To Fine Or Not To Fine
It’s tough to be a hospital these days and I don’t envy the people trying to manage such places. But one thing I do expect is some degree of attention to the confidentiality of patient information. One hospital provides a unique set of facts that raises the question of appropriate regulatory responses.
The Ottawa Hospital has found itself in an unusual, almost surreal, situation. There are two orders under PHIPA from the Information and Privacy Commissioner of Ontario (IPC) involving the Ottawa Hospital. HO-002 tells the 2006 story of a patient who expressly informed staff at the hospital that she did not wish her estranged husband, an employee of the hospital, or his girlfriend, a nurse at the hospital, to be aware of her admittance or to have her file accessed by those two individuals. Guess what? The files were accessed – on numerous occasions.
The 2006 IPC report shows a failure to adhere to procedure, stemming in part from a culture that apparently didn’t treat such PHIPA violations seriously. Arguably, PHIPA was relatively new – dating from 2004 – so one might give the hospital an easier time since this was a “first offense”.
Fast-forward to 31 December 2010 and HO-010. Wait a minute. It’s the Ottawa Hospital again. The facts are eerily familiar. A patient complained that a diagnostic imaging technologist employed by the Ottawa Hospital inappropriately accessed her personal health information. The technologist turned out to be the former spouse of the complainant’s current spouse.
“…I conclude that although existing policies were reviewed and revised, new policies developed, and further efforts were made by the hospital to educate agents of their obligations under the Act following the issuance of Order HO-002, it is apparent that, as in Order HO-002, some of the hospital’s own policies were not followed in the circumstances of this complaint.
I also conclude that the actions taken to prevent the unauthorized use and disclosure by employees in this hospital have not been effective and are not in compliance with section 12(1) of the Act [PHIPA].”
The IPC ordered ten specific actions to be taken by the Ottawa Hospital and recommended two others. The details are all there to read in HO-010.
So, same organization; same issue; almost the same facts. Here’s where my question comes up: Section 72(2) of PHIPA provides penalties up to $50,000 for individuals and $250,000 for the organization. Why didn’t the IPC fine the Ottawa Hospital?
I can see not fining a first-time offender, but expressing moral outrage the second time around doesn’t seem to have a lot of force in conveying the message to the Ottawa Hospital and, more importantly, its staff. To be fair, the IPC may have had its reasons, but the idiom “fool me once, shame on you; fool me twice, shame on me” comes to mind.
Interestingly, in a January 2011 speech the federal Privacy Commissioner mused about “incentives for compliance”, noting that Canada has “become one of the few major countries where the data protection regulator lacks the ability to issue orders and impose fines.”
The Commissioner noted the UK example in which “a county council was ordered to pay 100,000 pounds ($157,000 Cdn) for two serious incidents where council employees faxed highly sensitive personal information to the wrong recipients. One case involved information about child sex abuse, the other, domestic violence.”
Most tellingly, Commissioner Stoddart noted that “hefty fines get just about any company to sit up and take notice – and to place a greater importance on compliance.”
It seems we have one Commissioner with the power to fine but reluctant to use it, while another wants to fine but can’t because she doesn’t have the power to do so.
The economics of privacy is a topic for another day, but I have to agree with Commissioner Stoddart’s conclusion: at the end of the day, money talks. If you’re going to get organizations to pay attention to the protection of personal health information, then there has to be an incentive for them to do so. If you read HO-010, it’s clear this isn’t just about a rogue employee; it’s about a systemic failure to monitor and audit on the part of the institution. That’s what an “incentive for compliance” should address.