Privacy Torts as the Next Best Alternative
Which laws exist to protect patients from snooping eyes of health care providers?
Disciplinary hearings were held over the past few weeks in Ontario for nurses who looked at patient files without authorization. Despite the knowledge of several of these instances, there has never been a successful conviction of the Personal Health Information Protection Act (PHIPA) since coming into force a decade ago, and some people are starting to ask why.
One of the major challenges is the regulatory regime itself, which is particularly unwieldy and requires prosecution by the Attorney General. The Health Minister has already promised to simplify the process and increase the penalties, if and when a successful prosecution occurs.
The other part of the challenge is the lack of notification of police or other authorities. The College of Nurses of Ontario only refers such cases to the police or the privacy commissioner on a case by case basis, depending on the risk to the public. Marnie Fletcher, chief privacy officer at St. Joseph’s Healthcare, stated,
Sharing patient information with law enforcement officials would itself be a breach of privacy.
Where health records are reviewed without authorization, and there is no subsequent use or disclosure of the information, the patient is often unlikely to discover the breach occurred at all because it’s often very difficult to identify where this may have occurred to begin with.
Ultimately this means that our privacy regime largely fails the interests of the public in protecting their sensitive health information from workers who simply might be curious or nosy. For this reason I suggested last year that the new tort of intrusion upon seclusion may be a better way to ensure proper protections are put in place.
The increased scrutiny over these privacy breaches, and the legislative reform, will create new questions as to whether these alternatives are sufficient or superior to class proceedings as a means of privacy protection.
I’ll be exploring these themes this week at the Western Law Interdisciplinary Graduate Student Conference at a talk titled, “Class Action Intrusions: Helping to develop privacy rights, or an overkill in liability?”
Ms. Fletcher is engaging in what a logician* would consider a “straw-man” argument. The police do not want to know the exact details of the information, they want credible proof that the information *was* shared, and that it should not have been. The victim may well consent to the police or the courts knowing the details: that’s their decision. To not report a putative crime, however, is St. Joseph’s decision, and it’s one that is brought before the courts.
–dave
[* My old sergeant-major had a pithier characterization of this argument: “Bullshit baffles brains”, usually followed by pack-drill for the person who tried to bullshit him]
Responding to the main thrust of your argument, though, I have concerns about using suits as a way of enforcing good behavior.
Our American cousins will sue at the drop of a hat, and then their legislatures will ignore the problem, saying “let the courts figure it out”. They end up with offences that should be crimes, but are only punished when committed against the well-to-do, who can afford to see justice done.
I agree that intrusion upon seclusion indeed may be a better way to ensure proper protections are put in place, but only if it leads to either legislative change, or the courts effectively requiring that all such putative crimes be reported to the police, so that they will be brought before the courts.
I’d be interested in hearing a mini-report on the Conference, or at least your talk.
Thanks for the slideshare, there’s a lot there to think about
http://www.slideshare.net/omarharedeye/intrusion-uponseclusionwesternfinal
David,
Thanks for catching my slides and posting them here. There’s plenty more.
A draft copy of the paper is completed and is posted online. The ideals are far more fully flushed out there, in particular the contrast of discretionary investigations versus judicial economy.
Is there not also a question of appropriate use of public funds, if class actions against publicly funded hospitals go ahead, as the one in Durham is being allowed to do? The public purse risks being out hundreds of thousands of dollars, or more, where no person has suffered any perceptible damage. I understand why the lawyers like this game, but it is a very expensive way to compel good private practice.
John,
The argument can be made, and is in my paper, that the choice is between funding the IPC or strengthening the judiciary.
As it stands, PHIPA is not a sufficient deterrent, even with the proposed amendments to increase the fines.
If there isn’t a financial risk to the organization, there does not appear to be sufficient incentive to change. Reputational harm is obviously bad, but just hasn’t been bad enough to strengthen privacy enough.
Well, “strengthening the judiciary” does not have to involve taking some millions of dollars from the public health care system to pay large sums to lawyers acting in the name of people who have suffered no harm.
By all means, carefully selected and widely publicized prosecutions may be useful, and IPC oversight may be useful, and heads rolling in appropriate places may be useful. It’s just class actions against organizations who don’t feel the pain of a judgment, funded from the public purse, that strike me as undesirable.
John,
The entire premise of my argument is that even a small number of class actions will foster change internally within the organizations, meaning dollars from the public health system will be used to strengthen privacy controls around health records. The entire point is to avoid the money going to lawyers at all.
Class actions have a better deterrent function than alternatives, and there is judicial economy in employing them.
The IPC is not carefully and selectively prosecuting privacy breaches. They’re not prosecuting them at all. Not a single one in over a decade.
See my link to the draft paper above for details.