Ellen Xu Student Writer, Windsor Law LTEC Lab J.D., 2019
The convenience of today’s technology makes it possible to track your health and fitness with your phone. The Apple Health app can track your sleeping hours, your weight, your diet, and the amount of physical activity you’re doing. The convenience of mobile apps on our smartphones today help us remain aware of our physical health or can be used to implement healthier lifestyle habits. Technology also has become a helpful addition to medical records systems, allowing hospitals to now store patient data electronically, in addition to, or even in replacement of, paper records. Given the fast pace in which technology is developing, it is important to understand your privacy rights, how your information is being handled, and how you can best protect yourself from unwanted breaches of privacy.
There are many advantages to the increase of technology in the health and medical fields. Health and wellness apps allow you to receive health advice right at your finger tips, and electronic records can be more easily stored, organized, and shared with other healthcare providers. At the same time, convenience comes with a price. The down side to electronic records and health apps is that they are more susceptible to cyber attacks and phishing, and using health apps to track so much personal medical information means that your information may now be in the hands of the company that owns the app.
Looking at electronic health records, the biggest downside to electronic health records seems to be their increased susceptibility to hacking or misappropriation. In 2017, a number of health record breaches and phishing incidents occurred across the US, such as the Henry Ford Health System hack that potentially affected the health data of 18,470 patients, or the MongoDB databases in which three hacking groups hijacked 26,000 open servers and demanded a ransom in exchange for releasing the data. [1] There are no remedies for alleviating these breeches, and the only advice from the security community is to change all default settings upon installing MongoDB.[2] To its credit, Henry Ford Health has since announced that it is increasing initiatives around email retention and multi-factor authentication to prevent future privacy breaches.[3] In Canada, one of the biggest health data breaches occurred in Alberta in 2014, in which the unencrypted laptop of an IT consultant for a Medicentre Family Health Care Clinic in Edmonton resulted in a breach that potentially affected as many as 620,000 patients across 27 Medicentre locations in Canada.[4]In response to this incident, a class-action lawsuit was launched, which was settled in 2016 for a total amount of $750,000 to resolve “credit damage, mental distress, increased risk of future identity theft and time and costs associated with preventing identity theft.”[5]
Electronic Health Records (EHRs) can be protected by both technical, administrative and legal means. Digital safeguards such as encryption, password protection, and tracking/logging of what changes have been made to your health records, and by whom, can better assist with investigation into privacy breaches.[6] On the legal front, both federal and provincial statutes regulate protection for digital information. In the US, the Health Insurance Portability and Accountability Act (HIPAA),[7] a federal statute that governs the privacy and security of personal health information (PHI), has strict notification requirements for data and privacy breaches.[8] In Canada, the recent enactment of the Digital Privacy Act[9] in 2015 addressed one of the major gaps in federal law. The Digital Privacy Act amends portions of the Personal Information Protection and Electronic Documents Act (PIPEDA),[10] including proposing mandatory reporting obligations for privacy breaches.[11] The mandatory reporting obligations proposed by the Digital Privacy Act include, notifying individuals whose information may have been affected,[12] making an official report to the Office of the Privacy Commissioner (OPC),[13] and retaining records of all data breaches[14] that are made available to the Commissioner upon request.[15] The OPC is an agent of Parliament that oversees compliance with the Privacy Act and PIPEDA.[16] Although this is a significant legislative change that sets a national standard in Canada for the expectation of privacy protection measures that users can expect, sections of the legislation pertaining to mandatory reporting obligations will come into effect on November 1, 2018.[17] Until then, only four provinces in Canada have mandatory reporting obligations: Alberta for the private sector, and Ontario, New Brunswick and Newfoundland and Labrador for the healthcare sector.[18]
Privacy protection legislation in Canada is divided into provincial and federal legislation. The above mentioned PIPEDA as well as the Privacy Act [19] regulate privacy and data protection at the federal level. Data protection exists at the provincial level as well. Per s 26(2)(b) of PIPEDA:
(2) The Governor in Council may, by order, … (b) if satisfied that legislation of a province that is substantially similar to this Part applies to an organization, a class of organizations, an activity or a class of activities, exempt the organization, activity or class from the application of this Part in respect of the collection, use or disclosure of personal information that occurs within that province.
