Recent Breaches Spur Renewed Focus on Strengthening Ontario’s Health Privacy Laws
According to a recent news report, Ontario Health Minister Eric Hoskins is looking into re-introducing the Electronic Personal Health Information Protection Act (EPHIPA) and strengthening Ontario’s Personal Health Information Protection Act (PHIPA) following recent health-related privacy breaches.
Although PHIPA was introduced over ten years ago, only one person has ever been charged under the legislation: a nurse who allegedly improperly accessed 5,804 individual patient health records over a seven-year period and was charged with wilfully collecting and using personal health information without authority. The case was stayed at the end of January of this year for unreasonable delay. Focus has now shifted to the alleged violation of former Toronto mayor Rob Ford’s medical records. Late last month, the Office of the Information and Privacy Commissioner of Ontario referred two individuals to the Ontario Ministry of the Attorney General for prosecution for inappropriately accessing these files.
These recent privacy breaches have led to renewed calls for reforms to Ontario’s privacy legislation. Health Minister Hoskins has announced that the government will be re-introducing EPHIPA and strengthening PHIPA.
New Legislation To Address Electronic Information
EPHIPA previously reached second reading but died on the order paper when the legislature was dissolved for the 2014 provincial election. The previous bill proposed to amend three existing statutes, including PHIPA, to establish rules for health care providers accessing shared electronic health records (EHRs). The intent of EPHIPA was to enable information sharing and coordination among health care providers within a patient’s circle of care, while protecting the privacy and security of personal health information in the EHR. EPHIPA imposed specific obligations on “prescribed organizations” that create or maintain EHRs, including requiring them:
- to take reasonable steps to limit the personal health information they receive;
- to ensure that employees and third parties comply with privacy obligations;
- to make available to the public and to health information custodians (HICs) a description of the EHR and the safeguards that protect it, as well as any applicable directives, guidelines and policies;
- to maintain an electronic record of all instances in which the personal health information in the EHR is viewed, handled or otherwise dealt with;
- to audit and monitor the EHR, to perform assessments of the risks to the security of personal health information in the EHR, and to make those assessments available to the HICs and the public; and
- to notify the HIC that provided the personal health information for the EHR, and the Information and Privacy Commissioner, in the event of a breach.
Similar to the “lock-box” provisions under PHIPA today, EPHIPA also allowed an individual to give a prescribed organization a consent directive that withholds or withdraws the individual’s consent to the collection, use and disclosure of his or her personal health information (PHI) contained in the EHR; the directive could be overridden only in defined circumstances. A prescribed organization would be required to audit, log and monitor access to PHI that is the subject of a consent directive and to notify the affected HICs whenever a consent directive is overridden. The HIC so notified would in turn be required to notify the individual who provided the consent directive and the Information and Privacy Commissioner.
Finally, EPHIPA proposed to double the fines for offences under PHIPA. For an individual, the maximum fine would have increased from $50,000 to $100,000, and for a corporation, the maximum fine would have increased from $250,000 to $500,000. EPHIPA would also have amended PHIPA so that there would be no limitation period for prosecution under PHIPA, i.e. section 76 of the Provincial Offences Act would not apply to a prosecution under PHIPA.
What the Proposed Amendments Mean for Organizations
We do not yet have an indication from the government of when, and in what form, EPHIPA will be re-introduced. Nor is it clear from the previous bill which organizations would be “prescribed organizations”, because they were to be set out in separate regulations. What is clear, however, is that organizations designated as “prescribed organizations” will need to put in place procedures to address any new obligations created under EPHIPA. For the moment, organizations should continue to monitor developments as EPHIPA is reintroduced and consider the implications that EPHIPA will have on a prescribed organization’s privacy policies and practices with respect to personal health information.