Doctor, clinic slapped with first monetary penalty under Personal Health Information Protection Act

They were ordered to pay $12,500 over the unauthorized use of patients’ data for financial gain

The Office of the Information and Privacy Commissioner of Ontario has slapped a doctor and a private clinic with the first administrative monetary penalty (AMP) under the Personal Health Information Protection Act (PHIPA).

This is the first time a Canadian privacy commissioner has issued an AMP. On August 27, the doctor was fined $5,000 over the unauthorized access to and use of patients’ hospital records for personal financial gain; the clinic was ordered to pay $7,500 for non-compliance with basic PHIPA obligations.

The matter was raised to the IPC on May 31, 2024 by Windsor Regional Hospital (WRH), Chatham-Kent Health Alliance, and Erie Shores HealthCare. The hospitals claimed that WRH physician Dr. Omar Afandi accessed their shared electronic health record systems to find information on newborn males for the purpose of offering their parents circumcision services via his private pediatric clinic WE Kidz Pediatrics.

A formal investigation was launched by commissioner Patricia Kosseim on March 6. Afandi’s WRH privileges have since been rescinded, and in addition to the AMPs, Afandi and WE Kidz Pediatrics were ordered to delete all inappropriately obtained records.

The penalty is a warning to health information custodians and their agents to comply with the health privacy law, according to the IPC. It also emphasizes the need for essential privacy management program elements to be implemented before the launch of a health-related business.

“Unauthorized access to personal health information erodes trust in the health care system and can cause harm to individuals — be it physical or emotional. AMPs are an important regulatory tool to encourage compliance with PHIPA and to prevent persons from deriving economic benefit as a result of contravening the act or its regulations,” the IPC said in a statement.

The commissioner recommended that WE Kidz Pediatrics improve its privacy policies and procedures and that its management and staff undergo further privacy training. The IPC also recommended that WRH enhance its record-keeping and information practices to improve its compliance with PHIPA obligations.