Electronic Health Records Bring the Risk of Health Data Breaches

 Health records are some of the most intimate data a person has. They are personal, invasive, and often uncomfortable. These data contain information that can be used against you in many ways - you can be embarrassed, discriminated against, or even blackmailed private health data fall into the wrong hands. We need to trust that these records are being vigorously protected by those who control them. We as patients have a right to decide when, how, and to who our personal health records are disclosed. 

 With the increased use of electronic health records, privacy breaches are a real threat. Health providers often fail to protect private health data due to a lack of sophistication in data privacy and poor regulatory enforcement. Their systems are outdated and accessible by hospital staff who are often outside of the circle of care. 

 In 2019, three major Canadian hospitals fell victim to ransomware attacks in which hackers held electronic medical records hostage, demanding the organizations pay a large sum of money to regain access [1].  In December of 2019, the leading medical laboratory testing company, LifeLabs, suffered a similar cyberattack which compromised the health data of 15 million people [2]. This data included patient names, addresses, phone numbers, email, and most importantly, their most private health information. Imagine the last time you had a blood test - would you want that information available and sold on the dark web?

This problem is not restricted to Canada. Since 2016, the U.S. has seen 172 ransomware attacks, affecting the medical records of 6.6 million Americans [3]. It’s clear that a solution is needed to better protect your health data privacy. 

 One solution is to look to national and international leadership to take action in implementing health data privacy laws and holding institutions to higher legal, technological, and ethical standards of privacy. 

 Health Data Laws Worldwide Vary in their Protections and Penalties 

 Canada – PIPEDA and Provincial Legislation

 In Canada, the federal legislation that governs the protection of personal information is called the Personal Information Protection and Electronic Documents Act (“PIPEDA”). However, this applies to private, for-profit organizations. Health care in Canada is governed by each province independently. This means that each province is permitted to have its own version of PIPEDA when applying it to health data. Many provinces have legislation similar to PIPEDA but it is not nationally consistent. In Canada’s most populous province, Ontario, the health privacy legislation is called the Personal Health Information Protection Act (PHIPA). A 2020 amendment of the legislation will make mobile application developers also subject to these regulations [4]. 

Until 2018, PHIPA did not require health care providers to disclose all breaches of privacy to patients. Thankfully, current Ontario legislation requires that all breaches be communicated to the patient. The provider must also report it to the Information and Privacy Commissioner of Ontario (IPC), who collects the statistics on such breaches. In 2018 alone, there were 11,278 reported instances of health care privacy beaches. Of those cases, 5% constituted “Unauthorized Use” and 90% constituted “Unauthorized Disclosure”. The remaining percent of cases constituted lost or stolen records, inclusive of cyberattacks[5]. However, health care providers are only responsible for taking “reasonable steps” to protect your data. As such, if they are determined to have taken “reasonable steps”, the institutions will not be penalized.

 The penalty for a privacy breach is not a criminal offense governed by the Criminal Code of Canada. Instead, it is a fine under the specific legislation. In Ontario, PHIPA has recently been amended to increase the fine for hospitals to up to $1,000,000. However, some suggest that amending the Criminal Code to render privacy breaches a crime would better protect the health records of the public[6]. This would mean that a breach of privacy would then subject the offender to imprisonment or other penal sanctions. Regardless, PHIPA and PIPEDA do not prevent the victim of a breach from bringing their own private legal action on the basis of invasion of privacy, which allows the victim to receive monetary compensation for the breach[7].

Not every Canadian province has legislation requiring mandatory breach notification. In British Columbia (B.C.), the legislation applying to health providers is called E-Health (Personal Health Information Access and Protection Privacy) Act. This act does not require the health provider to notify the privacy authorities nor does it require notification to the person affected. Guidelines for B.C. physicians show that they must only “consider” whether to disclose privacy breaches to the relevant parties. The Privacy Commissioner of B.C. stated in an article that he believes the province’s legislation should be amended to include mandatory breach notification. This article sheds light on possible breaches of patient data via an unsecured pager system which could be intercepted by radio frequencies[8].

 Clearly, the Canadian privacy laws aren’t appropriately protecting us from breaches of our health information nor are they imposing harsh enough penalties for those who contravene the rules.  

United States – HIPAA

In the U.S., the primary legislation governing the privacy of health data is the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Contrary to Canada, this legislation applies to the entire country, providing a more consistent approach to healthcare data privacy than Canada’s provincial structure.

Under HIPAA, entities subject to the legislation are required to notify of breaches of “unsecured” health information. Also, the Federal Trade Commission (“FTC”) enforces a “Health Breach Notification Rule” for vendors responsible for health records and third-party service providers. This rule requires mandatory disclosure of breaches both to the person affected by the breach and to the FTC, in addition to notifying the media in some cases[9].

Under HIPAA, individuals also have the right to access their health information, however, such information is often inaccessible and difficult to request. More importantly, your health data is still held and controlled by health care bodies. Even with mandatory disclosure laws, this does not mean that the data is safer, only that you’ll know when it has been breached. 

