Alex Ostola, BA Hons., CRM

Picture this: you’re a physiotherapist working in a large hospital facility and your favourite artist, athlete, or celebrity is referred to your facility for treatment. 

You now have access to his private information. You can finally find out if those rumours are true (not to mention find out where he lives!). You just want to have a look; it’s a victimless crime, you tell yourself. No one will know… 

You pull his record, read it and return it in less than five minutes. There’s been no harm done, right? Or has there?

In reality, you’ve just committed a serious breach of privacy.


Upon reflection, it’s probably apparent that this kind of snooping is unethical. The fact is that this action actually borders on criminal. You might be telling yourself, “I would never do this.”

But nobody’s perfect. A momentary lapse in judgement can have major consequences. Five minutes of curiosity could lead to you being fined, restrictions being placed on your license, or even losing your job.

As a broker and risk management professional working with the CPA insurance program, I hear about all sorts of situations relating to improper practice behaviours. It’s my business to be informed about the various allegations made against physiotherapists, including improper access of patient records.

Record snooping by health professionals and their employees has also been reported in the media, so people are becoming much more aware of privacy breaches.    


Lawsuits and PHIPA

For instance, in the summer of 2016, Katie Mallinson of Mississauga, Ontario filed a $3,000,000 lawsuit alleging that her sister systematically and seriously breached her privacy by inappropriately accessing her patient records. Ms. Mallinson’s sister allegedly accessed her medical information using the computer in her workplace, an ophthalmology practice that shares records with a hospital group where Ms. Mallinson sought treatment.

You might also have heard about the hospital staff who inappropriately accessed Rob Ford’s personal information. 

Earlier this year, two medical radiation technologists (MRTs) were found guilty under Ontario’s Personal Health Information Protection Act (PHIPA) for accessing Mr. Ford’s patient records when he was undergoing treatment at the Princess Margaret Cancer Centre. The MRTs were the first in Ontario to be convicted under the province’s health privacy law and both received fines. 

Although there was no evidence that they used or shared Rob Ford’s personal information, the MRTs were not in his circle of care and so had no legitimate reason to access his records.


The simple answer

So what do you need to know to avoid finding yourself in a similar situation? With digitized personal information so easily accessible to healthcare professionals, there is an increased risk that privacy breaches will become a more frequent and systemic issue. 

The good news is that there is a simple answer: education. 

Ontario’s privacy commissioner Brian Beamish emphasizes education as essential to combat snooping. 

There may always be cases of snooping. However, most unintentional and/or non-malicious snooping can be eliminated with strong internal protocols and by educating yourself and your colleagues on appropriate procedures.

The government provides resources on understanding privacy legislation. For example, you can find resources on PIPEDA here.


Your employer may also have developed resources on applicable privacy legislation. As an example, you can find Niagara Health System’s resources for education on PHIPA (Ontario’s privacy legislation for health information) here. Not only should this kind of resource be made available to employees, but your employer should also explicitly communicate it to you and provide appropriate training. 

Being careful, asking questions, and understanding legislation and protocols can greatly reduce your risk of being involved in a privacy breach. If you have questions, ask someone – your supervisor, your colleague, legal counsel and your insurance broker are all valuable resources in helping you navigate this new, complex risk.  

Unfortunately, there isn’t a one-stop shop for education on your responsibilities as a regulated health professional. Properly understanding privacy legislation requires a mixture of personal initiative and government- or employer-provided resources and education.


Coverage can help

Because I’m an insurance broker, I feel I should devote at least a few sentences to insurance coverage. If you are involved in a privacy breach or become aware of one, you have certain reporting obligations. 

For instance, if you are in Ontario and you are the person in control and custody of the record that has been breached, you must notify the affected person and must also let them know they can make a complaint about the breach to the Information and Privacy Commissioner of Ontario. This may result in an investigation into the breach and you could also become involved in an investigation by your regulatory body. 

Luckily, if you’re reading this you’re probably a member of the CPA insurance program. With the CPA program, your individual professional liability insurance policy protects you if allegations are made relating to your professional practice, and an accusation of snooping would likely fall under your professional liability coverage. This means that the defence costs associated with a complaint would likely be covered by your insurance policy.


If you are looking for more robust cyber and privacy coverage, an optional, stand-alone Cyber Security and Privacy Liability insurance policy is also available through the CPA program. 

A data breach can be expensive (the $3M claim example above is a case in point). Some of these costs can be for damages awarded to the individual(s) involved, but other expenses can quickly add up, including defence costs, investigative costs, notification and response costs, regulatory penalties and more. 

The optional Cyber Security and Privacy Liability insurance policy that can be purchased in addition to your individual professional liability insurance will provide coverage for these costs. 


Over to you

The digitization of medical records and the potential snooping that it can generate has presented itself as a potential risk for physiotherapists – whether done intentionally, or by mistake in a fleeting moment of curiosity. 

There are already a number of incidents that have raised the profile of snooping in Ontario and across Canada and serve as a bellwether for snooping in general. Educate yourself, become familiar with the issues, and ask questions!

I’m curious about your experiences with patient privacy:

  1. Do you know your reporting obligations and who to notify if a privacy breach occurs? 
  2. Do you own a clinic? If so, what policies and procedures do you have in place around professional reporting obligations, confidentiality, and privacy of personal information and personal health information?
  3. In the event of an accusation of snooping or of a large-scale breach of patient information, are you properly protected?
  4. Do you think privacy breaches are a concern for physiotherapists now and in the future? Why?


#30REPS 2017 is brought to you by: