Office of the Information and Privacy Commissioner
February 14, 2013

Office of the Information and Privacy Commissioner – Report PH-2013-001 Released

The Information and Privacy Commissioner, Ed Ring, has released his Report PH-2013-001 under authority of the Personal Health Information Act (PHIA). A summary of the Report is included below. The Commissioner commented that “Given the current focus on the development of electronic records within the healthcare sector, there is a need for continued vigilance by Regional Health Authorities and other custodians of personal health information to ensure that privacy protection keeps pace.” Furthermore, the Commissioner indicated that “While this report is specifically in relation to Western Health, the Meditech system is in use by Regional Health Authorities throughout the province, therefore I hope my recommendations will be considered in detail by all of them.”

To view the report in its entirety, please go to www.oipc.nl.ca/PHIAprivacyreports.htm

Report: PH-2013-001
Report Date: February 11, 2013
Public Body: Western Regional Health Authority

Summary:

The Office of the Information and Privacy Commissioner (OIPC) received two Privacy Complaints under the Access to Information and Protection of Privacy Act (“ATIPPA”) from two separate individuals regarding the Western Regional Health Authority (“Western Health”). Each of the Complainants alleged that their personal health information was not adequately protected pursuant to section 36; was improperly used pursuant to section 38; and was improperly disclosed pursuant to section 39, of the ATIPPA. The complaints were broad in scope, expressing concern over the number of people who had access to patients’ personal health information, what personal health information could be accessed, and for what reasons that access could occur. Specifically, the complaints were directed at concerns about the electronic records system in use by Western Health, known as Meditech.

Subsequent to receipt of the complaints by the OIPC, the Personal Health Information Act (“PHIA”) was proclaimed into law. The Commissioner found that had this legislation been proclaimed at the time the Complaints were filed, they would have more properly been brought under that Act. Furthermore, as Western Health is bound to bring its personal health information policies and practices within the scope of PHIA, the discussion and recommendations of this Report are in accordance with PHIA. This ensures that the recommendations made in the Report will be forward-looking, useful and relevant to Western Health and to the complainants.

As a result of the investigation conducted by the OIPC, the Commissioner found that the current electronic system being used by Western Health for employee access to personal health information did not meet the requirements and standards of PHIA. The Commissioner found that individuals in many roles within Western Health have greater access than is always necessary, even though it is possible to further limit access. Consequently, the Commissioner determined that by permitting such open access controls Western Health was improperly using personal health information and did not have adequate information procedures as required by section 13(2)(b) of PHIA. Western Health justified the current framework on the basis that there are practical limitations for controlling access based on each individual user. Nevertheless, Western Health acknowledged that further and better controls, based on employee roles (i.e. required tasks and duties), could be implemented and, in fact, Western Health is investigating and implementing these controls. The Commissioner was advised that a move to a newer version of Meditech across the province has been discussed; however, its introduction is not yet certain as it has not yet received approval from the Department of Health and Community Services. Once approval is granted, the system would take approximately 3-5 years to implement. This new version of Meditech would allow for better access controls and would be based to a greater extent on a role-based access model.

The Commissioner found that Western Health has developed and continues to develop policies and procedures with respect to the collection, use, disclosure and security of personal health information which help to mitigate its failure to appropriately limit employee access to personal health information. Additionally, Western Health has an auditing system in place which is designed to track employee access to personal health information and to identify inappropriate instances of access. This system has recently been upgraded to ensure that the most robust form of auditing is employed such that access can be monitored continuously and in real time.

The Commissioner thanked Western Health for their full cooperation in the investigation. The Commissioner commented that “Given the current focus on the development of electronic records within the healthcare sector, there is a need for continued vigilance by regional health authorities and other custodians of personal health information to ensure that privacy protection keeps pace.” Furthermore, the Commissioner indicated that “While this report is specifically in relation to Western Health, the Meditech system is in use by Regional Health Authorities throughout the province, therefore I hope my recommendations will be considered in detail by all of them.”

- 30 -

Media contact:
Ed Ring
Information and Privacy Commissioner
709-729-6309

2013 02 14 11:10 a.m.

This page and all contents are copyright, Government of Newfoundland and Labrador, all rights reserved.