HOSPITALS VIOLATE PRIVACY RIGHTS (This is an expanded version of the handout)
Are you aware that hospitals have the right to give your personal information (medical records, with your name, address, date of birth, SIN, etc.), to “research” organizations without your consent, but Providence Health Care refuses to give ANY information about these "research" organizations. Other people who have access to your medical records include, but are not limited to, hospital staff, pastors, volunteers, students, contractors, subcontractors, consultants, vendors, suppliers, and any individual directly or indirectly associated with the hospital. Among many other problems, identity theft becomes a concern.
Privacy is recognized as a fundamental right of every Canadian and is grounded in the Canadian Charter of Rights and Freedoms (1984).
1. WHY ARE HOSPITALS REFUSING TO STATE, SPECIFICALLY, WHO HAS ACCESS TO MEDICAL RECORDS?? WHAT'S THE BIG SECRET??
2. WHY DO WE NOT HAVE A “RIGHT” TO KNOW WHO ACCESSES OUR MEDICAL INFORMATION??
3. WHAT INFORMATION WILL GO TO THE PROVINCIAL/NATIONAL MEDICAL DATABASE(S) AND WHO WILL HAVE ACCESS AND HOW MUCH??
4. WHY WON'T OIPC PROVIDE ANY INFORMATION ON THE NEW COMMITTEE SET UP TO LOOK INTO PRIVACY ISSUES IN THE HEALTH SECTOR? WHY SO SECRETIVE?
Some hospitals have provided information but it is so general as to be meaningless (see specifics under individual health authorities). By specifically, I mean are they computer companies, janitors, food services companies, toilet paper companies, volunteers, etc., why do they need to access medical information, how much can they access, and is access limited to certain people in the company.
1. To make people aware of the lack of privacy rights within the hospital/health system.
2. To encourage people to contact Gordon Campbell and demand that the FOIPPA be changed so that information may be collected, used and shared only with PATIENT CONSENT. And that we are entitled to know SPECIFICALLY to whom we are consenting to share the information and how much information we are consenting to share.
3. That the public be made aware of the provincial and national medical databases being created which will contain our medical information. We should be involved in the decision-making as to what information is included, who has access and how much information they can access. Our written consent should be required before putting any information on a provincial/national database. We should have the right to say “NO”. We should determine who accesses our information.
4. To, individually, monitor hospitals to ensure that they are sharing our confidential information only with authorized individuals; ie. when you are involved with the hospital system, watch, ask, etc., who is accessing medical information.
5. To ensure that privacy audits are conducted by an independent organization to ensure compliance.
6. To have the hospitals remove all illegally collected information.
Definitions (I have found some of the hospitals' definitions to be very deceptive):
Access: Providence Health Care and the OIPC's definition of access is “anyone who has legal access”. I consider this the equivalent of putting people's medical records on a table, at the front door, where anyone walking by could open and read the records, but then claiming that only doctors/nurses have access because the doctors/nurses are the only people who have authorization to look at the information.
Or, they state that people can access health records but are only authorized to look at specific information. Again, that's like giving someone a whole book and telling them they can only read page three. And then claiming these people only have “access” to page three.
Employee: (hospitals' definition) – may include doctors, nurses, volunteers, pastors, vendors, contractors, service providers
Medical Information: (my definition) – It is used interchangeably with personal information as defined by FOIPPA. In other words, ALL the information of an individual that the hospital has access to, including your name, address, date of birth, SIN, employer, occupation, marital status, blood type, sexual orientation, religion, etc. This is essentially the same as personal information defined below.
FOIPPA (also called FIPPA): Freedom of Information and Protection of Privacy Act
OIPC: Office of the Information and Privacy Commissioner
Personal Information: as defined by FOIPPA can be any recorded information about an identifiable individual (excluding contact information). Examples of personal information include but are not limited to:
- The individual's name provided with home address and/or home telephone number;
- The individual's race, national or ethnic origin, colour or religious beliefs or associations;
- The individual's age, sex, sexual orientation, marital status or family status;
- An identifying number, symbol or other particular assigned to the individual;
- The individual's fingerprints, blood type or inheritable characteristics;
- Information about the individual's health care history including a physical or mental disability;
- Information about the individual's educational, financial, criminal or employment history;
- Anyone else's opinions about the individual; and,
- The individual's personal views or opinions except if they are about someone else.
