Whether you are an insurance company, hospital or patient, a medical information privacy case in Canada last month illustrates how important is the quality of an organisation’s compliance infrastructure and its response to any breach of such sensitive personal information.

In the Ontario case, a hospital reported to the privacy commissioner three separate medical information privacy breaches under that province’s version of Bermuda’s Personal Information Protection Act 2016. Each involved unauthorised access to a patient’s personal medical information by employees of the hospital who had, in the words of the privacy commissioner, “snooped” those records for non-work-related purposes.

The number of such distinct wrongful access incidents suffered by the hospital aroused the privacy commissioner’s concern that such surreptitious snooping might be systemic across the hospital’s staff so she agreed to hear the complaint against the hospital.

By comparison, under Pipa, all such medical information is defined as sensitive personal information which must be used only for the consented purposes for which it was collected by the retaining organisation.

It must be securely kept to a standard of “safeguard” from unauthorised access that must take into account the likelihood and severity of the harm threatened by any such unauthorised access or misuse, the sensitivity of such personal information and the context in which it is held.

A possible contextual consideration for any hospital is the reasonable patient expectation of confidentiality for such sensitive medical information.

The Ontario privacy commissioner considered whether the hospital had taken reasonable steps to protect the health information, which must include the implementation of administrative and technical measures or safeguards — including policies, procedures, practices, audits, training and awareness programmes.

She also undertook a thorough review, if not audit, of all the hospital’s privacy compliance infrastructure.

Because the hospital in that case had responded diligently when those breaches arose, had taken disciplinary measures against the perpetrators, had increased its staff training on those issues, and had otherwise diligently complied with the security and other measures required by Ontario’s health information protection statute, the Ontario privacy commissioner was “… satisfied that the hospital has adequately addressed the privacy concerns raised by the three breaches … a [conduct] review [of the hospital] is not warranted”.

Although Bermuda and Ontario have different health information privacy laws, they are very similar in their treatment of personal medical information. Certainly, such employee snooping would likely be a violation of Pipa’s medical information privacy protections.

The decisions of the Ontario privacy commissioner are in no way binding in Bermuda, but the case may be instructive about how important preparatory compliance measures can be.

Whether sensitive medical information is in the hands of your healthcare providers, a hospital or your insurance company, the preparatory quality of the organisation’s compliance infrastructure and the diligent nature of its responses to a breach incident may well influence and inform a determination as to whether an organisation has contributed to, or even enabled, such breaches to occur.

First Published In The Royal Gazette, Legally Speaking, May 2023

Share
Twitter LinkedIn Email Save as PDF
More Publications
10 Jun 2024

Bankruptcy & Restructuring – Planning for Failure

The sudden collapse of Lehman Brothers in September 2008 sent shockwaves around the globe. As the la...

4 Jun 2024

Bermuda’s cybersecurity law transformation is well underway

We are almost six month into 2024, and this year has already been transformative for IT and cyber se...

23 May 2024

Regulatory oversight is key for Bermuda’s insurance sector

Bermuda’s thriving insurance and reinsurance sector requires effective regulatory oversight if it ...

9 May 2024

It is all about the data

All successful enterprises have a voracious appetite for data. The advanced abilities of IT systems ...

3 May 2024

Best Practices for Conducting Investigations into Employee Grievances

Grievance procedures are very important, but often overlooked, procedures that all employers should ...

25 Apr 2024

Trusts, and how they came to be

What traces its history through Ancient Rome and the Crusades, can have many de facto owners, none a...

8 Apr 2024

Electronic dissemination of corporate communications by Hong Kong listed issuers from an offshore perspective

In June 2023, The Stock Exchange of Hong Kong Limited published consultation conclusions to its cons...

3 Apr 2024

Bermuda: Lack of New Players Is Supporting Strong Interest in ILS

All signs point to another very strong year for the catastrophe bond and related insurance-linked se...

2 Apr 2024

Choosing the right structure for your business in Bermuda

Anyone seeking to set up a business in Bermuda has a variety of options, depending on the nature of ...

25 Mar 2024

PIPA Compliance is Not Just a Domestic Affair

As organizations in Bermuda prepare for the full application of the Personal Information Protection ...