Whether you are an insurance company, hospital or patient, a medical information privacy case in Canada last month illustrates how important is the quality of an organisation’s compliance infrastructure and its response to any breach of such sensitive personal information.

In the Ontario case, a hospital reported to the privacy commissioner three separate medical information privacy breaches under that province’s version of Bermuda’s Personal Information Protection Act 2016. Each involved unauthorised access to a patient’s personal medical information by employees of the hospital who had, in the words of the privacy commissioner, “snooped” those records for non-work-related purposes.

The number of such distinct wrongful access incidents suffered by the hospital aroused the privacy commissioner’s concern that such surreptitious snooping might be systemic across the hospital’s staff so she agreed to hear the complaint against the hospital.

By comparison, under Pipa, all such medical information is defined as sensitive personal information which must be used only for the consented purposes for which it was collected by the retaining organisation.

It must be securely kept to a standard of “safeguard” from unauthorised access that must take into account the likelihood and severity of the harm threatened by any such unauthorised access or misuse, the sensitivity of such personal information and the context in which it is held.

A possible contextual consideration for any hospital is the reasonable patient expectation of confidentiality for such sensitive medical information.

The Ontario privacy commissioner considered whether the hospital had taken reasonable steps to protect the health information, which must include the implementation of administrative and technical measures or safeguards — including policies, procedures, practices, audits, training and awareness programmes.

She also undertook a thorough review, if not audit, of all the hospital’s privacy compliance infrastructure.

Because the hospital in that case had responded diligently when those breaches arose, had taken disciplinary measures against the perpetrators, had increased its staff training on those issues, and had otherwise diligently complied with the security and other measures required by Ontario’s health information protection statute, the Ontario privacy commissioner was “… satisfied that the hospital has adequately addressed the privacy concerns raised by the three breaches … a [conduct] review [of the hospital] is not warranted”.

Although Bermuda and Ontario have different health information privacy laws, they are very similar in their treatment of personal medical information. Certainly, such employee snooping would likely be a violation of Pipa’s medical information privacy protections.

The decisions of the Ontario privacy commissioner are in no way binding in Bermuda, but the case may be instructive about how important preparatory compliance measures can be.

Whether sensitive medical information is in the hands of your healthcare providers, a hospital or your insurance company, the preparatory quality of the organisation’s compliance infrastructure and the diligent nature of its responses to a breach incident may well influence and inform a determination as to whether an organisation has contributed to, or even enabled, such breaches to occur.

First Published In The Royal Gazette, Legally Speaking, May 2023

Locations

Bermuda

Services

Corporate, Regulatory Advice

Sectors

Privacy & Data Protection

Type

Insight

Share
X.com LinkedIn Email Save as PDF
More Publications
Appleby-Website-Employment-and-Immigration
19 Nov 2024

When and how to vary a Bermuda contract of employment

A contract of employment is a legal agreement that sets out the terms and conditions of an employee�...

Theodora Hand
Theodora Hand
Technology and Innovation
8 Nov 2024

When non-tech companies buy IT

Generally, there are three categories of information technology buyers: non-technology enterprises, ...

Duncan Card
Duncan Card
Dispute Resolution
17 Oct 2024

Cross-Border Disputes: Discovery and Evidence from Third Parties

John Wasty
Sam Riihiluoma
Jordan Knight
John Wasty, Sam Riihiluoma, Jordan Knight
050-Insolvency-Restructuring-Grid-Image
15 Oct 2024

Insolvency: Bermuda

In-Depth: Insolvency (formerly The Insolvency Review) offers an incisive review of the most conseque...

John Wasty
John Riihiluoma
James Batten
John Wasty, John Riihiluoma, James Batten
Appleby-Website-Insurance-and-Reinsurance
10 Oct 2024

Recovery planning for commercial insurers

New rules released by the Bermuda Monetary Authority aim to equip certain insurers with a structured...

Cathryn Minors
Cathryn Minors
The Global Website header
7 Oct 2024

The Global – your offshore corporate law questions answered: October 2024

The Global is a quarterly collection of corporate expert insights and analysis across Appleby's glob...

Duncan Card
Christophe Kalinauckas
Matt Mulry
Duncan Card, Christophe Kalinauckas, Matt Mulry
Brad Adderley, Bermuda Managing Partner at Appleby, will speak at the 2022 Society of Actuaries (SOA) Life Meeting on 23-26 August in Chicago.
2 Oct 2024

Bermuda: It’s Impressive How Mainstream Cat Bonds Have Become

Although Brad Adderley, Bermuda Managing partner at Appleby, doesn’t expect 2024 to be another rec...

Brad Adderley
Brad Adderley
Appleby-Website-Private-Client-and-Trusts-Practice
26 Sep 2024

Private Wealth and Private Client: Bermuda

In-Depth: Private Wealth and Private Client (formerly The Private Wealth & Private Client Review) pr...

Nicola Bruce
Nicola Bruce
Technology and Innovation
26 Sep 2024

Augmented Advocacy Series (Bermuda): The Practice of Law in the Age of AI

As the world enters the age of artificial intelligence, the legal profession is once again faced wit...

Kiara Wilkinson
Ligaya Sanchez-Wilson
Kiara Wilkinson, Ligaya Sanchez-Wilson
Private Client Trusts
12 Sep 2024

Mental health and estate planning

The demographic shift towards an ageing population in Bermuda raises important matters that should b...

Ryley Tannock
Ryley Tannock