
Apr 22, 2021 in News, Privacy Breach

Ontario Releases Virtual Health Privacy and Security Guidelines


In February, as Ontario approached the one-year anniversary of COVID-19 in the province and braced for a ‘third wave’ of infections, the province’s Information and Privacy Commissioner released new guidelines for protecting the privacy and security of patients participating in virtual healthcare sessions.

The pandemic has accelerated the adoption of virtual care, which can include secure messaging, telephone consultations, and videoconferencing. As medical malpractice lawyers know, this shift has prompted privacy, security, and cybersecurity concerns.

Maintaining the security of medical records is an important part of the duty of care owed to patients by healthcare providers. In 2017, we discussed how privacy breaches could lead directly to medical malpractice claims and highlighted a class action lawsuit against Scarborough’s Rouge Valley Health System. Medical malpractice lawyers representing 14,450 plaintiffs sought $412 million in damages for “breach of contract, breach of warranty, breach of confidence, intrusion upon seclusion, negligence, and conspiracy,” according to the statement of claim. 

The Information and Privacy Commissioner’s guidelines make clear that the Personal Health Information Protection Act (PHIPA), Ontario’s health privacy law, applies equally to virtual and in-person care. Custodians of patient information, the document states, ‘must comply with the provisions of PHIPA, in addition to all other applicable laws and regulations, as well as guidance issued by relevant professional regulators.’

The guidelines highlight the following PHIPA requirements:

  • Data minimization: Custodians of patient information ‘must not collect, use or disclose personal information if other information will serve the purpose of the collection, use, or disclosure.’ They also ‘must not collect, use, or disclose more personal health information than is reasonably necessary to meet the purpose of the collection, use or disclosure.’
  • Safeguarding: ‘Custodians must take steps that are reasonable in the circumstances to ensure that personal health information is protected against theft, loss, and unauthorized use or disclosure and that records are protected against unauthorized copying, modification, and disposal.’ Also, ‘custodians must ensure that records are retained, transferred, and disposed of securely.’

In other words, it is the responsibility of the custodians of patient information – the parties that collect and maintain the info – to reduce as much as possible the amount of information they collect; to avoid collecting unnecessary information; and to safeguard that information against theft, loss, or unauthorized use.

The Privacy Commissioner’s guideline also lists steps to enhance the privacy and security of virtual healthcare. The full document can be viewed here.

Ontario’s healthcare system has struggled to cope with repeated surges of critically ill COVID-19 patients. During the ongoing third wave, ICUs have reached capacity and doctors are grappling with the possibility of implementing triage measures. Virtual care is critical to reducing the in-person burden on healthcare providers; however, it too presents unprecedented challenges.

At Neinstein, our medical malpractice lawyers are committed to representing plaintiffs experiencing all types of losses due to the negligence or malpractice of healthcare providers. Contact us today to learn more.


Image: Shutterstock