On February 21, 2017, an Ontario Justice of the Peace heard R v Barnim, an unreported privacy case dealing with a violation of the Personal Health Information Protection Act, 2004 (“PHIPA”). Ms. Barnim was, at the time of the violation, a registered social worker studying for a Masters of Social Work. She was completing a cooperative placement with a local health care team that held the personal health information (“PHI”) of 10,000 patients in its electronic medical records (“EMR”) system. Ms. Barnim’s duties were to provide social work services to patients who were assigned to her and to access their PHI in the EMR system for that purpose. She was not authorized to access the PHI of any other person for any other purpose.
Ms. Barnim pled guilty to one count of violating section 72(1) of PHIPA, which provides that “[a] person is guilty of an offence if the person, (a) wilfully collects, uses or discloses personal health information in contravention of this Act or its regulations…”. The single count refers to a specific day, February 24, 2015, upon which Ms. Barnim accessed the personal health information of five individuals without authorization. In fact, Ms. Barnim had only 47 patients, but she had accessed the information of 139 individuals between September 2014 and March 2015, a number of whom provided victim impact statements to the Court. In accordance with the joint submission from counsel, the Justice of the Peace ordered that Ms. Barnim pay a $20,000 fine as well as a $5,000 victim surcharge.
In her oral reasons, the Justice of the Peace found that Ms. Barnim had wilfully accessed the PHI of five individuals in violation of PHIPA. In determining that the $20,000 fine was appropriate, the Justice of the Peace took into account a number of factors including the devastating consequences to each of the victims, the significant number of victims involved, as well as the need for general deterrence to others working with PHI.
The Barnim case is not an isolated incident. Snooping has become increasingly common as personal information becomes accessible to more people electronically within the charity and not-for-profit sector. Cases like Barnim can damage the reputation of organizations whose staff violate the privacy of their patients and clients and could lead to claims in tort, as well as under PHIPA and other privacy legislation. Charities and not-for-profits whose staff have access to personal information should have clear privacy policies and controls in place and a strong internal audit system to ensure compliance with applicable laws and regulations.
