More clarity needed on health information breaches

Opinion

Hey there, time traveller!
This article was published 02/01/2019 (2469 days ago), so information in it may no longer be current.

You don’t have to be a high-profile professional athlete to want assurance your personal health information is safe from snooping eyes.

After a Grace Hospital employee inappropriately accessed the electronic patient records of five members of the Winnipeg Jets hockey team in 2015, the employee was fired. It didn’t matter that the employee was an overeager Jets fan who was only seeking further details on the extent of the players’ injuries. Hospital authorities alerted the individual players about the violation.

But the authorities didn’t alert the public about the breach and, unfortunately, that lack of public accountability is typical with instances of improper access to the electronic health files that are entrusted to hospitals and the Winnipeg Regional Health Authority (WRHA).

How often are the health files of patients inappropriately accessed? The WRHA won’t share the statistics.

How many WRHA staffers have been disciplined for breaching the province’s Personal Health Information Act? Again, the WRHA won’t say, and there’s no legislation in Manitoba requiring it to divulge this information.

Manitoba’s acting ombudsman, Marc Cormier, wants to change that. He has recommended that the WRHA and other trustees of health information be obliged to report privacy breaches to the ombudsman’s office. The province is currently reviewing both the Personal Health Information Act and the Freedom of Information and Protection of Privacy Act.

Of course, no one is suggesting the WRHA publicly report the identities of patients whose records have been invaded; such revelations would only compound the problem by further violating their privacy.

Also, it’s unlikely the WRHA would identify staff members caught snooping. The employees’ personal privacy is likely protected from publication by provincial employment standards, and possibly also by union contracts. An exception would be serious cases in which criminal charges are laid and the identity of the alleged wrongdoer is disclosed in court.

But without identifying either the victim or the prying perpetrator, there’s still considerable benefit to be gained from tracking the instances of patient-record intrusions, how they happened and, in general terms, what disciplinary action was taken. As Mr. Cormier pointed out, the ombudsman’s office would provide guidance to the people in charge of health records and examine how they can fix the problems.

The security of health records has come a long way from the days of paper records kept in file folders in metal-drawered cabinets. Electronic record-keeping has meant an individual’s personal health information is only a click away for a large circle of health professionals, which has brought both advantages and dangers.

The public can only hope internal workplace procedures protect records from unscrupulous medical staff, and institutions keep up-to-date with the latest electronic defences against malware and hackers. But the public can’t judge if adequate defences are in place because the Manitoba medical system doesn’t adequately report the number of security breaches.

Beginning in March, Ontario is requiring annual statistics about privacy breaches from the authorities in charge of records at hospitals, personal-care homes, doctors’ offices, clinics and laboratories. This information must record the number of times in the previous year personal health information was stolen, lost or used without authority.

It seems like a model Manitoba could consider as it reviews current legislation. It’s to the credit of the province and the ombudsman’s office that they are showing serious concern for the health-record privacy of citizens.

These relatively minor leaks should be plugged before they become a flood.