Denial of Information
Hospitals are saying that if the information isn't in writing, they don't have to provide the information (see hospital authorities). I guess this is why the health authorities kept trying to discuss the matter on the phone and not in writing. I'm not sure which scenario is worse:
1. that the hospitals have the information in writing and refuse to divulge it; or
2. that people at hospitals are giving access to our confidential information without having any written procedures or guidelines as to who has access, under what circumstances, and how much access. Are these people expected to remember verbal instructions or is it completely discretionary? This would also imply that the hospital has no record of all the people who have access to our confidential information so how do they know if records have been accessed illegally? How do they audit?
And yet the hospitals/authorities assure us that they take the protection of our privacy seriously; that every precaution is taken....
There are several references to telling us “who our information will be shared with”. For example:
1. “Section 27(2)...when a public body collects personal information...must tell an individual...with whom (the information) will be shared” (see Providence Health Care).
2. “Both the Vancouver Coastal Health Authority and the Vancouver Island Health Authority post their privacy statements at admitting points so they are easily accessible to incoming patients. These privacy statements include why information is being collected, how it will be used, who it may be shared with....” (see Providence Health Care)
This is being interpreted by the hospital authorities, Ministry of Health and OIPC in the vaguest possible manner.
I find it unconscionable that the government allows the hospitals to hide behind this flawed law. I consider it a violation of people's rights, immoral, and unethical to refuse to even state specifically who has access to a person's medical information, much less require consent to share this information.
What defines consent? When we sign a hospital “admittance” form are we consenting to our information being shared by whomever the hospital decides is appropriate? I don't believe that this would be considered a legitimate contract in court when pertinent information is being withheld (ie. who we are consenting to share this information with and how much information is being shared).
Hospitals also like to say that the information will only be shared by the consent of the patient or in accordance with the law (ex. FOIPPA). The problem is that the law is so broad and vague that, depending on interpretation, it could include almost anyone. Do the people accessing our confidential information have a legitimate reason for needing it? We don't know because we don't know who they are or why they want our information.
However, if you don't sign the “admittance” form, you won't get in the hospital; a hospital you have paid for and will continue to pay for. What a “choice”.
A friend pointed out that he was asked, by a hospital, for his consent to share information with research organizations. This is deceptive.
A hospital has the legal right to give all your information to research organizations without your consent under certain conditions, for example if the research organization can't get the necessary information any other way. A hospital can also ask for your consent which will allow them to give your information to research organizations under any other situations.
SETTING - A Trip to a Catholic Hospital Opens Pandora's Box
In February 2005 I went to Mount St. Joseph's Hospital and I was asked questions that I believed to be illegal. When I protested I was told that if I did not answer all the questions that I would not be allowed in the hospital for tests (which I later found out was illegal). They also refused to explain why they wanted the information (also illegal) except to say, regarding the religion question, that they are a faith-based hospital (what happened to separation of church and state). Mount St. Joseph's Hospital is run by Providence Health Care, a Catholic organization, which runs St. Paul's, etc. During this time I was supposed to go for a procedure but I refused until the hospitals were in conformance with the law, plus I did not feel comfortable going to medical facilities that I was having investigated and who were contesting that investigation, and I was told that I would probably be asked the same questions. Also, I was assured by the Privacy Commissioner's Office that it would not take long to resolve the problem. It took almost a year but Mount St. Joseph was found to be in violation of the FOIPPA in several ways and supposed to make changes as of January 2006.
Providence Health Care was also asked, in 2005, who had access to my hospital records and I asked for this information in detail. They gave a very general answer. In January 2006, I discovered their answer was “incomplete” and “in error”. I again asked the question and insisted on a detailed answer. They refused to answer the question, again violating the privacy act (they are required to answer the question within 30 days). This has been done in the name of the Catholic religion and Catholic god (so you can imagine what I now think of them). It has taken almost a year for the Privacy Commissioner's Office to respond to this question. This is still ongoing.
I wrote to the other hospital authorities. Some hospitals provided answers so general as to be useless and others refused to answer at all. I have had to lay a complaint against every hospital authority in the province. These hospital authorities are doing everything they can to avoid answering the question “Who has access to patients' confidential information”. The health authorities are now claiming that they don't have to tell us who has access to our information.
The hospitals are operated by different organizations. So, they have different forms, procedures, etc. I understand the change required at Mount St. Joseph's does not apply to other facilities run by Providence Health Care since I have not lodged a complaint against them. Other health authorities have "problems" with privacy but OIPC won't do anything. I understand it's because I haven't actually gone to these hospitals, sick and vulnerable, and had my rights violated.