This means that in place of PIPEDA, provincial statutes that are deemed “substantially similar” are followed in place of PIPEDA in that province. Ontario is one such province in which a provincial statute is deemed “substantially similar” to PIPEDA. In Ontario, the Personal Health Information Protection Act (PHIPA)[20] governs privacy protections for PHI within the health care sector. Recent legislative changes in Ontario have strengthened the protections for PHI in PHIPA following bill 119, Health Information Protection Act, 2016,[21] which came into effect on May 18, 2016. The amendments made by bill 119 to PHIPA include, mandatory reporting of any privacy breaches to the Information and Privacy Commissioner of Ontario (IPC),[22] removing the requirement that prosecutions must be commenced within 6 months of the alleged privacy breach,[23] and doubling fines for “snooping” under PHIPA from $50,000 to $100,000 for individuals, and from $250,000 to $500,000 for organizations.[24] The amendments also add that health information custodians must take steps to ensure PHI is not collected without authority.[25] These safeguards are meant to strengthen privacy rules to prevent breaches from occurring and providing a clearer process for redress should breaches occur. The Information and Privacy Commissioner (IPC) at the provincial level in Ontario[26] acts independently of government to “uphold and promote open government and the protection of personal privacy.”[27] The IPC strongly recommends health agencies develop a privacy breach protocol, and has provided the following suggestions for what a privacy breach protocol should contain: Step 1, immediately implement privacy breach protocol, which includes notifying the IPC with details of the event in some instances; step 2, stop and contain the breach; step 3, notify those affected by the breach; step 4, investigation and remediation.[28]
This rise of mobile apps has flooded into the health sector as well. Health and wellness related apps are numerous, often acquiring ample amounts of personal information from clients during the course of their use. While legal protections exist, companies may not necessarily be implementing adequate protection measures in place. A study published in 2017 looked at 125 apps that matched the search terms for “medical + dementia” or “health & fitness + dementia” and found that only 33 of those apps had available privacy policies.[29] Another study published in March 2016, which looked at 211 Android diabetes apps found that 81% of them did not have a privacy policy. Of the 19% (41 apps) that did have privacy policies, 80.5% of them collected user data, and 48.8% would share user data with third parties, but only 4 policies (just under 10%) would ask users for permission to share data.[30]
What can you do to protect yourself? Best practices include being aware of the security settings of these apps (i.e. password protection, keeping your mobile devices safe and security features up to date) and knowing where your information is stored and how it’s used (i.e. checking the privacy policy of the app, knowing what information the apps are collecting and sharing). Ultimately, if you are not confident that those you share your information with via the app will respect your privacy and treat that information appropriately then you may want to think twice before using this app.
* Notice: Windsor Law LTEC Lab provides a platform to students, faculty and legal practitioners to express their views about various topics relating to law and technology. This note was written by a Windsor Law LTEC Lab student writer. This is not a legal opinion. Should you have legal questions on the matters discussed in this note, you should consider seeking independent legal advice.
[1]Health IT News, “The biggest healthcare breaches of 2017”, Health IT News (6 December 2017), online: < http://www.healthcareitnews.com/slideshows>. [2]Jane McCallion, “26,000 unsecured MongoDB servers hit by ransomware”, IT Pro (6 September 2017), online: < http://www.itpro.co.uk/security>. [3]Jessica Davis, “Hackers breach Henry Ford Health, exposing data of 18,000 patients”, Health IT News(6 December 2017), online: < http://www.healthcareitnews.com/news>. [4]Marianne Kolbasuk McGee, “Breach among largest ever in Canada”, Data Breach Today(23 January 2014), online: < https://www.databreachtoday.com>. [5]Bill Mah, “Settlement reached in lawsuit after laptop stolen from Edmonton Medicentre”, Edmonton Journal(1 May 2016), online: < http://edmontonjournal.com/news/local-news>. [6]Canada Health Infoway, “Digital health information and your privacy”, Better Health Together, online: < https://www.betterhealthtogether.ca>. [7]Pub. L. 104-191, 110 Stat. 1936, enacted August 21, 1996. [8]45 CFR §§ 164.400-414. [9]SC 2015, c 32. [10]SC 2000, c 5. [11]Supra note 9 at s 10.1. [12]Ibidat s 10.1(3). [13]Ibidat s 10.1(1). [14]Ibid at s 10.3(1). [15]Ibidat s 10.3(2). [16]Office of the Privacy Commissioner of Canada, “About the OPC”, Office of the Privacy Commissioner of Canada(14 September 2016), online: < https://www.priv.gc.ca/en>. [17]Order in Council, 018-0369,March 26, 2018. [18]Government of Canada, “For discussion – data breach notification and reporting regulations”, Government of Canada(4 March 2016), online: <https://www.ic.gc.ca>. [19]RSC 1985, c P-21. [20]SO 2004, c 3. [21]SO 2016, c 6. [22]Ibidat s 4. [23]Ibidat s 27. [24]Ibidat s 26. [25]Ibidat s 3. [26]Information and Privacy Commissioner of Ontario, “About the Commissioner”, Information and Privacy Commissioner of Ontario, online: < https://www.ipc.on.ca>. [27]Information and Privacy Commissioner of Ontario, “Access”, Information and Privacy Commissioner of Ontario, online: < https://www.ipc.on.ca>. [28]Information and Privacy Commissioner of Ontario, “Privacy Breach Protocol”, Information and Privacy Commissioner of Ontario, online: < https://www.ipc.on.ca>. [29]Lisa Rosenfeld, John Torous & Ipsit V Vahia, “Data security and privacy in apps for dementia: an analysis of existing privacy policies” (2017) 25:8 American Journal of Geriatric Psychiatry 873. [30]Sarah R Blenner et al, “Privacy policies of Android diabetes apps and sharing of health information” (2016) 315:10 Journal of the American Medical Association 1051.