Hundreds of hospital privacy violations go unreported

Privacy Commissioner Brian Beamish calls for changes in law to require hospitals to reveal breaches to his office.

Vince Talotta / Toronto Star Order this photo

 

Brian Beamish, Ontario's acting privacy commissioner, is calling for changes in legislation to make it harder for hospitals to handle privacy breaches internally without reporting them to the privacy office. 

By: Olivia Carville Staff Reporter, Published on Tue Jan 13 2015

 

Five staff members snooped into the medical records of 22 patients at the Centre for Addiction and Mental Health last year.

A clinician from St. Michael’s Hospital posted an inappropriate comment on Facebook about a patient’s behaviour during a healthcare procedure.

While standing in line for pizza, a Toronto East General Hospital doctor chatted on his cellphone about the private details of a patient, unaware the patient’s relative was in the same line.

These are just three examples among what may be thousands of serious health-related privacy violations that go unreported each year to the provincial Information and Privacy Commissioner.

Nearly all of the 218 privacy breaches uncovered in documents obtained by the Star — which occurred at just eight of Toronto’s biggest health institutions — were not reported because of a legislative loophole that allows hospitals to handle such violations internally.

When the Star provided some examples of unreported cases to acting privacy commissioner Brian Beamish, he called for a legislative change to force hospitals to report serious breaches of personal health information.

“I definitely think it’s worth looking at. People are very protective of their health information, and when this type of thing happens it’s a very personal intrusion — people feel violated,” Beamish said.

Michael Crystal, a lawyer currently representing thousands of patients in five major privacy class actions against Ontario hospitals, backed the commissioner’s call for legislative change.

“This is a very, very significant problem that is common in many Ontario hospitals,” he said.

Privacy breaches can range from loose lips in the coffee line to more odious examples, where hospital employees maliciously access sensitive medical information relating to abortions, suicide attempts or queries into sexual re-assignment surgery, Crystal said.

Some of Crystal’s clients have been “devastated” to learn that their records were inappropriately accessed, he said.

One patient was in hiding from her abusive husband and believed he had bribed a hospital employee to access her personal information and learn which shelter she was staying in. Some of Crystal’s clients have even been reluctant to return to the hospital for much-needed care after being told that staff members had looked at their records without authorization.

Crystal said it should be “mandatory for hospitals to report all privacy leaks,” especially as the aging population grows more dependent upon healthcare providers.

Under the Personal Health Information Protection Act (PHIPA) hospitals may handle privacy violations internally, including disciplining and sometimes sacking staff members, without alerting the commission.

The three serious privacy breaches listed above all resulted in disciplinary action. Four of the snooping staff members from CAMH were suspended without pay, the documents show. A fifth received a disciplinary letter.

If hospitals were obligated under law to report privacy violations, the commission would be able to identify trends, investigate specific areas of concern and help hospitals prevent future incidents, Beamish said.

There are 155 hospitals in Ontario, and every year the commission receives roughly 400 notifications of health-related privacy breaches.

The Star’s request under the Freedom of Information Act unveiled 218 violations in just eight Toronto institutions, so “the math tells you [the number of unreported violations] is going to be in the thousands,” Beamish said.

Last year, the Star unveiled two major hospital privacy breach cases involving thousands of patients. In one case, hospitals inappropriately provided patient information to baby photographers. In another, hospitals were handing out patient contact information to RESP marketers. The commission was notified of both of these privacy breaches, probably because they affected thousands of patients and because the hospitals were seeking guidance as to how to respond, Beamish said.

A St. Michael’s Hospital spokesperson said in the Facebook incident, the commission wasn’t notified because “we consult with the privacy commissioner’s office as guidance is required … or to ensure we are in continuing compliance with the law.” The hospital didn’t feel it needed such advice in this case.

In the documents obtained by the Star, Sunnybrook Health Sciences Centre reported 27 privacy breaches where patient information was either stolen, lost, provided to the wrong people or disclosed without consent — and it notified the commission of none.

In one case, an employee disclosed a patient’s prognosis to the person’s estranged children, without consent, and in another the parents of an infant arrived at the neonatal intensive care unit carrying a different baby’s medical report.

Toronto East General Hospital reported 16 privacy violations whereby personal health information was inappropriately accessed or shared without consent. It notified the commission on only two occasions.

The hospital’s unreported incidents included the clinician who discussed a patient’s treatment options while waiting for pizza, an employee who asked a colleague to access the records of a friend, and a staff member who called the wrong family to tell them to come to the hospital to say goodbye to a “declining patient.”

A Star review found the majority of the 218 hospital privacy breaches were the result of genuine human error, but one in five cases were intentional and resulted in serious disciplinary action, the documents show.

Beamish said such violations, where clinicians “knew they shouldn’t be doing what they were doing and they still went ahead and did it anyway,” were the worst.

He was aware of one “love triangle” case where a nurse accessed the medical records of her ex-boyfriend’s new partner, and others where health professionals accessed colleagues’ and neighbours’ records out of curiosity.

Two similar, high-profile examples are that of former mayor Rob Ford, whose medical records were improperly read by hospital staff after his shocking cancer diagnosis, and the dozen staff members at Brampton Civic Hospital who were caught prying into the medical file of a 20-year-old man who committed suicide under hospital care.

Beamish fears that if such breaches aren’t contained, the public might lose confidence in the health sector’s ability to protect confidential information in the future.

This could lead to patients withholding information from doctors and hinder public acceptance of a shift toward electronic health records.

Online health records could be very beneficial to patients, but “people need to have confidence in the system,” he said.

Medical records are “incredibly personal” and hospitals should give as much prominence to protecting privacy as they do to hygiene campaigns, Beamish said.

“You can see a lot of signs and posters about making sure you wash your hands in hospitals, but they should take that same approach for privacy,” he said.

The University Health Network (UHN), which is responsible for four major hospitals in Toronto, reported 132 privacy incidents in 2014.

These included giving patients wristbands with the wrong identification, a staff member leaving a “detailed” message for a patient on the wrong voicemail, and the posting of two images to UHN’s public Facebook album containing patient names and medical record numbers.

Other examples:

UHN called a funeral home to ask them to search the morgue for a deceased patient’s misplaced medical chart

A clinical trial investigator unintentionally hit “reply all” on a confidential email, sending it to non-hospital staff

A staff member disclosed the date and time of a hospital appointment to the patient’s employer.

Health-related privacy violations are governed under PHIPA, legislation that allows for fining individuals up to $50,000 and institutions up to $250,000 if found guilty.

Only one prosecution has been logged so far under the act, which was introduced in 2004, and last year Beamish told the Star he wanted serious breaches to result in more prosecutions to deter nosy health professionals.

Since then, the commission has met with the Ministry of Health and Long Term Care to discuss the issue and work out who is responsible for “getting the prosecutions going,” Beamish said.

He hopes to have a prosecution plan in place within the next few months.

Minister of Health and Long Term Care Dr. Eric Hoskins said last year’s election stalled the government’s attempt to pass the Electronic Personal Health Information Act, legislation that would further safeguard patient information.

“We promised during that election to reintroduce the bill, and we’ll be doing just that,” he told the Star via email.

The new legislation would provide considerable opportunities to strengthen privacy protection over health records.

“Even one privacy breach is too many, and we will continue to work across the health sector to ensure that the personal health information of Ontarians is protected,” Hoskins said.

Olivia Carville can be reached at ocarville@thestar.ca 


Source: http://www.thestar.com/life/health_wellness/2015/01/13/hundreds_of_hospital_privacy_violations_go_unreported.html#