Office of the Information and Privacy Commissioner
March 30, 2010
Newfoundland and
Labrador's Information and Privacy Commissioner Comments
on Recent Privacy Concerns about Electronic Health
Records
Information and Privacy Commissioner Ed Ring
commented today on the recent privacy breaches which
were disclosed to the public by Eastern Health CEO Vicki
Kaminski: "I want the public to know that we have
received inquiries and complaints about the incidents in
which Eastern Health indicated that there were willful
acts on the part of individual employees to
inappropriately access electronic patient records. We
are now commencing an investigation, but I must caution
that this cannot be done overnight. It will take time;
however, our findings will be made available to the
public when our work is complete. This Office takes
these concerns very seriously, and we support Ms.
Kaminski's decision to present a strong message to the
public and to Eastern Health's employees that willfully
accessing the personal health information of others for
inappropriate purposes is wrong and should not be
tolerated."
Commissioner Ring also noted that two complainants
from the province's west coast had come forward several
months ago with concerns about the ability of a wide
range of health professionals to access their personal
health information through Western Health's electronic
medical records system. That investigation is also
ongoing.
Commissioner Ring went on to provide some further
context on the issue of privacy and electronic health
records: "The development of electronic medical records
has been ongoing for more than two decades, not only in
this province, but in every jurisdiction across Canada.
Our provincial health authorities are not unique in the
issues they have encountered involving privacy and
electronic medical records. As the use of electronic
medical records has evolved, there continues to be a
struggle to find the balance between ensuring that staff
have appropriate access in order to do their jobs, while
at the same time finding ways to limit that access so
that employees who do not need access will not have it.
This is a very complex endeavor, requiring the
expenditure of multiple millions of dollars over many
years. It involves trying to implement newer parts of
the electronic system which can work with older legacy
systems having more limited functionality. It also
requires raising the bar for the development of
appropriate policies and procedures as well as training
for employees."
Commissioner Ring added: "In any situation where
there are thousands of employees, many of whom are
required to work with sensitive personal health
information, there are going to be a few individuals
from time to time who will ignore protocols and rules
and do the wrong thing. With an entirely paper-based
system, however, it would have been impossible to know
if someone intentionally viewed personal health
information for inappropriate purposes. In this case, by
conducting regular audits on their electronic medical
records system, Eastern Health was able to determine
that this inappropriate access had occurred, and to deal
with it. Breaches will happen. Mistakes will happen. A
few individuals will do the wrong thing. Any system
created and maintained by human beings will have flaws.
That is the case whether you are talking about an
electronic records system or a paper one. The focus
needs to be on finding ways to minimize the risks and
trying to reduce the scope and frequency of those
breaches so that the public can have confidence in how
their personal health information is being handled."
In investigations such as these, the goal of the
Office of the Information and Privacy Commissioner is to
review the practices, policies, procedures, and training
utilized by the health authority in question, as well as
the functional capability of the electronic medical
records system being utilized, to see how the privacy
breaches occurred, as well as what can be done to
prevent or minimize further breaches in the future.
- 30 -
Media contact:
Ed Ring
Information and Privacy Commissioner
709-729-6309
2010 03 30 3:55 p.m.