The health-care sector needs to change its attitude to patient data if providers want to avoid becoming embroiled in the developing health privacy class action field, according to the general counsel to Ontario’s privacy commissioner.
Speaking at a joint session put on by the Ontario Bar Association’s privacy and health law sections on Nov. 27, David Goodis, director of legal services and general counsel at the Office of the Information and Privacy Commissioner of Ontario, said custodians of patients’ personal information need a “zero-tolerance policy” when it comes to record snooping by employees.
“This is important for both custodians as employers and for employees to understand that this is not something where you say, ‘Oh well, it’s no big deal. You just had a look and didn’t disclose anything to anybody.’ It is a big deal and there needs to be, in my opinion, a culture change in that regard,” said Goodis at the event on hot topics related to privacy in health law.
“There has to be more of a sense of [saying]: ‘Look, this is not going to be tolerated. If you take these kinds of actions, you do this kind of snooping, there’s going to be serious consequences.’”
Timothy Banks, head of the privacy and security practice group at Dentons Canada LLP, says a cultural change in relation to patient privacy would also help combat unintentional data breaches by health authorities since a lax attitude to security often contributes to many exposures of personal information.
“These are not high-tech breaches. We’re seeing garden-variety cases of unencrypted hard drives on stolen laptops and USB keys dropped in the playground. There’s a culture in which employees are permitted to remove files containing very sensitive information from the premises. I think there’s much that can be done in increasing the level of accountability among employees.”
Newfoundland and Labrador has emerged as a hotbed for class actions related to alleged snooping by employees with three of the province’s health authorities facing claims from disgruntled patients. Western Health is facing a lawsuit by a representative plaintiff on behalf of more than 1,000 class members who allege a clerk improperly accessed their records. The class action against Eastern Health involves 122 patients and alleged misconduct by 11 employees while a similar action is targeting Central Health. None of the allegations have been proven in court.
Goodis’ office offers online training for employees and managers aimed at reducing instances of unauthorized access to patient health information. He says employers can limit the chances of a deliberate breach by implementing access controls for employees depending on their need and logging and auditing access to make sure workers don’t get casual about viewing records unrelated to their work. Appropriate discipline, depending on the circumstances of a breach, can also play a part in driving the message home, he says.
Flags to denote employees and family members who are also patients of the custodian can be a useful extra layer of security, according to Goodis, since interpersonal conflict “seems to be a common theme” in incidents involving wrongful access of patient data.
That was the case in the landmark privacy case of Jones v. Tsige in which the Court of Appeal for Ontario created the new privacy tort of intrusion upon seclusion. In that case, the plaintiff successfully sued the common-law partner of her former husband for inappropriately accessing her banking information 174 times over four years.
At the OBA event, Alex Cameron, the partner at Fasken Martineau DuMoulin LLP who represented the defendant, told the audience a “target was painted” on the health-care sector by the court’s decision when it specifically mentioned intrusions into health records as an example of when a claim may arise.
Although the intrusion must be intentional for a claim to succeed, the court made clear that this includes recklessness, a threshold Cameron says could potentially be a factor in cases involving a failure to keep up with best practices in privacy protection.
“Think about that and your encryption of mobile devices and whatnot,” said Cameron.
“There are a lot of things that are just standard practice and if you’re not up to that level at this point, then you’re going to potentially get a finding of recklessness, I think.”
However, Borden Ladner Gervais LLP class actions partner Barry Glaspell told the gathering that the transience of the law in the area is just one of the barriers to nascent health privacy class actions.
“Eventually, these issues are going to get to the Supreme Court of Canada and we may not have a tort of seclusion or whatever by the time we get to the Supreme Court,” said Glaspell.
Glaspell said the number of class members and the value of each claim rarely reach the scale necessary to get plaintiffs’ counsel interested and noted that in cases with settlements, the terms have generally favoured defendants. For example, in Rowlands v. Durham Region Health, a case involving a lost memory device containing the health records of 85,000 individuals immunized during 2009’s H1N1 flu scare, the settlement required affected patients to show they had suffered a loss as a result of the data breach with the only compensation paid out so far being the $500,000 in counsel fees.
And since any class action settlement will likely come from taxpayer money, Glaspell said health-care defendants will likely get “quite a bit of sympathy” when they get to court. With that advantage in cases lacking egregious circumstances, he said it’s particularly important for custodians to act properly once they discover a breach.
“Good or bad behaviour after the problem arises is crucial from a class action perspective because bad behaviour is what class actions are supposed to work on and post-incident bad behaviour can become the cause of action, not that actual action at the beginning.”