The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Friday, March 11, 2005
The San Jose Mercury News is reporting on an interesting development. HMO Kaiser Permanente is informing 140 of its insureds that a former employee posted confidential medical information on her blog. She says that it is Kaiser Permanente's fault, but that is beside the point to the 140 people involved. See the Mercury News (registration req'd):
MercuryNews.com | 03/11/2005 | Patients' private data put online:"In a troubling episode involving medical privacy in the digital age, Kaiser Permanente is notifying 140 patients that a disgruntled former employee posted confidential information about them on her Weblog.
The woman, who calls herself the "Diva of Disgruntled," claims it was Kaiser Permanente that included private patient information on systems diagrams posted on the Web, and that she pointed it out.
The health care giant learned of the breach from the federal Office of Civil Rights in January, said Kaiser spokesman Matthew Schiffgens. Kaiser has been investigating ever since, Schiffgens said, but it wasn't until Wednesday that it asked the Internet service provider hosting the blog to remove the information...."
Jeff Drummond at HIPAA Blog has some interesting things to say about the incident:
HIPAA Blog:"...The article indicates that the blogger could be subject to HIPAA penalties for the disclosure. One of my fellow HIPAAcrats on the AHLA HIT list noted that the article is wrong in this regard, since Kaiser will be the one subject to the penalties. Rightly or wrongly, in light of the Gibson case, I disagree. The blogger would certainly be subject to a HIPAA enforcement action if the Department of Justice were so inclined to take that route. Kaiser would also be subject to an enforcement action for the original posting on the technical Web site, but their defense would be one of inadvertence. It would be hard for the blogger to make that claim for her intentional posting."
Update: The former employee at issue has her blog still up and running. Not only that, but she's posted a comment on the publicity surrounding this incident:
corphq: Kaiser Trying to Rile Up Patients?:"Kaiser Trying to Rile Up Patients?
Just read the Mercury News story: http://www.mercurynews.com/mld/mercurynews/11110907.htm
It looks like Kaiser is now informing patients of the 'unlawful disclosure'. The only reason why I can think they would do this now is that Kaiser hopes to whip up people against me. If Kaiser really thought people should know about the patient information, they would have informed people months ago when they quietly took the Systems Diagrams *they* posted offline.
Kaiser had the patient information posted online since *2002* at http://docviewer.tripod.com. Here is my blog post from July 2004 where I first pointed it out: http://www.livejournal.com/users/corphq/10816.html
Kaiser did not respond to my complaints or inform the patients at that time, and they did not take the Systems Diagrams down until September. Still not a word to the patients.
I also find it interesting that I couldn't get the press to cover it when I contacted everybody and their grandmothers to show what Kaiser had done. Now that Kaiser wants to hound me, however, the press is interested...."
Thanks to Health Care Blog Law for the above link: Health Care Blog Law : Private Patient Data Posted Online Blog by Disgruntled Former Kaiser Employee
Labels: health information, information breaches
The Canadian Privacy Law Blog is licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.