“Snooping” is when someone accesses personal health information without the proper authorisation. Snooping is included in the offences set out in the Personal Health Information Protection Act (“PHIPA”).
Snooping continues to be a live issue in the field of digital health. In light of this, punishments for snooping have increased. Bill 188 was introduced in March 2020, amending PHIPA to double the size of the maximum fine that could be given. An individual guilty of snooping could face up to a $200,000 fine, up to a one-year term of imprisonment, or both; meanwhile, a corporation can face up to a $1,000,000 fine.
Despite this, the IPC’s annual statistical reports reveal that the incidence of snooping by healthcare workers is on the rise. Snooping accounted for 18.44% of self-reported health privacy breaches in 2019, and increased to 20.1% in 2020 and to 20.9% in 2021. In the IPC’s own words:
Although any case of unauthorised access to medical records can have devastating consequences for patients, health professionals, and the health system as a whole, snooping cases seem all the more reprehensible, especially when done to derive commercial profit. All health care providers in the province must have the necessary safeguards in place to detect and report snooping, and ultimately, to prevent snooping altogether.
It is clear that more will be required to prevent snooping. Future amendments to PHIPA and its regulations will (1) increase monitoring by mandating the use of electronic audit logs and (2) expand the IPC’s powers to hand out administrative monetary penalties to encourage compliance with PHIPA and prevent any person from deriving an economic benefit through snooping.
In addition to any penalties doled out for committing a PHIPA offence, civil justice may be available to a victim of snooping. In Jones v Tsige, a 2012 decision of the Ontario Court of Appeal (“ONCA”), the plaintiff brought an action for damages against a bank employee who had accessed her banking records 174 times over a four-year period without the requisite authorisation to do so. Accordingly, the ONCA recognised a new tort of “intrusion upon seclusion”, and awarded the plaintiff $10,000 in damages.
According to the ONCA, liability in intrusion upon seclusion will be imposed where snooping can be described as “highly offensive” if viewed objectively on the reasonable person standard. Liability would not be restricted to the unauthorised access of financial information, and encompasses matters “such as one’s … health records, sexual practices and orientation, employment, [and] diary or private correspondence.”
Furthermore, a healthcare worker guilty of snooping may face criminal sanctions under the Criminal Code of Canada. This applies to the extent that the personal health information accessed by the snooping healthcare worker includes information that can be used to identify the victim of snooping, e.g., a name, address, date of birth, health insurance number, etc.
The Criminal Code prohibits the possession or transmission of “identity information” if such information is to be used in the commission of an indictable offence that includes fraud, deceit, or falsehood. Similarly, the healthcare worker is prohibited from using such “identity information” for the purpose of impersonating the victim of snooping. At best, a conviction could result in a fine of up to $5,000, imprisonment for no more than two years, or both; at worst, a conviction could result in imprisonment for up to 10 years.
Should you have any questions, please contact Michael Weinberger, privacy and business law lawyer.
Special thanks to Henry Fares, Articling Student, who helped write this article.