May 4, 2012
Information and Privacy Commissioner Ed Ring Releases First Report under the Personal Health Information Act (PHIA)
Commissioner Ed Ring is pleased to announce the release of his first report under the Personal Health Information Act (PHIA) [pronounced fee-ah]. In this report, the commissioner determined that a registered massage therapist had lost a file containing the personal health information of the complainant, who was a patient of the massage therapist. The commissioner determined that the massage therapist had breached several sections of PHIA by failing to properly safeguard the personal health information in her possession, failing to develop and implement the proper policies and procedures, and failing to provide to patients or post the appropriate notice materials as required by PHIA. The commissioner recommended that the massage therapist take steps to become compliant with PHIA, and to complete the PHIA on-line training program. The commissioner indicated that his office would be following up on the recommendations after 60 days to check for compliance.
Commissioner Ring commented that custodians of personal health information, including registered health professionals such as doctors, pharmacists, dentists, and massage therapists, as well as the regional health authorities, have had over a year to become compliant with PHIA: “Custodians of personal health information have had ample opportunity to become compliant with PHIA. In the past year we have worked to deal informally with complaints resulting from privacy breaches under PHIA, and we will continue to do so when appropriate, but the issuance of this Report demonstrates that we do have another tool in our toolbox to ensure compliance with the act.”
Commissioner Ring added that “As this is my first such Report under PHIA, I have omitted the name of the massage therapist, but in future reports, custodians of personal health information will be named. Any custodians who are not PHIA compliant should take immediate steps to rectify that situation. All of the resources to do so are available through the Department of Health and Community Services website, and officials of my office as well as the department are more than willing to assist custodians who need help in understanding the basic elements of compliance with PHIA.”
Commissioner Ring further advised that “education of custodians and the general public will always be one of the purposes behind the issuance of a report of this nature, and as time moves on, there will be greater expectations in terms of compliance by custodians. To that end, it is important to recognize that PHIA contains relatively stiff penalties for the commission of an offence, with fines of up to $10,000 and jail terms of six months. In such instances, there will be an offence investigation and a prosecution before a court of law. Although we have not pursued this avenue to date, I expect that the need may eventually arise, based on the experience with health privacy laws in other provinces.”
To view the report in its entirety, please go to www.oipc.nl.ca/PHIAprivacyreports.htm.
- 30 -
Media contact:
Ed Ring
Information and Privacy Commissioner
709-729-6309
2012 05 04 1:35 p.m.