British Columbia's Freedom of Information and Protection of Privacy Act (FOIPPA) came into effect as of October 4, 1993. So, the hospitals have had years to comply with the privacy legislation. The government has had years to enforce compliance. Why does this government not ensure that the hospitals are in conformance with laws before giving them our money? Why do they not perform independent privacy audits and make them public (hospitals audit themselves, so why can't we do our own tax audits)? Why do they not have one set of forms/rules for all hospitals (see One Committee/Cost)? And this is the same government who, when they hired their U.S. company Maximus, assured us that our privacy was protected. Why doesn't FOIPPA address the concept of “consent”?
The government has set up a provincial database so information can be shared provincially, with plans to go national. The database is expected to be in effect soon. There are a lot of privacy concerns. For example, the Province has not specified who will be able to access your personal health information, has not specified that eHealth will keep your personal health information private from third parties and used a US-based multi-national to develop the systems. This information, opt out forms, and more can be found at www.bcoptout.ca, and www.fipa.bc.ca.
Also, the government has obviously not bothered to determine if the information has been legally collected and protected. I understand that the general public has not been consulted regarding this legislation. Apparently, the decisions regarding what gets included in the database and who has access is being decided out of public view. I recommend you contact Gordon Campbell and demand the public be informed and consulted. And, we have a right to hear all views to make an informed decision. We must ensure that information may be collected, used and shared only with PATIENT CONSENT. We must ensure that we know SPECIFICALLY to whom we are consenting to share the information. We must ensure that we have the right to "opt out" of having our information in this database. The BC Medical Association opposes the concept of a single provincial data repository where identifiable patient information generated in physicians’ offices would be stored and, potentially, accessed by third parties such as Health Authorities, governments, and external agencies. (BCMA – Clinical Data Repositories, Sept. 2004)
The Office of the Privacy Commissioner of Canada, in response to the Romanow Commission report Building on Values: The Future of Health Care in Canada (2002), stated that having all health information including doctor and hospital visits, prescription, and lab tests in a central repository would significantly undermine privacy rights. (BCMA – Clinical Data Repositories, Sept. 2004).
I understand that a private clinic is now being allowed to operate in B.C. Will this clinic, plus the private diagnostic clinics, etc. have access to your confidential information in this database?
And this is the tip of the iceberg. Michael Vonn of the BC Civil Liberties Association has stated "the plan is ultimately for a Pan-Canadian e-health record system... This is a massive information-sharing project meant to encompass the entirety of social services in British Columbia and to link information about us from the Ministries of Employment and Income Assistance, Children and Family Development, Health, Education, Justice and the private sector contractors for all of the above. The government has already issued an RFP, (a Request for Proposals) for this project."
It is interesting that it says in the OIPC's Role and Mandate (www.oipbc.org) (page 2) that “It is a central tenet of democracy that public institutions are accountable to the citizens they serve, and accountability cannot survive in the absence of transparency”. It also says, on page 3, “People who have no rights of privacy are vulnerable to limitless intrusions by government, corporations, and anyone who chooses to interfere in your personal affairs”.
A lawyer said to me that people are more concerned about the protection of their medical records than anything else, including financial information. A medical person told me that they believe that the loss of information from hospitals is not a leak but a flood and I now believe this. Changes have to be made to ensure that our privacy is protected and in such a way that we can easily see that it is protected.
When a person goes to the hospital they are at their most vulnerable. They should not have to deal with their rights being violated. And they should not have to make a choice between medical care and their rights (which I believe is a violation of the Health Act). And they should have the right to consent to who has access to their information.
The hospitals can violate people's privacy almost with impunity. When they make a report on a complaint in which the public body has violated privacy rights, the OIPC makes “recommendations”. The Guide to FOIPPA (pg. 14) states that: “If the Portfolio Officer finds that a public body has violated your privacy rights, the Commissioner may require the public body to change the way it collects, uses, discloses or secures your personal information.” To the best of my knowledge, FOIPPA does not provide the OIPC with the legal tools to force a public body to comply. The Privacy Commissioner's Office also has no authority to impose penalties for any violations by a public body.
And imagine what will happen to your confidential information if (or is it when) the system is privatized.
