Introduction
For the first time, the Information and Privacy Commissioner of Ontario ("IPC") has imposed administrative monetary penalties under the Personal Health Information Protection Act, 2004 ("PHIPA") following a privacy breach involving unauthorized access to hospital electronic records.
Background & Facts
In 2024, a breach report was submitted to the IPC on behalf of three Ontario hospitals concerning a physician with privileges at one of the hospitals who had used an electronic health record system shared by the hospitals to search for newborn male patients and their parents' contact information. The physician then contacted several of those families to offer circumcision services through a private clinic that he partly owned.
An internal investigation confirmed that the physician conducted 146 targeted searches in the hospitals' shared electronic health record system, accessing the personal health information ("PHI") of up to 831 patients, including names, dates of birth, contact details, and health card numbers.
Preliminary Findings
The IPC determined that PHIPA applied, and that the hospital where the physician had privileges and the physician's private clinic were health information custodians under PHIPA, with the physician acting as the agent of both at the time of the breach.
Issues
The IPC considered whether:
- the hospital and the physician's private clinic took appropriate steps to protect patient information, had proper information practices in place and followed them, and had responded adequately to the breach; and
- monetary penalties, or any other order, should be imposed on the physician and his private clinic.
Findings
Whether Appropriate Steps Were Taken to Protect Patient Information Against Unauthorized Collection, Use, and Disclosure
The IPC considered whether the hospital and the physician's private clinic had satisfied their respective obligations under s. 17, s. 12, and s. 11.1 of PHIPA, all of which relate to the prevention of unauthorized collection, use, or disclosure by a custodian or its agents.
The IPC concluded that the hospital had reasonable privacy safeguards in place at the time of the breach. The hospital maintained privacy policies and procedures, which were generally acknowledged in by-laws that all appointed physicians had to annually confirm having read, required annual confidentiality agreements and privacy training for staff, and conducted regular audits of access to PHI.
In contrast, the IPC found that the physician's private clinic had no privacy management program, policies, or procedures in place when the breach occurred, and, as a result, the clinic failed to take reasonable steps to protect patient information and had breached its obligations under PHIPA.
Whether Proper Information Practices Were in Place and Followed
Next, the IPC considered whether the hospital and the physician's private clinic had complied with s. 10. Section 10 of PHIPA requires custodians to have in place information practices that comply with the requirements under PHIPA. To satisfy this provision, a custodian must not only have information practices describing when, how and the purposes for which the custodian routinely collects, uses, modifies, discloses, retains or disposes of PHI, as well as the safeguards with respect to that information (s. 10(1)); it must also comply with its own practices (s. 10(2)).
Here, the IPC made it clear that having policies and practices in place is not enough to satisfy s. 10; custodians must also be able to show how those policies and practices are complied with. In assessing the "show" requirement, the IPC endorsed the concept of "demonstrable accountability," which it described as follows:
Demonstrable accountability refers to a repeatable and demonstrable system of data governance whereby organizations can show regulators more concretely, backed by evidence, how they meet their legal requirements in practice. This notion of demonstrable accountability is intended for organizations to close the trust gap with regulators and with individuals. The concept of demonstrable accountability has evolved in recent years to extend beyond merely checklist compliance, to being able to show that the accountability mechanisms in place are actually working as intended to provide reasonable protection.
This clearly establishes that the evidentiary burden for compliance with s. 10(2) is not a light one, and that mere statements confirming that policies are followed are likely inadequate. Instead, custodians must actively track compliance and keep records that support those efforts.
The IPC found that while the hospital generally complied with its information practices, it had difficulty providing clear evidence of this compliance. The hospital was encouraged to improve its record-keeping and make privacy obligations more explicit in its policies and by-laws. Specifically, the IPC recommended that the hospital clearly date all policies and procedures, maintain detailed records of staff privacy training, properly document annual renewal of confidentiality agreements, and update its by-laws to explicitly reference privacy and confidentiality obligations.
Whether the Response to the Breach Was Adequate
The IPC found that the hospital responded appropriately to the breach, but that the clinic did not. The IPC found that the clinic was unprepared to handle a breach of this kind, mainly because it lacked a privacy breach response protocol. The IPC recommended that the clinic strengthen its privacy policies and procedures, and that its management and staff receive additional privacy training.
Whether Monetary Penalties or Other Orders Should Be Imposed
Since January 2024, PHIPA has provided for the possible imposition of administrative monetary penalties of up to $50,000 for individuals and $500,000 for organizations.
In this case, the IPC imposed administrative monetary penalties of $5,000 for the physician and $7,500 for the physician's clinic for contraventions of PHIPA. One of the key factors the IPC took into account when determining whether to impose administrative monetary penalties was its finding that the physician's actions amounted to personal financial gain. The physician and private clinic were also ordered to securely dispose of records containing PHI obtained from the shared electronic health records system and used to offer circumcision services.
With respect to the clinic, the IPC found that its disregard for patients' privacy rights and its obligations under PHIPA also made this an appropriate case for an administrative monetary penalty. The IPC noted that the clinic opened as a pediatric clinic and began accepting new patients without any privacy management program in place, which violated PHIPA and failed to meet the basic professional duty to protect patient privacy and confidentiality.
To our knowledge, this is the first time a privacy commissioner in Canada has imposed an administrative monetary penalty.
Key Takeaways
This decision reinforces the importance of putting in place strong privacy policies and safeguards, actively enforcing them, and keeping records that evidence that enforcement. Custodians should consider not only whether the policies and practices they have put in place are adequate, but also whether they can show that those policies and practices are being followed.
In order to demonstrate compliance, the IPC has provided the following practical recommendations:
- Ensure all policies and procedures have clearly documented dates to show compliance at any given time.
- Conduct annual privacy training.
- Keep detailed records of each staff member's annual privacy training, including required courses, enrollment, completion, and dates.
- Ensure that staff renew their confidentiality commitments on an annual basis.
- Update any related by-laws to explicitly reference privacy and confidentiality obligations.
Given that the facts underlying this decision, while very serious, are less egregious than other documented instances of unauthorized collection, use, and disclosure of PHI, custodians and their agents subject to PHIPA should prepare for the imposition of administrative monetary penalties to become more common. This case was adjudicated by the Commissioner herself, Patricia Kosseim, signalling that the use of administrative monetary penalties for enforcement and deterrence may become a more standard practice at the IPC.
Moreover, the quantum of the fines imposed is important to consider. The circumcision services offered were valued at $350 each, with $35 going to the clinic, and only two contacted patients actually received the services. So while the amount of the administrative monetary penalties imposed may appear low, the monetary gain for the physician and the clinic is far outweighed by the amounts of the penalties. The amounts imposed are clearly meant to encourage future compliance by the parties and to deter others from collecting, using, and disclosing patient PHI without authorization and for economic gain. Larger custodians, for example hospitals and care facilities, can expect that any administrative monetary penalties imposed against them for these same purposes will need to be of significantly greater value to have the same effect.
Footnotes
2. PHIPA DECISION 298 at para 61