The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Search this blog

Recent Posts

On Twitter

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

David Fraser's Facebook profile

Privacy Calendar



Subscribe with Bloglines

RSS Atom Feed

RSS FEED for this site

Subscribe to this Blog as a Yahoo! Group/Mailing List
Powered by

Subscribe with Bloglines
Add to Technorati Favorites!

Blogs I Follow

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Tuesday, August 01, 2006

Ontario Commissioner issues second order under PHIPA 

The Information and Privacy Commissioner of Ontario has issued her second order under the province's new Personal Health Information Protection Act.

The complaint concerns a pretty deplorable situation that took place at the Ottawa Hospital. The complainant was admitted to the hospital and advised that shd did not want her estranged husband and his girlfriend (both were employees of the hospital) to know of her admission or of her situation. Subsequent discussion with her husband demonstrated that he knew about her admission and the patient complained.

An investigation revealed that the girlfriend had accessed the complainant's electronic health record a number of times and disclosed it to the estranged husband. The Commissioner was less than impressed, as demonstrated by the postscript to the executive summary:


This was a truly regrettable situation in which a patient who was admitted to a hospital, made a specific request to prohibit her estranged husband and his girlfriend, a nurse at the hospital, from having any information regarding her hospitalization, only to learn that the exact opposite had occurred.

Despite having alerted the hospital to the possibility of harm, the harm nonetheless occurred. While the hospital had policies in place to safeguard health information, they were not followed completely, nor were they sufficient to prevent a breach of this nature from occurring. In addition, the fact that the nurse chose to disregard not only the hospital’s policies but her ethical obligations as a registered nurse, and continued to surreptitiously access a patient’s electronic health record, disregarding three warnings alerting her to the seriousness of her unauthorized access, is especially troubling. Protections against such blatant disregard for a patient’s privacy by an employee of a hospital must be built into the policies and practices of a health institution.

This speaks broadly to the culture of privacy that must be created in healthcare institutions across the province. Unless policies are inter-woven into the fabric of a hospital’s day-today operations, they will not work. Hospitals must ensure that they not only educate their staff about the Act and information policies and practices implemented by the hospital, but must also ensure that privacy becomes embedded into their institutional culture.

As one of the largest academic health sciences centres in Canada, the Ottawa Hospital had properly developed a number of policies and procedures; but yet, they were insufficient to prevent members of its staff from deliberately undermining them.

See Health Order HO-002 released July 31, 2006. (Executive Summary)

Labels: , , ,

Links to this post:

Create a Link

This page is powered by Blogger. Isn't yours? Creative Commons License
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License. lawyer blogs