The Ontario Information and Privacy Commissioner is investigating after old medical records were found in a dumpster behind a coffee shop by a retiree. The affected patients will have to be notified as the information is subject to PHIPA, which contains Canada's only mandatory breach notification. See: TheSpec.com - Local - St. Joe's patient files found in dumpster.
Incident: Ontario patient files found in dumpster
Labels: breach notification, health information, incident, ontario, phipa, privacy
Ontario's Commissioner recommends PHIPA to Americans
Labels: health information, laptop, ontario, phipa, privacy
Last week's New York Times had an editorial on Safeguarding Private Medical Data:
... These are good steps, but a larger solution is needed. There should be a federal law imposing strict privacy safeguards on all government and private entities handling medical data. Congress should pass a bill like the Trust Act, introduced by Representative Edward Markey, a Democrat of Massachusetts, imposing mandatory encryption requirements and deadlines for notifying patients when their privacy is breached. As the N.I.H. has shown, medical privacy is too important to be left up to the medical profession.
In today's edition, Ontario's Information and Privacy Commissioner responds:
Ontario’s Example on Privacy - New York Times
To the Editor:
Re: Editorial: Safeguarding Private Medical Data (March 26, 2008)
I couldn’t agree with you more. In Ontario, we take privacy very seriously, especially when it comes to medical data.
Four years ago, we passed the Personal Health Information Protection Act, or Phipa, and haven’t looked back. This law provides solid privacy protection for health data but doesn’t act as a barrier to the delivery of health services. It doesn’t interfere with health care but ensures that it comes wrapped in a layer of privacy.
As privacy commissioner of Ontario, I can investigate complaints and issue orders if Phipa is breached. One order I issued requires that any identifiable health data must be encrypted if removed from a health care facility on a laptop or any other medium.
Medical privacy is far too important to be left to chance, or to the well intentioned. Strong legislated safeguards are needed.
Take a look at Phipa, which could serve as an excellent model.
Ann Cavoukian
Toronto, March 27, 2008
Hospitals must encrypt patient data on portable devices
Labels: breach notification, health information, laptop, ontario, phipa, privacy
The Information and Privacy Commissioner of Ontario yesterday released order HO-004 under the Personal Health Information Protection Act following the theft of a laptop containing confidential personal health information on 2,900 patients at the Sick Kids hospital in Toronto.
The order requires the hospital:
- to develop or revise and implement policies and procedures to ensure that records of personal health information are safeguarded;
- to develop a corporate policy that prohibits the removal of identifiable personal health information from the premises. If identifiable personal health information must be removed in electronic form, it must be encrypted;
- to develop an encryption policy for mobile computing devices, a policy relating to the use of virtual private networks, a privacy breach policy, and to educate staff regarding the policies and how to secure the information contained on mobile computing devices.
While the order directly relates to a hospital, it would apply to all health information custodians in the province of Ontario and will likely serve as guidance to all health care providers in the country.
For more info, see
TheStar.com - News - Sick Kids ordered to encrypt all electronic patient files.
The Winter 2007 edition of the Ontario Information and Privacy Commissioner's Perspectives was just released. It includes a look at some of the major projects relating to privacy or freedom of information that her office has been working on.
The newsletter also contains reviews of recent significant orders issued under the Freedom of Information and Protection of Privacy Act, the Municipal Freedom of Information and Protection of Privacy Act, or the Personal Health Information Protection Act, information about recent IPC publications, upcoming presentations and more.
Ontario court quashes adoption disclosure law
Labels: health information, ontario, phipa, privacy
Earlier this week, the Ontario Court of Justice struck down the opening of adoption records in that province under the Adoption Information Disclosure Act. The decision is here.
The Information and Privacy Commissioner of Ontario has issued a press release about the decision:
IPC - Office of the Information and Privacy Commissioner/Ontario
News Release September 19, 2007
Court ruling strikes down privacy-invasive provisions of adoption disclosure law: Commissioner Cavoukian
TORONTO – Today’s court decision quashing the opening of past adoption records through Ontario’s Adoption Information Disclosure Act confirms the importance of an individual’s right to privacy, said Ontario Information and Privacy Commissioner, Ann Cavoukian.
The ruling declares that the law is unconstitutional – it breaches section 7 of the Canadian Charter of Rights and Freedoms and thus, the sections of the Act relating to access to birth registration information “are declared invalid and of no force and effect.” As the Court noted, the Charter, “… is intended primarily to protect individuals and minorities against the excesses of the majority.”
The Commissioner constantly urged the government to amend the legislation to protect the privacy of past adoptions, giving birth parents and adoptees the right to file a “disclosure veto,” which would allow them the option of blocking access to their birth registration information. While this would provide much-needed protection for the minority, it would, as the Court noted, “… in fact allow the vast majority to get the information they were seeking.”
“While I supported the overall thrust of this Act, I fought long and hard to convince the Ontario government to introduce a crucial amendment that would provide much-needed protection for a number of deeply worried birth mothers and adoptees. Some literally feared that the Act – without the amendment I proposed – would shatter their lives. Now their prayers have been answered.”
Commissioner Cavoukian did not object to the opening of future records, but repeatedly cautioned that changing the rules retroactively, and exposing the identities of birth parents who entered into the adoption process in an era when secrecy was the norm, could have major repercussions. Despite the passing of the Act last year, the Commissioner continues to receive heart-wrenching letters, e-mails and calls from birth parents and adoptees expressing their concern – and in some cases great fear and despondency.
This court ruling will mean that Ontario residents no longer have less privacy protection than persons in the three other Canadian provinces that have adoption disclosure laws where the legislation is applied retroactively. Each of those provinces – unlike Ontario – passed laws with a provision for a disclosure veto for those who were involved in adoptions prior to the new legislation. “This is what should have happened here” says Commissioner Cavoukian.
In the words of the Court, “People expect, and are entitled to expect, that the government will not share [confidential personal] information without their consent. The protection of privacy is undeniably a fundamental value in Canadian society, especially when aspects of one’s individual identity are at stake.”
The Information and Privacy Commissioner is appointed by and reports to the Ontario Legislative Assembly, and is independent of the government of the day. The Commissioner's mandate includes overseeing the access and privacy provisions of the Freedom of Information and Protection of Privacy Act, the Municipal Freedom of Information and Protection of Privacy Act, and the Personal Health Information Protection Act, and helping to educate the public about access and privacy issues.