Health Privacy Update – New Risks, New Compliance Measures

This bulletin reviews two key developments in health sector privacy - Bill 119 and Hopkins v. Kay - and discusses potential new compliance requirements and associated risk mitigation measures.

Bill 119 - Proposed Amendments to PHIPA

On September 16, 2015, the Minister of Health and Long-Term Care introduced Bill 119, also known as the Health Information Protection Act, 2015. If passed, the Bill would amend the Personal Health Information Protection Act, 2004 ("PHIPA") among other legislation[1]. For organizations subject to PHIPA, these proposed amendments underscore the need to deploy effective systems, practices, policies and documentation to protect patient privacy and comply with legal requirements.

By way of background, PHIPA governs, the collection, use and disclosure of "personal health information" ("PHI") by "health information custodians" ("HICs"), prescribed entities, prescribed registries, researchers, and their agents. HICs include: hospitals, psychiatric facilities, independent health facilities, long-term care homes, pharmacies, health care practitioners (or a person who operates a group of health care practitioners), community care access corporations, laboratories, and other related persons or organizations.

The stated aim of the proposed amendments is to improve privacy, accountability and transparency in Ontario's health care system. In particular, the privacy aspects of the Bill are intended to increase protection for electronic records and implement stricter punishment for privacy breaches. If passed, the amendments would:

• require HICs to report privacy breaches to the Information and Privacy Commissioner ("IPC") and to relevant regulatory colleges;
• facilitate prosecutions under PHIPA by removing the requirement that they be commenced within six months of the alleged privacy breach;
• double the maximum fines for offences under PHIPA from $50,000 to $100,000 for an individual, and from $250,000 to $500,000 for an organization;
• re-introduce and update the electronic health record privacy framework initially proposed (but not passed due to the dissolution of the legislature) in 2013; and
• allow the Ministry of Health and Long-Term Care to disclose information about a patient's narcotics and monitored drug prescriptions to his or her health care practitioner.

As of the date of this bulletin, the Bill has passed first reading and is currently in its second reading.

We have prepared a blackline version of PHIPA to show the proposed changes in Bill 119.

PHIPA Does Not Preclude Privacy Tort Claims, Class Actions

On October 29, 2015, the Supreme Court of Canada denied leave to appeal to a hospital that had argued that a claimant cannot bring a class action proceeding for damages in tort for the unauthorized access to PHI. The Ontario Court of Appeal previously rejected the argument that PHIPA was an exhaustive regime, and that precluded these sorts of tort claims.

In Hopkins v. Kay[2], the claimant and 280 other patients of the hospital received notices that their privacy had been breached because of an unauthorized access and disclosure of PHI by certain hospital employees. The IPC investigated the matter, and took no further action against the hospital stating that the hospital had acted reasonably by informing the patients of the breach, firing the employees and deploying an educational campaign. A group of affected patients nonetheless launched a class action against the hospital for over $5 million in damages.

The hospital moved to strike the proposed class action on the basis that PHIPA was a comprehensive health privacy code that precluded tort claims.

The Ontario Court of Appeal upheld the decision of the Ontario Superior Court of Justice to dismiss the motion to strike out the claim. With the Supreme Court's denial of leave to appeal, potential certification of the class-action lawsuit over the privacy breaches at the hospital can proceed. 

As a result of this decision, HICs may face significant exposure in damages for privacy breaches, even after taking actions deemed acceptable by the IPC, such as firing employees.

Compliance Measures and Risk Mitigation

HICs and other entities subject to PHIPA should consider how they will address the above requirements under Bill 119 and the principles in Hopkins v Kay. At present, PHIPA imposes a number of administrative requirements on HICs, including that they:

• adopt information practices (e.g., privacy policies and procedures),
• deploy public-facing privacy statements and notices,
• impose privacy requirements on service providers (e.g., by contract),
• conduct regular privacy training for personnel, and
• maintain and use organizational tools to track, monitor and audit privacy compliance – including audit trails to track access, modification or disclosure of PHI[3].

If passed, Bill 119 will impose new compliance requirements on HICs, including the following:

• HICs must take steps to ensure that PHI is not collected without authority. This includes complying with the new requirements concerning electronic health records, which restrict the collection (and further accessing, use and disclosure) of PHI via electronic health records to specified purposes, as may be limited by consent directives made by individuals.
• HICs must ensure that their policies, practices, and systems are responsive to the proposed privacy breach notification requirements:
  
  
  • HICs must notify the IPC if the theft, loss or unauthorized use or disclosure of PHI meets prescribed requirements.
  • HICs must notify the applicable regulatory College (according to prescribed requirements) if a member of that College faces consequences in connection with the unauthorized collection, use, disclosure, retention or disposal of PHI – namely:
    
    
    • If his or her employment with the HIC is terminated, suspended, subject to disciplinary action or resigns; or
    • If his or her privileges or other affiliation with the HIC are revoked, suspended or restricted.
  • HICs must notify both the affected individual and the IPC if PHI is collected without authority by means of an electronic health record. This notice obligation may apply in addition to any notice obligation described above.
• HICs must take reasonable steps to ensure that their agents collect, use, disclose, retain and dispose of PHI as required by PHIPA, as necessary for their duties as agent, and according to any conditions or restrictions imposed by the HICs. This means that HICs must actively review, inspect and/or audit their agents for such compliance on a periodic basis. HICs will need to assess the extent and frequency of the monitoring activities, based on what is reasonable in the circumstances. 

Having a proper privacy framework is important to mitigating risk and reducing liability, both under the current regime and in light of the impending legislation and recent legal proceedings.

[1] Bill 119 replaces the Quality of Care Information Protection Act, 2004 with the Quality of Care Information Protection Act, 2015 (which is intended to clarify the purpose of that Act and reaffirm the right of patients to access information about their health care). The Bill also amends the Regulated Health Professions Act, 1991, the Drug Interchangeability and Dispensing Fee Act, and the Narcotics Safety and Awareness Act, 2010.

[2] Hopkins v. Kay, (2015 ONCA 112).

[3] Commissioner Beamish in HO-013 states on page 33 that the hospital in question should have implemented policies and measures to conduct random audits on all activities in its electronic information systems. Failure to conduct random audits was seen as a contravention of subsection 12(1). In this instance, the hospital was only conducting audits in response to requests and following "suspected incidents" instead of conducting random audits.