Information and Privacy Commissioner Ed Ring commented today on the recent privacy breaches which were disclosed to the public by Eastern Health CEO Vicki Kaminski: "I want the public to know that we have received inquiries and complaints about the incidents in which Eastern Health indicated that there were willful acts on the part of individual employees to inappropriately access electronic patient records. We are now commencing an investigation, but I must caution that this cannot be done overnight. It will take time, however, our findings will be made available to the public when our work is complete. This Office takes these concerns very seriously, and we support Ms. Kaminski's decision to present a strong message to the public and to Eastern Health's employees that willfully accessing the personal health information of others for inappropriate purposes is wrong and should not be tolerated."

Commissioner Ring also noted that two complainants from the province's west coast had come forward several months ago with concerns about the ability of a wide range of health professionals to access their personal health information through Western Health's electronic medical records system. That investigation is also ongoing.

Commissioner Ring went on to provide some further context on the issue of privacy and electronic health records: "The development of electronic medical records has been ongoing for more than two decades, not only in this province, but in every jurisdiction across Canada. Our provincial health authorities are not unique in the issues they have encountered involving privacy and electronic medical records. As the use of electronic medical records has evolved, there continues to be a struggle to find the balance between ensuring that staff have appropriate access in order to do their jobs, while at the same time finding ways to limit that access so that employees who do not need access will not have it. This is a very complex endeavor, requiring the expenditure of multiple millions of dollars over many years. It involves trying to implement newer parts of the electronic system which can work with older legacy systems having more limited functionality. It also requires raising the bar for the development of appropriate policies and procedures as well as training for employees."

Commissioner Ring added: "In any situation where there are thousands of employees, many of whom are required to work with sensitive personal health information, there are going to be a few individuals from time to time who will ignore protocols and rules and do the wrong thing. With an entirely paper-based system, however, it would have been impossible to know if someone intentionally viewed personal health information for inappropriate purposes. In this case, by conducting regular audits on their electronic medical records system, Eastern Health was able to determine that this inappropriate access had occurred, and to deal with it. Breaches will happen. Mistakes will happen. A few individuals will do the wrong thing. Any system created and maintained by human beings will have flaws. That is the case whether you are talking about an electronic records system or a paper one. The focus needs to be on finding ways to minimize the risks and trying to reduce the scope and frequency of those breaches so that the public can have confidence in how their personal health information is being handled."

In investigations such as these, the goal of the Office of the Information and Privacy Commissioner is to review the practices, policies, procedures, and training utilized by the health authority in question, as well as the functional capability of the electronic medical records system being utilized, to see how the privacy breaches occurred, as well as what can be done to prevent or minimize further breaches in the future.

- 30 -

Media contact:

Ed Ring
Information and Privacy Commissioner
709-729-6309