The Information and Privacy Commissioner of Ontario (“IPC”) has recently issued its second administrative monetary penalty (“AMP”) since the expansion of its enforcement powers for violations of Ontario’s health privacy legislation, Personal Health Information Protection Act, 2004 (“PHIPA”), in PHIPA Decision 334.[1]
As in the case of the first AMP issued by the IPC in PHIPA Decision 298, the IPC’s latest penalty has been issued against an individual who worked at a hospital and was caught snooping in numerous patient records without authorization.
Background
The matter arose from events at the Children’s Hospital of Eastern Ontario (“CHEO”), where a nurse employed by the hospital appeared to know details about care provided to her stepchild, despite not being the child’s legal guardian. CHEO conducted an investigation into recent accesses to the child’s personal health information stored in the hospital’s electronic medical record system (“EMR”) and determined that a patient services clerk who worked with the nurse had accessed the child’s personal health information without authorization.
Following this determination, CHEO conducted additional audits of the clerk’s activity in the hospital EMR. Through this investigation, CHEO concluded that the clerk’s unauthorized activity in the EMR was much broader than the initial incident and that the clerk had been snooping in a significant number of patient records.
CHEO ultimately determined, and informed the IPC, that between March 1, 2024, and September 23, 2024, the clerk abused the permissions granted to her and accessed the personal health information of 436 patients without authorization, including her own records, those of her family members and other adult and pediatric patient records.
Given the seriousness of the allegations, the IPC commenced a formal review of the incident to consider CHEO’s privacy practices at the time of the incident as well as the clerk’s conduct and to determine whether the imposition of an AMP was warranted in the circumstances.
The IPC’s Findings Against the Hospital
The IPC first considered whether CHEO, as the health information custodian responsible for the protection of patient personal health information, met its obligations under PHIPA. The IPC specifically considered whether CHEO met its obligations to:
- safeguard personal health information (s.12(1));
- ensure that individuals acting on behalf of the hospital (agents) only collect, use, disclose and otherwise process personal health information in accordance with their statutory obligations (s. 17(3));
- ensure that personal health information is not collected without authority (s. 11.1); and
- maintain and comply with information practices that comply with the requirements of PHIPA (s. 10).
The IPC emphasized that in order to meet PHIPA’s requirements to maintain and comply with information practices, custodians must be able to demonstrate, with evidence, that they have in fact complied with them.[2]
In respect of CHEO’s response to the incident, the IPC found that CHEO responded in a timely, methodical and responsible manner, and took immediate steps to contain the breach, determine its scope, notify affected individuals, report the breach, investigate the cause of the breach and undertake remedial measures to mitigate the chances of such a breach recurring.[3]
Although the IPC did not endorse any specific practice implemented by CHEO, the IPC also determined that CHEO’s privacy practices were generally reasonable in the circumstances, and compliant with the hospital’s obligations under PHIPA, which included:
- informing personnel that they can only access patient records to perform their job duties;
- requiring personnel to sign a confidentiality agreement upon hire and renew it annually;
- providing privacy training at the time of onboarding and on an ongoing basis thereafter;
- displaying a reminder when personnel access the EMR that they may only access records as needed to fulfil workplace duties;
- implementing alerts/flags on patient records that are at higher risk of inappropriate access;
- maintaining role-based access controls based on a personnel’s job description;
- limiting search functionality in the EMR to minimize unnecessary exposure to personal health information;
- conducting proactive and reactive monitoring and auditing to detect and deter unauthorized activity; and
- maintaining written privacy policies and procedures, including a Personal Health Information Protection Policy, Access Control to Information Systems Policy, Acceptable Use of Information Systems Policy, Privacy Auditing in Epic Policy and Privacy Breach Protocol.
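The proactive auditing, high-risk record flags and role-based access checks in the list above can be expressed as audit rules run over EMR access logs. The following is an added illustration, not CHEO’s tooling or anything from the decision; the log fields, the related-chart and flagged-chart reference data and the volume threshold are all assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed sample EMR access records (not real data). Each entry is one
# chart access: who opened it, whose chart, the staff member's unit and the
# unit actually treating the patient (a stand-in for a care relationship).
ACCESS_LOG = [
    {"user": "clerk01", "patient": "P100", "user_unit": "ED", "patient_unit": "ED"},
    {"user": "clerk01", "patient": "P101", "user_unit": "ED", "patient_unit": "ED"},
    {"user": "clerk01", "patient": "P200", "user_unit": "ED", "patient_unit": "ONC"},
    {"user": "clerk01", "patient": "P300", "user_unit": "ED", "patient_unit": "ED"},  # constructed: own chart
    {"user": "clerk01", "patient": "P301", "user_unit": "ED", "patient_unit": "NICU"},  # constructed: family chart, flagged
    {"user": "nurse02", "patient": "P100", "user_unit": "ED", "patient_unit": "ED"},
]

# Assumed reference data a custodian would maintain: each staff member's own
# and declared-family chart IDs, and charts carrying a higher-risk flag.
RELATED_CHARTS = {"clerk01": {"P300", "P301"}}
FLAGGED_CHARTS = {"P301"}


def audit_access(log, related=RELATED_CHARTS, flagged=FLAGGED_CHARTS, volume_limit=3):
    """Apply proactive audit rules; return {user: sorted list of (rule, detail)}.

    Rules mirror the practices listed in the decision: self/family access,
    access to flagged records, access without a care relationship, and an
    unusually high number of distinct charts opened by one user.
    """
    findings = defaultdict(set)
    distinct_patients = defaultdict(set)
    for rec in log:
        user, patient = rec["user"], rec["patient"]
        distinct_patients[user].add(patient)
        if patient in related.get(user, set()):
            findings[user].add(("self_or_family", patient))
        if patient in flagged:
            findings[user].add(("flagged_record", patient))
        if rec["patient_unit"] != rec["user_unit"]:
            findings[user].add(("no_care_relationship", patient))
    for user, patients in distinct_patients.items():
        if len(patients) > volume_limit:
            findings[user].add(("volume", f"{len(patients)} distinct charts"))
    return {user: sorted(hits) for user, hits in findings.items()}


if __name__ == "__main__":
    for user, hits in audit_access(ACCESS_LOG).items():
        for rule, detail in hits:
            print(f"{user}: {rule} -> {detail}")
```

Each finding is a prompt for a privacy officer to review against the user’s assigned duties, not a determination of wrongdoing on its own.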
However, the IPC found that CHEO could not demonstrate that the clerk renewed her confidentiality commitments on an annual basis and completed privacy training every year while employed by the hospital, and recommended that CHEO implement measures to (a) ensure that personnel renew their commitments and complete training annually and (b) track completion of such processes.[4]
The IPC’s Findings Against the Clerk
The IPC also considered whether the clerk met her privacy obligations as an agent of CHEO. Based on the evidence, the IPC determined that the clerk was made well aware of her privacy and confidentiality obligations when carrying out her duties and found that the privacy breaches at issue were the result of the clerk “disregarding the instructions that CHEO provided to her as its agent, rather than an inadequacy of CHEO’s information practices, training materials, or supervision […]”.[5]
The IPC found that it was clear that the clerk received training, signed a confidentiality agreement, and was warned of the potential consequences of a privacy breach, but these measures were insufficient to encourage compliance with PHIPA.[6]
In these circumstances, the IPC held that imposing an AMP against the clerk would be an appropriate measure that reflects the seriousness of snooping into patients’ health records and would serve to further encourage compliance with privacy obligations within the health sector.
Ultimately, the IPC decided to impose an AMP of $2,000 against the clerk, having considered that:
- the clerk’s conduct was a significant departure from PHIPA and entirely preventable;
- the clerk took no steps to mitigate the harm caused by her contraventions but rather provided information that was inconsistent with the evidence submitted;
- while there was no evidence of specific harm resulting from the clerk’s contraventions, the IPC received a complaint about the incident and the complainant stated that they found the incident to be “very upsetting”;
- a significant number of patients were impacted;
- there was no evidence to suggest that the clerk derived, or might have expected to derive, any economic benefit from her contraventions; and
- the clerk was ultimately terminated from her position and has suffered significant financial consequences for her actions and will likely suffer further reputational damage as a result of the IPC’s public decision that identifies her.[7]
Key Takeaways
Snooping in health records remains one of the most prevalent types of health privacy breaches reported to the IPC year over year. This decision serves as a reminder to health information custodians that they are not immune from scrutiny when personnel defy their workplace instructions and that the custodian’s privacy practices, and evidence supporting that such practices exist, will be carefully assessed by the IPC when snooping incidents are reported. Further, given that both instances where the IPC has used its AMP powers have involved personnel snooping, custodians should anticipate that similar incidents involving significant snooping by personnel will likely result in a formal investigation by the IPC that culminates with a public decision.
[1] PHIPA Decision 334, Complaint HR24-00564 (23 April 2026) (Information and Privacy Commissioner of Ontario).
[2] Ibid at paras 38-39.
[3] Ibid at para 67.
[4] Ibid at paras 52-53.
[5] Ibid at para 50.
[6] Ibid at para 83.
[7] Ibid at paras 84-87.
Any article or other information or content expressed or made available in this Section is that of the respective author(s) and not of the OBA.