FOIPPA – Some Important Points
- Section 27(2) of FIPPA states that when a public body collects personal information from an individual they must tell the individual why the information is being collected and what it will be used for and with whom it will be shared. They must also inform the individual under what authority they are collecting the information. Finally, they must also provide the contact information for an officer of the public body who can answer the individual's questions about privacy and access. You stated that the admitting (OIPC, Providence Health Care, Jan. 3, 2006)
- The public body must determine the minimum amount of personal information needed to administer a program during the design of forms, questionnaires or other collection instruments. (FOIPPA – Policy and Procedures Manual – Section 26)
- The public body must have a demonstrable need for the information such that the operating program or activity would not be viable without it. (Section 26)
From the OIPC regarding Providence Health Care:
– Oct. 26, 2005 - “Unfortunately, it has not been a simple process to determine what information must be collected and what information is voluntarily collected during a hospital admitting process. A survey of BC hospitals reveals every admitting form is different and there does not appear to be one person or government department who is able to say what has to be on the admitting form and what does not have to be on it. I have submitted a list of questions to a newly formed committee that is looking at privacy issues in the health care field and I am now awaiting their response before I finish my report.”
– July 26, 2005 - “According to Ms. Sachedina the forms are designed by individual hospitals with input from the Health Authority and the Ministry of Health Services. In addition, a hospital Forms Committee reviews all the forms used in the hospital including the admitting form. Ms. Sachedina expects that as time goes on the forms will be more uniform across the province.”
The hospitals are operated by different organizations. As noted, each hospital (not just each health authority) has different forms, procedures, rules, etc. I understand the change required at Mount St. Joseph's does not apply to other facilities run by Providence Health Care since I have not lodged a complaint against them. To deal with each hospital/clinic/authority costs the taxpayers, the expenses of the OIPC and the hospital/clinic/authority, and my time and expenses (no cost to taxpayers), to try to bring the hospitals, etc. into conformance with the law. Where is the effectiveness and efficiency, and the justice, in this? So take each form, etc. x the cost x the number of hospitals/health clinics and you can see where our money is going. Why not have one committee, for all hospitals/health clinics, who designs the forms, policies and procedures etc. and distributes them to each health entity? Then this committee could ensure that the forms, etc. are in compliance with the laws and when there is a change only one form, procedure, etc. has to be changed and distributed. Then again, if the system is privatized, it is unlikely that the individual owners will want to conform to the decisions of one committee.
HOSPITALS' RESPONSES – (OR NOT)
I have entered almost everything from the communication between myself, the hospital/health authorities, OIPC, etc. I have left out information that I considered trivial (ex. thank you for your letter of...), or redundant (ex. a summation of previous correspondence). I have included names, and in some cases, contact numbers so that you can write and have information verified if you choose, or pursue your own privacy issues. Some people may feel there is too much information and may choose to skim, but others will find it very helpful in gaining some understanding of how the hospitals operate in terms of your personal information, and the process I had to go through to get what information I got, and I am sure you will sense, and hopefully understand, my increasing anger at the information not disclosed. Most importantly, by providing the correspondence almost in their entirety, you will be able to form your own opinions and questions. I have made my own comments, which you may, or may not, agree with. You must read the information from the hospitals/authorities very carefully. Sometimes it may sound good, until you think about it. Also, the dates identified are the dates on the correspondence, not the dates received, and anything in italics are quotes.
I continue to be amazed and more than curious, at the hospitals' refusal to provide the information I have requested. The questions that I have asked the hospitals/health authorities, I consider to be very basic to privacy; ie. who has access and how is the information protected. I believe this information should be posted at the hospital and on their website. I am of the belief that people have the right to know this information. This is a patient's personal/confidential information and in many cases, if the information is improperly disclosed, it could have severe and wide-ranging negative impacts on that person. And, if the hospitals have a good handle on protecting our privacy, then this information should be at their fingertips.
I question many times why volunteers and pastors have access to patient information contained in the database. I do recognize that the majority of volunteers and pastors are honest, ethical people. However, the reality is, that if an insurance company, lawyer, irate family member, neighbour, employer, etc. wants to know your medical situation all they have to do is have someone volunteer (or start a new religion or pretend to be a pastor for an existing religion). That person, if assigned to your floor, at a hospital run by a health authority such as Providence, has access to the database containing all your confidential information. Some people would not want their pastor to know all their business and I take great offense at pastors who think they have a right to access hospital databases.
IF YOU ARE CONCERNED AND CARE, CONTACT GORDON CAMPBELL
E-mail – firstname.lastname@example.org
Phone – 250-387-1715
or 604-660-2421 and they will put you through to his office toll-free
TDD – 604-775-0303
Elsewhere in B.C.:
Phone – 1-800-663-7867
TDD – 1-800-661-8773
Mailing Address: PO Box 9041
STN PROV GOVT