Nova Scotia needs to toughen the governance over medical-related databases held by the public and private sectors, the province’s information and privacy commissioner says in her annual report.
“There is an urgent need to strengthen and clarify the responsibilities for and monitoring of interoperable health information databases to protect the privacy of Nova Scotians’ health information,” Catherine Tully said in the report released this morning.
“One of the most significant trends in privacy is the growing collection of databases containing personal information. These databases are becoming increasingly interoperable. We saw evidence of this during a privacy breach investigation we conducted in relation to the Drug Information System. During the course of this investigation that began in late 2017, we discovered that the governance and monitoring of broad access, multi-custodian, electronic personal health information databases is a critical vulnerability in the province.”
That investigation, detailed in a report released in August, found that a pharmacist inappropriately viewed the personal health information of 46 individuals over two years. Victims included the pharmacist’s doctor, co-workers, former classmates, her child’s girlfriend and her parents, as well as teachers at her child’s school, among others. “In order to gain access to some of the personal health information, the pharmacist created false profiles and falsely claimed that individuals had consented to the creation of the records.” The pharmacist also shared the personal information with others.
A separate investigation into staff abusing their access privileges within the Nova Scotia Health Authority (NSHA), which oversees a number of hospitals in the province, found unauthorized access to 335 individual medical records by six staff at multiple worksites. “Our investigation revealed a dangerous and insidious culture of entitlement to view health records, with accounts of unauthorized access that, in some cases, took place over a long period of time,” Tully noted.
The NSHA co-operated with the commissioner’s office during the 2017 investigation and accepted all of its recommendations, including flagging high-profile patient records and excessive patient-record access. A new, fully integrated electronic records access control system is expected to be in place by the end of 2020.
But Tully also warned that data custodians in hospitals, doctors’ offices, pharmacies and other places where medical information is held “must be vigilant and cannot rest on an honour system, nor on the ethical standards of a professional designation, as the means to guard against unauthorized access by authorized users.”
“By engaging an electronic system and database, the custodian becomes responsible for specific steps to secure the system, ensure limited role-based access and monitor user activity. The custodian must proactively curb a workplace culture that encourages or turns a blind eye to such behavior and must take steps to fully investigate and contain any privacy breaches that occur. Without a thorough and strategic approach, the behaviour will continue to go undetected causing harm to individuals and will undermine public trust in the health care system.”
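The monitoring the commissioner describes (flagging access to high-profile patient records, flagging excessive record access, and checking that an authorized user’s access matches a documented care relationship) can be illustrated with a small audit-log review. The following is an added example, not code from the commissioner’s report, the NSHA or any Nova Scotia system; the log format, field names, care lists, the break-the-glass reason code and the daily threshold are all assumptions constructed for illustration.

```python
"""Toy audit-log review for an electronic health-record system.

Added example: not code from the commissioner's report or any Nova Scotia
system. The log format, field names, thresholds and sample data are
assumptions constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log, one record view per line.
# Fields: timestamp, user_id, role, patient_id, reason_code
# reason_code "TX" = treating relationship claimed, "BTG" = break-the-glass.
SAMPLE_LOG = """\
2018-03-01T09:02:11,u_pharm1,pharmacist,p1001,TX
2018-03-01T09:05:40,u_pharm1,pharmacist,p1002,TX
2018-03-01T09:07:02,u_pharm1,pharmacist,p2001,TX
2018-03-01T09:08:15,u_pharm1,pharmacist,p2002,TX
2018-03-01T09:09:30,u_pharm1,pharmacist,p2003,BTG
2018-03-01T09:11:01,u_pharm1,pharmacist,p9000,TX
2018-03-01T10:00:00,u_nurse1,nurse,p1001,TX
2018-03-01T10:04:00,u_nurse1,nurse,p1003,TX
2018-03-01T11:00:00,u_clerk1,clerk,p1002,TX
"""

# Constructed reference data: which patients each user legitimately treats
# (e.g. from dispensing or scheduling records), and which records are
# flagged as high-profile so that every access is reviewed.
CARE_LISTS = {
    "u_pharm1": {"p1001", "p1002"},
    "u_nurse1": {"p1001", "p1003"},
    "u_clerk1": {"p1002"},
}
HIGH_PROFILE = {"p9000"}


def parse_log(text):
    """Parse the CSV-style audit log into dicts; malformed lines are skipped."""
    events = []
    for raw in text.splitlines():
        parts = raw.strip().split(",")
        if len(parts) != 5:
            continue
        ts, user, role, patient, reason = parts
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "role": role,
            "patient": patient, "reason": reason,
        })
    return events


def review(events, care_lists, high_profile, max_distinct_per_day=4):
    """Apply three review rules and return the findings grouped by rule."""
    findings = {"high_profile": [], "no_relationship": [],
                "break_glass": [], "excessive": []}
    per_user_day = defaultdict(set)
    for e in events:
        # Rule 1: every access to a high-profile record is reviewed.
        if e["patient"] in high_profile:
            findings["high_profile"].append((e["user"], e["patient"]))
        # Rule 2: access outside the user's documented care relationship.
        # Break-the-glass access is listed separately rather than silently
        # accepted, so the stated justification can be checked.
        if e["reason"] == "BTG":
            findings["break_glass"].append((e["user"], e["patient"]))
        elif e["patient"] not in care_lists.get(e["user"], set()):
            findings["no_relationship"].append((e["user"], e["patient"]))
        per_user_day[(e["user"], e["ts"].date())].add(e["patient"])
    # Rule 3: more distinct records in a day than the threshold allows.
    for (user, day), patients in per_user_day.items():
        if len(patients) > max_distinct_per_day:
            findings["excessive"].append((user, day.isoformat(), len(patients)))
    return findings


def run_sample():
    """Run the review over the constructed sample data."""
    return review(parse_log(SAMPLE_LOG), CARE_LISTS, HIGH_PROFILE)


if __name__ == "__main__":
    for rule, hits in run_sample().items():
        print(rule, hits)
```

The threshold in rule 3 would in practice be set per role and per worksite from historical baselines rather than as a single constant; the point of the example is that each rule depends on data the custodian has to maintain (care relationships, high-profile flags, a justification field), which is what separates monitoring from an honour system.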
Nova Scotia is in the middle of reviewing its Personal Health Information Act (PHIA), which oversees the collection, use, disclosure, retention, disposal and destruction of personal health information in the province.
In an interview this morning Tully noted the legislation already allows the province to create a body to oversee interoperable medical databases with personal information, such as the Drug Information System and patient registry systems. This body would manage and integrate health information records and ensure there are audit logs of data access. “We know there are growing connections between these databases, and they really need to be managed … When there’s a breach in one there’s a high risk of breaches in others.”
She also said that the growing prevalence of online fake news and the use of unregulated personal data create serious challenges for democracy. In encouraging the provincial government to be more responsive to access to information requests, she argued that “citizens need a reliable source of information about their government in order to actively participate in democracy. The integrity of our democratic institutions also requires that privacy laws are capable of protecting our personal information in the digital age.”
In her report Tully again called for the modernization of the provincial privacy and access-to-information laws, as well as the ability for the commissioner to make orders, not just recommendations. “Order-making power for the Information and Privacy Commissioner would both improve the quality of the evidence provided in support of exemptions and also motivate public bodies to more actively participate in informal resolution. After all, if at the end of the day they are required to comply with the commissioner’s recommendations, informal resolution will likely be a more attractive option. Informal resolution decreases the time to resolve complaints and, of course, improves the resolution of matters to the satisfaction of both parties.”
She also repeated her call for the province to update its privacy law to comply with the European Union’s new General Data Protection Regulation (GDPR). “The standards set by the GDPR will increasingly become standards expected around the world,” Tully noted.
(This story has been updated from the original to include comments from an interview this afternoon with commissioner Tully)