CORNER BROOK — Marjorie Deckert and Eva Joan Lee knew something wasn’t right when they went public with their concerns about medical files kept by Western Health being too accessible to people who had no need to view them.
After they did a story with The Western Star the two retired registered nurses from Corner Brook each filed complaints with the province’s Office of the Information and Privacy Commissioner in July 2009.
Earlier this week, commissioner Ed Ring filed his report based on his office’s investigation into those complaints and agreed with Deckert and Lee that Western Health’s protection of private medical information has its shortcomings.
“The commissioner found that individuals in many roles within Western Health have greater access than is always necessary, even though it is possible to further limit access,” wrote Ring in the summary of his findings. “Consequently, the commissioner determined that, by permitting such open access controls, Western Health was improperly using personal health information and did not have adequate information procedures as required by Section 13(2)(b) of (the Personal Health Information Act).”
The Act had previously been introduced in the House of Assembly, but was not enacted until after Deckert and Lee filed their complaints. Ring found Western Health, like other jurisdictions in the province, is still in the process of having its information access control systems conform to the legislation.
Western Health justified its current system on the basis that there are practical limitations for controlling access based on each individual user. Nevertheless, the health authority acknowledged that further and better controls — based on employees’ required tasks and duties — could be implemented.
In fact, Western Health is investigating and implementing these controls, Ring found.
“This has been a while coming and I am very pleased that steps are being taken to remedy this system they have in place right now,” said Deckert, who was still slowly wading through the complex report Thursday afternoon.
In 2009, Deckert and Wells feared there would eventually be a serious breach of privacy since it seemed so easy for medical files to be inappropriately viewed. In 2012, a Western Health employee was fired for accessing files more than 1,000 times without authorization.
Two class action lawsuits have since been filed against Western Health over those breaches, including one suit that has named the employee accused of the breaches as a defendant.
“I knew that something like this was going to happen and people would have access to records, especially since it was so easy,” said Deckert.”And it did happen.”
Lee was expecting Ring’s report to hold back a little in its criticism of Western Health. She was surprised to see how thorough the report was.
She and Deckert have no regrets about bringing their concerns to the privacy commissioner, even though it took more than three years for this report to be made public.
“Nobody wants to get mixed up with the bureaucracy,” said Lee. “But, on the other hand, if you look at something and you think this is against everything you believe on both a professional and personal level, go ahead and do something about it, which is basically what we did.”
Ring, who noted that Western Health is not the only jurisdiction to have these sorts of issues controlling access to medical files, made 12 recommendations for Western Health. They include developing a better system that has more stringent controls over access, including training for employees.
“Some of the changes I am now recommending may have already been achieved by the time Western Health receives this report, others may be in progress, while still others will require further time, money and research,” Ring concluded. “That being said, this office intends to follow up on the progress made by Western Health in six months to see what has been accomplished by that time and to get a better sense of what challenges still lie ahead.”
No one from Western Health was available to comment on the report as of press time Thursday, but the authority said someone should be available to discuss it today.
To read the report in full, visit www.oipc.nl.ca/PHIAprivacyreports.htm .