Personal Health Information and Privacy Rights
Have you seen health information privacy breaches featured in the news recently?
The six cases featured in this article are an important reminder of the responsibility health professionals have in protecting patient information.
Strong privacy protection together with appropriate and secure access to health information plays an important role in our health care system.
While health professionals need appropriate access to patient health information in order to provide safe and effective care, patients need to be able to trust that their personal information will be kept secure.
“One of the most important dealings citizens have with their government is when they entrust their personal information to health care providers. Whether it involves cancer treatment records, records of a person’s hospitalization, mental health treatment, or the results of an HIV test, British Columbians share, by necessity, far more sensitive personal information with the health care system than any other sector.”
When a privacy breach occurs, patients can quickly lose trust in the health care system and the health professionals providing care. This puts patient safety at risk. As a result, there is a need for high standards for health privacy protection.
Recent Privacy Breaches
These recent health information privacy breaches serve as an important reminder to ensure you are taking appropriate steps to keep patient information secure and confidential.
While some investigations have revealed incidents of pharmacy professionals showing blatant disregard for ethical and legal obligations surrounding health information, several investigations have also found a lack of effective administrative, technical and physical safeguards in place to protect patient information.
Investigation Showed Pharmacy Manager Inappropriately Accessed 46 People’s Personal Health Information
In August 2018, Nova Scotia’s Information and Privacy Commissioner shared the results of an investigation into a series of privacy breaches by a pharmacy manager employed by Sobeys National Pharmacy Group.
The investigation found that over a two-year time period the pharmacy manager had violated patient trust and routinely searched through prescription and contact information of people she knew, who were not her patients. In many cases, she had created false customer profiles in order to gain access to the patient information.
Out of curiosity, the pharmacy manager had used the province's Drug Information System to check on her child's girlfriend, the girl's parents, her child's friends and teachers, her relatives and even someone with whom she had had a car accident.
The Commissioner’s Office issued separate reports for Sobeys National Pharmacy Group and the Department of Health and Wellness of Nova Scotia, with recommendations for greater auditing against snooping.
Pharmacist Disciplined for Privacy Breach by New Brunswick College of Pharmacists
In February 2018, the New Brunswick College of Pharmacists disciplined a pharmacist for a privacy breach that involved texting information about a patient to someone outside that person's "circle of care".
Pharmacist Sentenced by Alberta Court for Privacy Breach
In 2017, following an investigation by the Office of the Information and Privacy Commissioner of Alberta, a pharmacist pleaded guilty to accessing 104 patients’ medical records despite having no formal patient-pharmacist relationship with these patients. He was sentenced by the Court of Queen's Bench of Alberta to three months of house arrest, three months of a court-imposed curfew and also ordered to perform 20 hours of community service.
"The court in these types of offences is concerned with sending a message to not only Mr. Alsaadi but any others that patient information is very important and privacy rights are extremely important in a modern society."
- Justice Paul Belzil, Court of Queen's Bench of Alberta
The pharmacist is also going through the Alberta College of Pharmacists hearing process.
Privacy Breaches by 49 Employees at Alberta Health Services
In 2017, an investigation by the Office of the Information and Privacy Commissioner revealed that 49 Alberta Health Services employees had accessed and used the health information of a patient and her daughter for unauthorized purposes.
An Alberta Health Services audit identified 160 employees who accessed the health information of the patient, or both the patient and her daughter. Most of the accesses were authorized under the Health Information Act; however, 49 employees, including managers, nurses, and non-nursing or clerical staff, were found to have accessed health information outside their role of providing a health service.
The Office of the Information and Privacy Commissioner of Alberta found that the accesses made by these employees were in contravention of the Health Information Act and that Alberta Health Services did not take reasonable steps to put technical and physical safeguards in place to protect the information. They also provided Alberta Health Services with a series of recommendations on how to respond to the privacy breaches.
Manitoba Ombudsman Privacy Investigation Report
A 2017 Ombudsman report concerning a Manitoba Health breach, which detailed the investigation of an employee who accessed the medical records of his estranged daughter, colleagues and other public officials, found that Manitoba Health didn’t do enough to mitigate the risks of privacy breaches.
