Privacy Circus in Ontario

One of the mandates of Information and PrivacyCommissioner Ann Cavoukian’s Office is to review the decisions and practices of health information custodians in regard to personal health information and ensure compliance with the Personal Health Information Protection Act (PHIPA).

One would think that IPC, after receiving complaints about a health provider who is negligent, would review the practices of this provider and as a government regulator do something to protect individuals. Complaints such as:

  • privacy breaches – sending another patient’s records to an individual
  • systemic failure – wrong diagnostic codes used for patients for many years without a physician’s knowledge

But that’s not the case. The IPC office did some investigation, invoked their “breach protocol process”, but at the end – dismissed the complaint! I suppose the health provider can continue mixing patients health records and sending them anywhere, put wrong diagnoses in their files.  All without fear of Commissioner Ann Cavoukian’s action.

Many people can be hurt by this kind of negligence and can suffer substantial damages.

“Privacy policies that are not reflected in actual practice through strong implementation, training, and auditing will fail to safeguard personal information against privacy risks” – Ann Cavoukian

So what is a real ‘privacy breach’ for Commissioner Cavoukian?

Greater attention is paid in a case where information akin to that contained in a telephone book is made public. Like with Elections Ontario’s “unprecedented privacy breach” when 2 USB sticks went missing. These USB sticks contained basic information, as you can find in any telephone book, with the exception of birth date.

Is there more concern that the public may discover who is on the voters list, or is it of greater concern that a patient’s private health information is compromised?

Commissioner Cavoukian and her Office should start practicing what she advocates and writes about. As she said in the “A Policy is Not Enough: It Must be Reflected in Concrete Practices”,  there should be some action taken not just empty words.