To Fine Or Not To Fine
It’s tough to be a hospital these days and I don’t envy the people trying to manage such places. But one thing I do expect is some degree of attention to the confidentiality of patient information. One hospital provides a unique set of facts that raises the question of appropriate regulatory responses.
The Ottawa Hospital has found itself in an unusual, almost surreal, situation. There are two orders under PHIPA from the Information and Privacy Commissioner of Ontario (IPC) involving the Ottawa Hospital. HO-002 tells the 2006 story of a patient who expressly informed staff at the hospital that she did not wish her estranged husband, an employee of the hospital, or his girlfriend, a nurse at the hospital, to be aware of her admittance or to have her file accessed by those two individuals. Guess what? The files were accessed – on numerous occasions.
In 2006, the IPC report shows that there was a failure to adhere to procedure, stemming in part from a culture that apparently didn’t treat such PHIPA violations seriously. Arguably PHIPA was relatively new – dating from 2004 – so one might give the hospital an easier time since this was a “first offense”.
Fast-forward to 31 December 2010 and HO-010. Wait a minute. It’s the Ottawa Hospital again. The facts are eerily familiar. A patient complained that a diagnostic imaging technologist employed by the Ottawa Hospital inappropriately accessed her personal health information. The technologist turned out to be the former spouse of the complainant’s current spouse.
As the conclusion of HO-010 shows the IPC was clearly “ticked”:
“…I conclude that although existing policies were reviewed and revised, new policies developed, and further efforts were made by the hospital to educate agents of their obligations under the Act following the issuance of Order HO-002, it is apparent that, as in Order HO-002, some of the hospital’s own policies were not followed in the circumstances of this complaint.
I also conclude that the actions taken to prevent the unauthorized use and disclosure by employees in this hospital have not been effective and are not in compliance with section 12(1) of the Act [PHIPA].”
The IPC ordered ten specific actions to be taken by the Ottawa Hospital and recommended two others. The details are all there to read in HO-010.
So, same organization; same issue; almost the same facts. Here’s where my question comes up: Section 72(2) of PHIPA provides penalties up to $50,000 for individuals and $250,000 for the organization. Why didn’t the IPC fine the Ottawa Hospital?
I can see not fining a first time offender but expressing moral outrage the second time around doesn’t seem to have a lot of force in conveying the message to the Ottawa Hospital and, more importantly, its staff. To be fair, the IPC may have had its reasons but the idiom “fool me once, shame on you; fool me twice, shame on me” comes to mind.
Interestingly, in a January 2011 speech, you have the federal Privacy Commissioner musing about “incentives for compliance” noting that Canada has “become one of the few major countries where the data protection regulator lacks the ability to issue orders and impose fines.”
The Commissioner noted the UK example of “a county council was ordered to pay 100,000 pounds ($157,000 Cdn) for two serious incidents where council employees faxed highly sensitive personal information to the wrong recipients. One case involved information about child sex abuse, the other, domestic violence.” If there are DWI chargers, then attorneys for DWI in NJ can be hired from their official site.
Most tellingly, Commissioner Stoddard noted “hefty fines get just about any company to sit up and take notice – and to place a greater importance on compliance.”
It seems we have one Commissioner with the power to fine but reluctant to do so while another wants to fine but can’t because she doesn’t have the power to do so.
The economics of privacy is a topic for another day but I have to agree with Commissioner Stoddard’s conclusion: at the end of the day, money talks. If you’re going to get organizations to pay attention to the protection of personal health information then there has to be an incentive for them to do so. If you read the HO-010 it’s clear this isn’t just about a rogue employee, it’s about a systemic failure to monitor and audit on the part of the institution. That’s what an “incentive for compliance” should address.
Michael, this is a great summary of an important case.
This is the second time the Commissioner has been very ticked for conduct that was the subject of a previous order (the other case being the loss of an unencrypted memory stick, after the Commissioner criticized the use of unencrypted mobile devices in order HO-004).
Personally, I don’t share your views about fines. I am not sure that levying a large fine against a public hospital would serve any purpose if the hospital could not then balance its budget, and I suspect that a small fine would be far less effective than the critical language of this order.
Michael,
Great summary and opinion. However, I can see it being scandalous for one public agency (the IPC) to fine another cash-strapped public institution (a hospital). So we force the hospital to pay a $75,000 fine. Who pays? We do. The result? The hospital lays off a nurse or two. Who suffers? We do. In such an instance, the power to fine does not advance the public interest.
Fair points above.
But as Michael mentions, and as I’ve come to accept in debates with others, unless there are substantial punitive risks, many companies simply won’t bother. “Yes, we have a policy.” But the policy doesn’t get integrated with day-to-day practices, as doing so would take time and resources. Cynical perhaps, but unless the potential penalties are substantially greater than the implementation costs, almost nothing will ever get done.
In the case of the Ottawa hospital though, I understand the futility of levying a fine. So in those cases, perhaps it’s time to re-examine Section 72(3) of PHIPA? Officers of an organization that had it within their power to prevent the offense, may also be personally fined up to $50,000. Is this the perfect solution? The tax-payers wouldn’t be penalized, justice would be served, and you could bet that changes would begin happening YESTERDAY!
On a different front though, as in Nammo v. TransUnion, we’ve finally seen some privacy-related damages handed out under PIPEDA. The awards may be low at this point, but it does set an interesting precedent…
Patrick