Dr. Omar Afandi used his electronic health record access privileges at Windsor Regional Hospital to look for parents of newborn boys to solicit their business, Ontario’s information and privacy commissioner wrote in a report. Rob Gurdebeke/The Canadian Press

Ontario’s information and privacy commissioner has ordered a Windsor doctor and his private clinic to pay thousands of dollars in fines for privacy breaches in a case she calls a “cautionary tale” for other health startups.

Commissioner Patricia Kosseim wrote in a recent decision that a doctor with privileges at Windsor Regional Hospital used his electronic health record access there to look for parents of newborn boys and contact them to offer circumcisions at a clinic he partly owns.

Kosseim writes that Dr. Omar Afandi has acknowledged his wrongdoing and is remorseful, but his breach was serious and he should pay a $5,000 penalty under Ontario’s personal health information law.

The harm in this case should not be underestimated, she wrote.

“These patients had just given birth and could have been in a vulnerable emotional state,” Kosseim wrote.

“Being disturbed by someone out of the blue who would have contacted them by phone to offer circumcision services at a private clinic could have left many of them highly perturbed, questioning how such a physician, unrelated to their care, got access to their phone number and other (personal health information) in the first place.”

Afandi conducted the searches 146 times, through which he could have viewed the personal health information of up to 831 patients, Kosseim wrote. He maintains he did not open their charts, and only ended up texting 17 people and calling up to 74 people to solicit their circumcision business.

The doctor stood to make $350 – minus $35 paid to the clinic as overhead – from each circumcision, and performed one for a family whose business was solicited this way, the decision said.

The monetary penalty against Afandi should discourage him and others from trying to unlawfully gain access to patients’ personal information for direct or indirect financial gain, Kosseim wrote.

As well, she found that the WE Kidz Pediatrics clinic was operating without any privacy management program and should pay $7,500.

“I believe it is a reasonable amount to encourage WE Kidz and other startups in the health sector to respect and comply with their basic obligations as custodians under (the law) and ensure that these foundational protections are in place prior to commencing their operations,” she wrote.

WE Kidz said in a statement that it is strengthening its internal privacy policies and ensuring they are fully aligned with all current regulations.

“These actions reflect our continued commitment to the protection of patient information and the safety of those we serve,” the company wrote.

These are the first administrative monetary penalties issued by a privacy commissioner in Canada, Kosseim said, and were done under new powers her office was granted last year.

Regarding the WE Kidz findings in particular, Kosseim wrote that other private health enterprises should take note of this decision.

“This case should serve as a cautionary tale for any startup in Ontario’s health sector that decides to put the cart before the horse, and begin operating without the necessary privacy policies, procedures and practices in place,” she wrote.

The hospital itself was not found to be in breach of the law, and had good privacy practices in place, Kosseim wrote, though she suggested some ways for them to be improved.

Windsor Regional Hospital did not offer comment on Kosseim’s decision, but said in a previous statement it had revoked Afandi’s privileges and alerted the privacy commissioner.
