VICTORIA, B.C. — British Columbia's largest health authority is being criticized for the second time in a month over the way it handles computerized patient health records.
Privacy Commissioner Paul Fraser said Friday that privacy was the missing ingredient when the Vancouver Coastal Health Authority set up a database containing personal health information that is accessible by about 4,000 users.
The database, known by its acronym PARIS for the Primary Access Regional Information System, compiles information about patients' finances, social insurance numbers, diagnoses, care and doctors' and counsellors' notes.
"In the course of our three-year investigation we discovered major deficiencies in the implementation of PARIS from a privacy perspective," Fraser said.
"The concern that has emerged from all of this was that there are too many people involved in accessing too much information," he said of the database, which has compiled information for the last nine years.
The system is used by various health care providers working in community programs, including mental health, addictions, public health and communicable diseases.
Records are stored for too long without being archived or destroyed, even when they are no longer needed for care, and the system lacks adequate security, Fraser said.
"The lessons we have learned from the PARIS investigation carry over into all other electronic health databases," he said.
PARIS is one of eight databases in B.C. that contain patient information.
"Health authorities must learn from the mistakes identified in this investigation by ensuring that privacy is not added on at the end, but baked into the entire functional design," Fraser said.
Health information is collected electronically so health care providers can easily access it for better treatment, Fraser said.
"The downside is that if the information is shared too broadly or incorrectly in specific instances then you've got a breach of privacy and to many people, depending on the severity of the information that they're faced with, the cure becomes worse than the disease, if I can put it that way."
However, Fraser also said the health authority has made major strides in fixing the problems.
Last month, auditor general John Doyle reported similar findings, including too many people having access to sensitive information that he described as being vulnerable to hackers.
Among his 20 recommendations, Fraser urged the health authority to collect only the minimum amount of personal information and that records should be archived every year with limited access to them.
He also recommended that staff be required to complete privacy training each year and sign confidentiality agreements on an annual basis.
For the latest from The Canadian Press, scroll down The Tyee's home page or click here.
3
Login or register to post comments
G West
1 year ago
Patient's finances? S.I.Numbers?
What the hell for?
All they ought to have as a reference is the MSP number. There's no need for anything else as an identifier on health files.
Takuan
1 year ago
what a load of nonsense! Of
what a load of nonsense! Of course live-stock records must be freely available to owners, how else will they know if they are buying a dud or a liability? Or worse, infecting their current herd with some cull bearing prion-disease ideas? I tell you, getting trade unionism declared a mental illness has been a blessing!
zalm
1 year ago
Well, I'm sure there are reasons
And just a few include:
All health care is subsidized, including people in most long-term care facilities. To access the proper level of subsidy, they have to declare their income and expenses. It's not sufficient simply to declare it to the facility which has a financial interest in their penury, but also to levels of audit. Ministry of Finance, Ministry of Revenue (each of which have different computer systems) Canada Pension, other pension providers, all have an interest in making sure the dollars provided for care get to the provider, and the remainder to the patient in good order. Otherwise, patients would be responsible for assembling records of all their own income, writing the proper cheques, and trying to make arrangements every time their circumstances changed, all from their hospital beds.
I wish we could just tattoo an MSP number onto each patient, but many of us have reasons for not being so identified, and I can agree with them.
It's not like there are no checks at all on this. My wife, the nurse, recently received a request to review privacy regulations once again after using some part of the system to check her own lab results instead of going in to see her own family doctor. As something she was used to doing, this did not occur to her that it was now illegal, and had been for more than a couple of years. And it was flagged right away.
Rest assured, there's pretty good privacy there to prevent misuse. The problem will always be how to prevent outright malice or fraud, especially by someone in the know on the inside.
Good for the Auditor and Privacy commissioner for looking into this, but the articles could be more balanced.