VANCOUVER – If British Columbians can’t trust authorities to secure their sensitive medical records, there could be serious consequences to their health and a slump in scientific research, says the province’s privacy commissioner.
Elizabeth Denham is calling for immediate action by provincial health authorities to boost measures that safeguard citizens’ health information in the absence of disclosure laws.
Authorities aren’t legally obligated to report privacy breaches, but Denham wants that to change and made more than a dozen recommendations to patch the problem in a report released Wednesday. Data of concern could include HIV tests, mammograms or routine blood results, she said.
All provinces and territories, except for B.C., Saskatchewan and Quebec, have legislated or incoming requirements that order health authorities to reveal the inappropriate release of private information.
“It’s not in place here yet. It’s a problem,” Denham said.
People wary that their private information might be made public or accessed by someone other than their doctor could shy from disclosing health conditions, even though details are necessary to inform their diagnosis and treatment, Denham said.
Others might stop participating in important health research or get anxious about the use of electronic record systems, she added.
“Citizens expect when they go to the hospital or when they go to their care provider, their data is going to be robustly protected.”
Her report examined B.C.’s eight provincial health authorities, collecting information covering the past three years.
It revealed 3,000 suspected privacy breaches per year across those authorities. The privacy office was advised of less than one per cent of those, she said.
The review found the most common breach involved miscommunication, such as faxes sent to the wrong number or emails sent to the wrong accounts. The next most frequent problem was lost or stolen records, such as theft of a medical student’s unencrypted laptop or patient records taken from a physician’s car.
Less common but intrusive breaches involved health workers “snooping” in electronic records and deliberate social media disclosures, such as a physician posting a photo of a patient to their online account.
Denham said she plans to meet with executives of each health authority throughout the fall to provide them with specific report cards of their privacy performance.
Her report notes privacy leaders include Island Health and Fraser Health, which more actively monitor and analyze breaches. She also notes examples where the First Nations Health Authority has fallen down and points out that Vancouver Coastal Health lacks resources.
Denham called on provincial politicians to recommend health-breach reporting laws be strengthened in the current legislative review of the Freedom of Information and Protection of Privacy Act.
She also urged health executives to promote a culture of rigorous security and privacy controls by providing resources and tools for implementation of stronger practices.
Her recommendations to health authorities include regular staff training, proactive audits and prompt notification if a person’s personal information is breached in a situation that could cause harm or involves many individuals.
A statement from the B.C. Health Ministry said authorities will be accepting the recommendations.
“Ensuring personal privacy is everyone’s job in health care — and health authorities have been working diligently to reinforce this with staff.”
— Follow @TamsynBurgmann on Twitter