they fail to do so,” Denham said.

Island Health is notifying affected patients this week after two non-clinical support staff snooped through the files of 198 family, friends and prominent people.

B.C. Health Minister Terry Lake said in a statement on Wednesday that patients should expect their privacy to be protected when they access health-care services. “I am concerned to learn of this breach and the ministry is following up with Island Health to understand why and what specific measures they are going to put in place to prevent more incidents,” Lake said.

“I am confident that in this case, Island Health is taking the appropriate steps to ensure patient privacy is protected.”

Denham applauded Island Health for its proactive auditing.

The privacy breaches — found to go back at least 16 months — were discovered by Island Health in early April as part of a routine audit that looks for suspicious patterns.

The Island Health employees’ access privileges were immediately revoked and Denham was notified. Once the breaches were confirmed, the employees were fired.

Last month, the special committee reviewing B.C.’s privacy act wrapped up, endorsing Denham’s recommendation in November to strengthen the province’s privacy laws by making snooping an offence with a corresponding penalty.

“When staff abuse their access privileges, it’s a serious matter — whether it’s just for curiosity to see what VIPs might be in care, or whether it’s intentional and malicious and for their own purposes,” Denham said.

The Finance Ministry, responsible for the Freedom of Information and Protection of Privacy Act, said all suggested proposals for recommended changes to the act are given careful consideration.

“Government continuously appraises suggestions for improvements, and appropriate amendments will be brought forward at the next possible opportunity,” said Jamie Edwardson, Finance Ministry spokesman.

Most British Columbians would be surprised to know that while it is an offence to disclose personal information in an unauthorized manner, it is not an offence to improperly access or use personal information, Denham said.

“B.C. is falling behind other jurisdictions on this issue — not only do other jurisdictions have relevant offences and penalties in place, but prosecutions have begun,” Denham said.

Ontario started prosecuting people in 2013 when a nurse at North Bay Regional Health Centre was charged with wilfully collecting, using or disclosing the health information of patients in 48 instances in a manner not authorized by Ontario’s Personal Health Information Protection Act, said the privacy commissioner.

More recently, the Toronto Star reported that three hospital workers in Ontario were prosecuted for snooping into the health information of late Toronto mayor Rob Ford.

Saskatchewan recently made it an offence for health-care workers to snoop at someone’s personal records when they don’t need the information. Saskatchewan reacted after thousands of medical records were discovered in a Regina dumpster in 2012.

Meanwhile, a Powell River nurse fired by Vancouver Coastal Health after she accessed medical files of co-workers and people she knew — including her ex-father-in-law after a suicide — was reinstated in March. An arbitrator had ruled in her favour after the B.C. Nurses’ Union filed a grievance citing precedents, the Province newspaper reported. The health authority is appealing.

Under the Freedom of Information and Protection of Privacy Act, unauthorized disclosure of personal information is an offence, but B.C.’s legislation does not impose a general penalty for unauthorized collection or use of personal information.

In some cases, individuals whose private information has been breached can seek legal action using the privacy act, the Finance Ministry noted.

ceharnett@timescolonist.com

 

Snooping is the act of intentionally viewing personal information for one’s own purpose — whether out of curiosity, concern or for personal gain — in a database that an individual otherwise has a right to legitimately access.

The subjects of snooping can be family members, colleagues, neighbours, an ex-spouse or partner, or a high-profile individual.

All health authority staff are required to review privacy policy and sign declarations that they understand the importance of maintaining patient confidentiality, says the B.C. Health Ministry. Privacy training is available to staff in every health authority.

Still, many provinces have strengthened their privacy law to make such snooping an offence, punishable by fines.

Seven of 10 provinces have an offence provision for unauthorized collection or use of personal information/snooping in their health statutes:

• Alberta

• Saskatchewan

• Manitoba

• Ontario

• New Brunswick

• Nova Scotia

• Newfoundland and Labrador

One province has an offence provision for unauthorized collection or use of personal information in their Freedom of Information and Protection of Privacy Act:

• PEI

Two provinces do not appear to have offences for unauthorized collection or use of personal information/snooping:

• B.C.

• Quebec

Two of three territories have an offence for unauthorized collection or use of personal information/snooping in their health statutes:

• Northwest Territories

• Yukon

For the victim, snooping through confidential files can lead to stigmatization, discrimination, alienation and other harms, says B.C.’s office of the privacy commissioner.

Source: Office of the Information and Privacy Commissioner