There has been much in the media in recent years about employees of various institutions using their positions to gain access to information about people who use those institutions. The cases we have seen in great detail generally involved health care professionals accessing the records of famous or infamous patients, or accessing records for personal financial gain.
In Ontario, the Personal Health Information Protection Act, 2004 (PHIPA) sets out rules to protect a patient’s personal health records across the health system. Healthcare providers and organizations in the healthcare sector must follow these rules when collecting, using or sharing a patient’s personal health information. PHIPA contains provisions that allow for the prosecution of persons who violate it. The first person to be charged under PHIPA was alleged to have snooped into 5800 patient records over the course of six years; however, at the time, there was a six-month time limit on prosecutions under PHIPA. PHIPA was amended in 2016 to remove the time limit, increase the fines, and make reporting to the Information and Privacy Commissioner mandatory. The first two people to be convicted under the amended act were those who snooped into Rob Ford’s records.
In addition to their obligations under PHIPA, healthcare sector employers are increasingly aware of their obligations to undertake investigations into problematic workplace behaviour, either because of Bill 132 (in Ontario) or because of the current media coverage and political climate. Behaviour by employees that results in privacy breaches for patients, clients or even other employees will often be contemplated by internal workplace Codes of Conduct or human resources policies. This means that, apart from their obligation under PHIPA, employers also have an obligation to complete their own investigation and even to report to the employee’s regulatory college. Though it may seem duplicative or unnecessary in most cases, there are a number of reasons that may require the employer to complete the investigation, including:
- The employer has received a complaint about the behaviour directly from those affected and, in the interests of fairness and transparency, must undertake and complete its own investigation in order to be seen to be taking concerns seriously.
- The employer’s policy may require that an investigation, once started, must or should be completed.
- The behaviour may not be sufficient to constitute a breach of statute or regulatory policy, but is sufficient to constitute a breach of the employer’s own policies or Code of Conduct.
- The behaviour that must be reported to an outside body may only be part of a course of conduct, or one example of problematic behaviour on the part of the employee.
- The employer wishes to ensure that such behaviour is not repeated by other employees.
What all of this means is that employers, particularly in the healthcare sector, have increasingly significant obligations when it comes to reporting and investigations of problematic workplace behaviour by their employees, when it involves the personal information of clients or patients. Employers may be involved in multiple investigation processes in order to satisfy their obligations. Employers in this sector must be mindful that they have, and follow, internal policies that speak to their response to privacy breaches, investigations, and reporting to appropriate bodies. In the absence of applicable and appropriate policies, employers themselves may be subject to fines under the Act and subject to scrutiny in the media.