Ontario tables new patient privacy law

Ontario tabled amendments this morning that will strengthen the privacy of health-care information across the province through measures such as mandatory reporting of breaches, loosened rules around prosecution, and a doubling of fines for health-care workers caught snooping.

 Small private practices will be given the same consideration as hospitals and other large organizations, says Mary Jane Dykeman.Small private practices will be given the same consideration as hospitals and other large organizations, says Mary Jane Dykeman.

Bill 119, which seeks to amend the 11-year-old Personal Health Information Protection Act, comes more than a year after the Rouge Valley scandal in which Toronto hospital workers were caught selling information about new parents to brokers of registered education savings plans.

“The Rouge Valley case was a tipping point,” says Mary Jane Dykeman, a lawyer at Toronto-based DDO Health Law. “It received a lot of media attention and it changed the issue in a somewhat sinister way to suggest that someone might profit from the information. This was beyond snooping for the sake of curiosity, which is also not acceptable.”

As it stands, health-care organizations that compile information about patients need to report privacy breaches to the patients themselves but not to the province or regulatory authorities.

The amended act will change that. Hospitals, long-term care facilities, and even doctors running their own offices will have to report privacy breaches to their respective medical colleges as well as to the information and privacy commissioner.

What qualifies as a reportable breach remains uncertain, but the amendments suggest that specific criteria will be spelled out in the regulations. There’s also a possibility that regulations may follow the lead of the federal Personal Information Protection and Electronic Documents Act that defines reportable breaches in a more general context.

In addition, the bill lifts a six-month statute of limitations on commencement of actions against privacy violations, a narrow window that left little time for Crown prosecutors to gather proper evidence. The new law removes that impediment entirely, giving regulators and prosecutors time to assess the breach before laying charges.

Finally, the new law will double fines for privacy violations. Individuals can be fined up to $100,000 for a violation, whereas information custodians such as health-care organizations and private medical practices can be fined $500,000.

Dykeman notes that under the amendments, small private practices will be given the same consideration as hospitals and other large organizations. As a result, it’s imperative that doctors and office managers train staff to understand their obligations under the act.

“If I'm a physician in private practice, I’m the custodian. I have all the same duties as the large hospital,” she says. “So I should be sure that I train the people for whom I'm responsible and have proof that I've done that. That's where the focus has to be.”