Nearly each Canadian has an Electronic Medical or Health Record (EMR) which has the potential, when used lawfully, to help improve health outcomes and patient safety through preventive care and chronic disease management and save money.“100 per cent of Canadians have at least one hospital clinical report, or their immunization record, available in electronic form, and their authorized clinicians can access this information outside of a hospital and 100 per cent of diagnostic images taken in Canadian hospitals are filmless, and stored in repository for access by authorized clinicians”.
What happens when you find yourself in a position such as I did, when the personal health information stored in the form of an Electronic Health Record (EHR) under the protection of the Health Information Act (HIA) is accessed not by an authorized clinician, but rather by an unauthorized user in contravention of the (Alberta) Health Information Act (HIA).
If this occurs, the individual may find themselves personally investigating a potential ‘privacy breach’. A (health information) privacy breach occurs when Alberta’s HIA has been contravened; for example, where personal health information is stolen, lost, or used or disclosed without authority.
The discovery that my health information was being accessed unlawfully occurred in 2016, when the HIA did not have mandatory reporting requirements as it does now (since August 2018), so it took nearly 500 days for the public body to deliver verification of my health information being accessed by medical professionals other than my chosen healthcare team.
Once the FOIP step is complete, the logs obtained can be used to submit a complaint to the Office of the Information and Privacy Commissioner of Alberta. This is a step that future privacy breach victims will not have to take, as mandatory reporting under the HIA now requires the public body to notify the OIPC as well as the individual via written report. The OIPC investigates issues such as these, along with other complaints of privacy breaches and access to information issues. Commissioner Clayton recently stated in the OIPC 2017-18 Annual Report that, “looking back on 2017-2018…it seems privacy issues may once again be coming to the fore in Alberta, as these issues also garner more attention around the world”.
Under the HIA, charges can be laid and offenders can be prosecuted in an Alberta court. The OIPC did refer my file to the crown prosecutor’s office, which charged the offender with unauthorized access. The courts heard a guilty plea and imposed a fine and a victim surcharge, a first of its kind delivered to an offender for a breach of the HIA. The OIPC closed their files and added this HIA privacy breach investigation to their statistics. The regulatory body conducted a two-year investigation which resulted in intermittent license suspension as a consequence of the offence.
As I progressed to end of the investigation file closures and to official conclusions, I consider the possible gaps in the system which I’ve identified along the way, possibly attributed to viewing it through the lens of an IAPP Professional in training as well as having lost my personal dignity, autonomy, having life interrupted, career kamikaze, intrusion beyond description and after having suffered the embarrassment as a witness of the judicial system.
What I observed and struggled to understand were legislative provisions which desperately require political attention. In fact, I wrote to the Health Minister regarding my concerns around the two-year limitation period in the HIA and encourage more people to do as well as an attempt to establish possible new legislative approaches to offenses under the HIA. The established limitation period for prosecution for the period of two years after the commission of the offence, is flawed if the offender breached EHRs for more than two years or if the breaches of privacy were not discovered until the breaches stopped and too much time had passed to conduct an investigation and press charges. The former health Minister had agreed to hear my concerns at the next review of the HIA.
Breaches come in many other forms. In fact, “Canadians increasingly feel that their ability to protect their information is diminishing”. A recent online survey of 41 respondents, revealed that 46.3% had been a victim of a data/information privacy breach and 17.1% had been victim of identity theft, which is a direct result of information privacy breaches, as information is valuable. Revealing personal information on an online platform or via cloud computing, comes with its associated risks. The way our government and health authority protect personal information of its citizens and employees, should not be risky business.
Intrusion Upon Seclusion
Introducing legal presentence, such as the Tort, Intrusion upon seclusion, currently not recognized in Alberta, is another approach which could be taken to ensure privacy breach victims also have an established course of action beyond the public body and independent OIPC, as the current recourse for information/data privacy breach victims is without impactful substance.
Possible other approaches I would be bold enough to recommend is the utmost importance that access and privacy legislation change to becoming easier for regular citizens to understand, because as it currently stands, the process is too dense and widely misunderstood.