"Organizations that hold personal health information must have policies, procedures and safeguards in place to ensure that this information is only accessed by employees who have a legitimate work-related purpose for doing so. Employees need to know that snooping into the personal health information of others is a very serious matter."
- Charlene Paquin (via CBC)
The Ombudsman’s investigation reviewed Manitoba Health’s typical response to unauthorized privacy breaches and how it prevents, detects, and ultimately reacts to such breaches, and provided recommendations that included reviewing Manitoba Health’s policies and procedures and developing a regular audit process to see who is accessing records and why.
Examination of British Columbia Health Authority Privacy Breach Management
In 2015 the Office of the Information and Privacy Commissioner of BC completed an Examination of British Columbia Health Authority Privacy Breach Management which identified existing gaps in privacy protection, including the need for:
- Increased compliance monitoring and risk assessment in order to identify gaps in privacy management programs and proactively resolve issues before breaches occur;
- Greater awareness by all staff, through regular mandatory training, regarding their duties and responsibilities for ensuring privacy and security of personal information;
- Stronger governance and leadership in creating a culture of privacy;
- A review of resources to ensure that privacy officers are equipped with the staff and tools needed to build and maintain adequate privacy management programs.
Protecting Patient Confidentiality and Health Information in BC
There are many layers to ensuring personal health information is protected – from following BC’s privacy legislation and establishing appropriate operational policies, to upholding ethical obligations. Modern pharmacy practice also uses a number of pharmacy database systems, such as PharmaNet in BC, for tasks that include data collection and patient record management, which also require high standards to ensure health information security.
Privacy Protection Legislation in BC
In British Columbia, there are two distinct pieces of legislation governing the protection of privacy:
- Public bodies (such as health authorities and the College) fall under the Freedom of Information and Protection of Privacy Act (FOIPPA).
- Businesses (such as community pharmacies) fall under the Personal Information Protection Act (PIPA).
Code of Ethics
Standard 4 of the College’s Code of Ethics sets out requirements for ensuring patient information is kept confidential.
- Registrants respect their patients’ right to privacy and confidentiality.
- Registrants do their utmost to protect patient confidentiality when they share patient information with colleagues or other health care professionals.
- Registrants do not disclose confidential information without the consent of the patient, unless provided for by law or by the need to protect the welfare of the individual or the public interest.
- Registrants maintain confidentiality in creating, storing, accessing, transferring and disposing of records they control.
Pharmacy System Security
PharmaNet is a valuable tool for protecting public safety. It allows pharmacy professionals to review a patient’s complete medication history and check a prescription for drug allergies and harmful drug interactions before dispensing medication.
In order to uphold legislative requirements and ethical obligations regarding patient privacy and confidentiality, it is vital that pharmacies practice proper system security when using PharmaNet or other pharmacy database systems.
The Pharmacy Operations and Drug Scheduling Act (PODSA), Bylaws, s. 21, sets out the following rules regarding Data Collection, Transmission of and Access to PharmaNet Data:
s. 35 (2) A registrant may collect and transmit patient record information to PharmaNet or access a patient’s PharmaNet record only
(a) to dispense a drug,
s. 35 (3) A registrant may collect and transmit patient record information to PharmaNet or access a patient’s PharmaNet record only for the purposes of claims adjudication and payment by an insurer.
All registrants should ensure their network accounts are secure and remember they are ultimately responsible for all activity associated with their licence number.
The PharmaNet Professional and Software Compliance Standards, Volume 5 provides standards for PharmaNet System Security with regards to:
- User IDs
- Passwords, and
- Other Authentication
- The Office of the Information and Privacy Commissioner of BC has many resources including guidance documents, toolkits and more.
- The International Association of Privacy Professionals also has many resources, including training webinars, toolkits, and more.
- The Pharmacy Matters: Pharmacy System Security ReadLinks article includes a reminder on how to practice proper system security when using PharmaNet or other pharmacy database systems.