New Breach Disclosure Details
The Ontario Information & Privacy Commissioner released a summary indicating that organizations are to disclose “disciplinary actions” affecting employees found responsible for breaches.
It goes without saying that we take the protection of privacy very seriously. It is, after all, one of the primary reasons why our office exists. On the other hand, we also believe very much in the importance of transparency and accountability. Inevitably, there are situations when privacy and transparency/accountability must be balanced.
In particular, there have been cases where health professionals have accessed patient records without consent, and in breach of health privacy legislation. This leads to the question of how much the affected individuals should be told about what happened and who was involved. While health care organizations may apologize and assure an affected individual that “disciplinary action” has been taken, it is not enough.
Health care organizations may understandably be reluctant to provide such details, and the old standby of “standard practice” is not an acceptable reason. In fact, we have stated in the past that an individual whose privacy has been breached should be told who accessed their records and the details of any disciplinary action.
This level of transparency is necessary for a few reasons. First, accessing records without authorization can seriously jeopardize an individual’s privacy and security. Individuals should be given a complete account of what happened so they can take any remedial steps to protect themselves, if necessary. Second, the individual should be able to make an informed decision on whether the health care organization has responded adequately to the breach. Third, for others who work with health records, knowing that the details of a disciplinary action will be disclosed can serve as a strong deterrent. Additionally, for some individuals there can be no sense of resolution and closure unless all of the details are disclosed. Being told that “everything is okay” is small comfort when intimate details of your life may have been exposed to strangers.
Given the seriousness of a privacy breach, our office will weigh heavily in the interests of the individual whose privacy was violated. The burden of complying with provincial health legislation is the responsibility of the health care provider, not the patient.