PRACTICE PARTNER
The lawsuit alleged the doctor “ enabled and facilitated ” the alleged privacy breaches because “ such behaviour occurred in his professional premises ”
$ 500,000 for organizations , and removes the requirement for PHIPA charges to be laid within six months of the alleged incident . The Information and Privacy Commission ( IPC ) has urged health information custodians – such as doctors – to educate their staff members in order to foster a more robust culture of privacy within their health-care practices . IPC notes that this is especially important in light of the ongoing push to make more health records available electronically . Technology , for example , has made it possible to access a broader range of health records – records which may not even belong to the particular physician ’ s practice . Last year , an Ontario woman filed a $ 3-million lawsuit alleging that a relative – who worked in a specialist ’ s private practice – invaded her privacy , by accessing personal health records via a hospital channel through the doctor ’ s office . The woman was never a patient of this particular specialist , but did attend a nearby hospital whose patient records were accessible to the doctor ’ s office . The hospital confirmed that its own internal investigation found six patients ’ files had been breached , and all patients had been notified .
The lawsuit was brought not only against the relative but also the hospital and the specialist for whom the relative worked . The lawsuit alleged the doctor “ enabled and facilitated ” the alleged privacy breaches because “ such behaviour occurred in his professional premises .” This case makes the point that not only do physicians need to ensure that their staff members understand and follow privacy law in respect to records when the physician is the custodian , but also in instances when the physician is not the custodian . “ Where an employee is acting as an agent of a health information custodian ( physician ), the custodian is responsible for any personal health information accessed by that agent , even if that information is in a database in the custody or control of another custodian ( e . g ., a hospital ),” stated the IPC .
Comprehensive privacy training , says the IPC , is an essential tool to reduce the risk of unauthorized access to personal health information . Custodians should ensure agents are provided with and are required to undergo initial and ongoing privacy training . Custodians are required by PHIPA to establish information practices that comply with PHIPA . As well , custodians should take steps to foster a culture of privacy and raise awareness among agents of their responsibilities under PHIPA and its regulations and the privacy policies and procedures implemented .
For more information , please access the IPC ’ s document , “ Detecting and Deterring Unauthorized Access to Personal Health Information ” at www . ipc . on . ca . MD
48
DIALOGUE ISSUE 3 , 2017