[BreachExchange] Ontario health privacy breach notification bill passes third reading

Wed May 11 20:42:00 EDT 2016

http://www.canadianunderwriter.ca/insurance/ontario-health-privacy-breach-notification-bill-passes-third-reading-1004091046/

An Ontario government bill proposing to increase fines, to $500,000, for
health privacy violations recently passed third reading at Queen’s Park in
Toronto.

Bill 119 proposes some changes to Ontario’s Personal Health Information
Protection Act (PHIPA).

“These amendments would make it mandatory to report certain privacy
breaches to the Information and Privacy Commissioner and to the relevant
regulatory college of the person responsible for the breach,” Liberal MPP
Indira Naidoo-Harris, parliamentary assistant to Health Minister Eric
Hoskins, told the legislature May 4. “It would also strengthen the process
to prosecute offences under PHIPA by removing the requirement that
prosecutions must be commenced within six months of when the alleged
offence occurred. This allows more time for a proper investigation and
closes a loophole that would have allowed those who commit a security
breach to go unpunished.”

The bill passed third reading May 4.

“The amendments would double the maximum fines for offences under the
Personal Health Information Protection Act,” Naidoo-Harris said. “Penalties
would increase from $50,000 to $100,000 for individuals and from $250,000
to $500,000 for an organization.”

The bill was subject to hearings before the Standing Committee on Justice
Policy. One speaker was Brian Beamish, Ontario’s Information and Privacy
Commissioner. Beamish was asked about the proposal to double the fines.

“It’s unlikely that someone’s going to get a $100,000 fine for this kind of
action, but it sends a signal,” Beamish told the committee March 3. “It
says, ‘This is serious activity. You shouldn’t be engaged in it, and if you
are, there will be consequences.'”

Beamish was also asked about the six-month limitation period.

“The likely scenario is not that someone’s going to be found having snooped
eight years ago; our experience is that someone is found to have done it
now, and when an audit is done of their access to the system, there can be
a trail going back years that they have been engaged in this kind of
activity,” Beamish said. “The six-month limitation period means that
anything beyond six months cannot be used for prosecution purposes. In my
view, that trail of activity should be something that is brought to the
attention of a judge to indicate a pattern of behaviour. So I think that’s
an important piece of this.”

Related: Debate continues on Ontario health privacy breach law

Chantal Leonard, chief executive officer of the Canadian Nurses Protective
Society, was one speaker with concerns about the bill.

“There can be many reasons to access personal health information that are
legitimate, other than the direct provision of care,” Leonard told the
justice policy committee March 3. “Nurses who work in the emergency room,
for example, may be called upon to make inquiries with respect to patients
who are in different areas of the hospital, not only in the emergency room.
But the emergency room tends to be a hub, and so sometimes a physician may
call and ask a nurse to look at the record of a patient to see if a lab
result has come in so that they can prescribe the right medication. That
would be an example of a circumstance where a nurse could be called upon.”

During debates on Bill 119 in late 2015, France Gélinas, health critic for
the New Democratic Party, cited several examples of health privacy breaches
in Ontario.

“In 2013, a secure USB data key was lost at Montfort Hospital containing
information on 25,000 people,” Gelinas said at the time. “The personal
information of 25,000 Ontarians was lost because a USB key was lost.”

She was referring to Hôpital Montfort, an Ottawa hospital at which an
employee had lost a USB memory stick containing unencrypted records of
25,692 patients.

Gelinas also referred to Rob Ford, former mayor of Toronto, who was treated
for cancer.

“While he was undergoing chemotherapy for his cancer, hundreds of people
accessed his records,” Gelinas said in November of Ford, who died March 22,
2016. “Those people had no right to access his records, but yet, not a
single one of them has been prosecuted or held to account because our laws
are too weak. Bill 119 would hopefully allow us to do that.”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160511/5273c741/attachment.html>