Manitoba’s Personal Health Information Act has a hole that needs plugging, Manitoba’s acting Ombudsman Mel Holley said in a report released today.
Holley said an investigation into a privacy breach of the Personal Health Information Act (PHIA) by an employee at CancerCare Manitoba has revealed there is no penalty for the unauthorized access of private electronic health records. A penalty, a fine up to $50,000, can only be applied when there is a willful disclosure of a person’s private health information.
Holley said he’s spoken to Manitoba Health about beefing up PHIA so that it deters workers with access to electronic patient records from "snooping."
He said "snooping" is an evolving privacy issue that arises due to curiosity and the ease of access to electronic medical records (EMR) as they become more and more common.
"Given our increasing reliance on electronic health record systems, and the potential for employee snooping, there must be strong sanctions that will serve as a deterrence," Holley said in a statement.
In the case at hand, a mother suspected a CancerCare Manitoba worker of going into her daughter’s personal health information. The girl was diagnosed with cancer in early April 2011. The mother reported her concerns to the Ombudsman’s office, which investigates privacy breaches.
It was found that the employee's access to the child's personal health information on April 13, 2011, was a breach of privacy because the employee did not need to access it for a work-related purpose.
The investigation also found the employee accessed the girl’s records for two minutes and two seconds. The employee also opened three tabs to view the contents, which indicates that the information was not accessed accidentally.
"As the child’s EMR had just been created, little information was available at that time and in fact, the employee viewed only the child’s name and cancer registry number in the EMR," the investigation report says.
"This information falls within the definition of personal health information under PHIA as it relates to the individual’s health and the provision of health care to her by CancerCare. Additionally, the cancer registry number is an identifying number assigned to the child."
The Ombudsman’s office also made recommendations to CancerCare Manitoba to tighten up its protection of electronic personal health information and to apologize to the complainant.
Holley said in the report that CancerCare has told his office that disciplinary action had been taken against the employee and that since the breach, quarterly patient access logs about this patient are to be retrieved and reviewed for a period of one year.
CancerCare also advised that the breach serves as a reminder to provide more regular PHIA training to longer-term employees.