Section 88 opens in new window of Personal Health Information Act (PHIA) outlines the instances in which a person, custodian or information manager may be charged with an offence and the penalties for such occurrences. Generally where the Commissioner believes there are reasonable grounds for a criminal prosecution based on the particular facts of each case, the Commissioner will lay a charge or charges against the person, custodian or information manager. The proceedings will be heard in the Provincial Court of Newfoundland and Labrador at the court house located closest to where the incident(s) occurred. To be successful, the evidence presented must establish the elements of the offence beyond a reasonable doubt.
In relation to a person, which includes not only an individual but a board, commission, tribunal, partnership, association, organization or other entity, an offence occurs where:
- the person, who is not entitled to access the information, intentionally obtains or attempts to obtain the personal health information of another individual; or
- the person intentionally makes a false statement to, or misleads or attempts to mislead, the commissioner or another person performing duties or exercising powers under PHIA; or
- the person intentionally obstructs the commissioner or another person performing duties or exercising powers under PHIA; or
- the person intentionally destroys or erases personal health information with the intent to evade a request for access to the information.
In relation to a custodian or information manager as defined in section 2(l) of PHIA, an offence occurs where:
- the custodian or information manager collects, uses or discloses personal health information in a manner which is contrary to the provisions of PHIA;
- the custodian or information manager fails to protect personal health information in a secure manner as required by PHIA; or
- the custodian or information manager discloses personal health information in a manner which is contrary to the provision of PHIA with the intent to obtain a monetary or other material benefit for themselves or another person.
However, if a custodian or information manager can establish that it took all reasonable steps to prevent the occurrence of a situation outlined in (a) or (b) then no offence will have occurred.
If the Court is satisfied beyond a reasonable doubt that any of the offences outlined above have been established, the person will be found guilty of a criminal offence and sentencing can include a fine up to $10,000 or imprisonment for up to six (6) months, or both.
As of March, 2016, the Commissioner has laid charges in two instances opens in new window . Both instances involved individuals who intentionally accessed the personal health information of other individuals on multiple occasions outside of the scope of their job responsibilities and duties. These individuals were employed by two of the Regional Health Authorities: Eastern Health and Western Health.
In relation to the individual employed with Western Health, an investigation was initiated after allegations of inappropriate access were made against the employee. It was later determined that 1,043 patients had their personal health information inappropriately accessed by the employee. The individual pled guilty and a conviction was entered. In September, 2014 a fine of $5000 was imposed.
In respect of the individual employed with Eastern Health, the charge involved 18 instances of inappropriate access over the course of one (1) year. The access was discovered as the result of an audit process employed by Eastern Health. In October, 2014, the individual was found guilty by Judge Gregory Brown and fined $1000.
Both individuals were also removed from their employment.