 Unlike in Canada, HIPAA violations are categorized based on their severity. Less severe violations will result in fines; however, severe violations are open to criminal penalties and jail terms[10]. For example, willfully violating HIPAA for personal gain or with malicious intent can result in 10 years in jail. In this way, HIPAA provides a more severe scheme than the Canadian provinces. However, HIPAA does not provide the option for victims to bring private legal action directly under federal legislation. The victim of a privacy breach can bring a claim under the Office of Civil Rights or bring a private claim in negligence, depending on the law of their given State. Both options require the victim to show that the organization infringed on their rights or were negligent in handling their information.  

Europe - GDPR

In Europe, the primary legislation governing health data is the General Data Protection Regulation (GDPR). This legislation provides protection for European citizens both within the EU and outside of the UK. It is especially innovative in that it introduces strict governing rules and standards that help to protect citizens’ private information.

 The GDPR requires mandatory reporting of breaches to the country’s representatives within three days[11]. This has been praised as a positive change to decrease the turnover time in reporting and investigating breaches[12]. It provides an especially onerous system with a broad scope, applying to a large range of companies. 

The GDPR provides a right to data portability, which allows the subject to request a transfer of their data to another similar platform. It also provides a clear right to be forgotten, requiring that their data be erased. It allows the right to information regarding the processing system upon which their data is stored and the right to object to using personal data for direct marketing[13]

The penalties under the GDPR include hefty fines up to $20,000,000 Euros and the option to pursue private legal action towards those responsible for the breach, including a right to compensation (Article 83 of GDPR) and ability to bring class actions lawsuits. 

The GDPR is without a doubt the most citizen-focused legislation striving to provide the most thorough protection and remedies. Bowhead believes in thorough data protection by developing tools to best protect your privacy in harmony with each country’s health data laws. We empower you to own and control your health data.

 Sources

[1] Thomas Daigle, (2019), CBC News, “Here’s what we know about the ransomware that hit 3 Ontario hospitals”, retrieved from https://www.cbc.ca/news/technology/ransomware-ryuk-ontario-hospitals-1.5308180

[2] Maham Abedi, (2019), Global News, “LifeLabs hack: What Canadians need to know about the health data breach”, retrieved from https://globalnews.ca/news/6311853/lifelabs-data-hack-what-to-know/ 

[3] Paul Bischoff, (2020), Comparitech, “172 ransomware attacks on US healthcare organization since 2016 (costing over $157 million)”, retrieved from https://www.comparitech.com/blog/information-security/ransomware-attacks-hospitals-data/

[4] Daniel Fabiano and Sophie MacRae, (2020), Fasken Martineau DuMoulin LLP, “Significant Changes to Ontario’s Health Privacy Law: New Enforcement Powers and Technology Requirements”, retrieved from https://www.fasken.com/en/knowledge/2020/03/significant-changes-to-ontarios-health-privacy-law/#authors-content

[5] Roberto Ghignone (JD), (2019) A Review of Mandatory Reporting of Health Sector Privacy Breaches in Ontario, Borden Ladner Gervais LLP, “BLG”, retrieved from https://www.blg.com/en/insights/2019/12/a-review-of-mandatory-reporting-of-health-sector-privacy-breaches-in-ontario?provinceCode=Qc 

[6] Annelise Harnanan, (2019), McGill Journal of Law and Health, “Electronic Health Records: a Glimpse Into the Legal Framework”, retrieved from https://mjlh.mcgill.ca/2019/02/15/electronic-health-records-a-glimpse-into-the-legal-framework/

[7] Jones v Tsige, 2012 ONCA 32; Hopkins v. Kay, 2015 ONCA 12. 

[8] Francesca Fionda, CTV News, (2019), “Pager systems used in healthcare could be exposing patient data across Canada”, https://www.ctvnews.ca/health/pager-systems-used-in-healthcare-could-be-exposing-patient-data-across-canada-1.4727129

[9] Federal Trade Commission, (2020), “Health Breach Notification Rule, retrieved from https://www.ftc.gov/tips-advice/business-center/guidance/health-breach-notification-rule

[10] American Medical Association, (2020), “HIPAA violation & enforcement”, retrieved from https://www.ama-assn.org/practice-management/hipaa/hipaa-violations-enforcement 

[11] General Data Protection Regulation (EU) 2016/679, retrieved from https://gdpr-info.eu/art-33-gdpr/

[12] Micheal Nadeau, (2020), “General Data Protection Regulation (GDPR): What you need to know to stay compliant”, retrieved from https://www.csoonline.com/article/3202771/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html

[13] Ryan Berger, Caroline Deschenes, and Amanda Ferriss, (2018), Norton Rose Fullbright Canada LLP, retrieved from https://www.nortonrosefulbright.com/en/knowledge/publications/db9b8e2b/what-should-canadian-businesses-know-about-gdpr