Hospitals and Privacy

2008-03-12T20:31:00.000-07:00

This site talks about patients privacy rights (or the lack thereof) in the medical field primarily in British Columbia, Canada. However, after reading/hearing about the issues, people have told me that they were going to look into the situation in their own province/country.

September 21 and 22, 2011 - New Posting
All new postings are listed under 3. New Postings.
The new postings will eventually be moved to "additional information" or other appropriate labels.

To Contact Christy Clark:
E-mail – premier@gov.bc.ca
Phone – 250-387-1715
or 604-660-2421 and they will put you through to her office toll-free
TDD – 604-775-0303
Elsewhere in B.C.:
Phone – 1-800-663-7867
TDD – 1-800-661-8773
Mailing Address: PO Box 9041
STN PROV GOVT
Victoria, BC
V8W 9E1

Sample Letter:

To promote openness, transparency, accountability and protection of rights we demand that:
(1) The Freedom of Information and Protection of Privacy Act (FOIPPA) be changed so that information may be collected, used and shared only with PATIENT CONSENT.
(2) The public be entitled to know SPECIFICALLY to whom we are consenting to share our information and how much information we are consenting to share. (Specifically means are they computer companies, janitors, food services companies, volunteers, etc., why do they need to access medical information, how much can they access, and is access limited to certain people in the company).
(3) The public be involved in the decision-making regarding the provincial and national medical databases being created; that our written consent be required before putting any information in the databases; that we have the right to say “NO” to putting our information in the databases.
(4) The public be given information on the new committee set up to look into privacy issues in the health sector.
(5) Privacy audits be conducted by an independent organization to ensure compliance by the health sector and the results made public.

We also suggest that one committee be set up to design forms, processes, procedures in the health sector to reduce costs, increase compliance with the law and accountability, and use of best practice techniques, as opposed to the current system where each health authority, and in some cases each hospital/clinic, prepares its own.

Yours truly,

Please cc Adrian Dix, NDP Leader at adrian.dix.mla@leg.bc.ca.(I'm assuming this is still valid but their website doesn't provide an email address. Or phone 604-430-8600 or 1-888-868-3637

Also please cc anyone else you think appropriate.
I would appreciate a copy of your letter e-mailed to me at searcher@imagen.ca, and/or please tell me the names of anyone else you think should be cc'd.

Additional Information

2008-03-09T14:29:00.000-07:00

Why should we care with whom the medical system shares our information?
(not necessarily in order of concern; what is most important will vary with individuals)

1. Rights
If we don't fight for our rights, if we don't stand up for them, we won't have them and, quite frankly, we won't deserve to have then. We either go uphill or we go downhill, we rarely have the option to stay in same place (think about the change in information technology).
It appalls me that we do not, or no longer, have the right to know with whom our information is being shared, except in terms so general as to be useless. The one reason I kept hearing, as I stood outside the hospitals handing out information sheets, was that the hospitals save lives therefore:
a. isn't that enough
b. give them everything they want
Well, a lot of other people save lives as well. That's their job. That's what they get paid to do. Police, firefighters, life guards, snow patrols, armed forces, etc. Does that mean we should give them everything they want, and we should not expect to have rights. Do you want these people showing up on your doorstep, or stopping you on the street and demanding information, knowing that you have no right to say no, no right to know why they want it, no right to know what they will do with it, no right to know with whom it will be shared? I don't.
I think that most people have learned what happens when you treat people, or they treat themselves, as gods or demi-gods, above the law, better than the average person. Catholic priests “molested” children for decades, and probably centuries, because people refused to believe they were capable of it, refused to believe that they were just average people with the strengths, and weaknesses, of average people. There was no one to hear the children, no one to take action, or at least, not enough people, for a very long time.
Medical people do save lives. But, as we have heard many times, they also do not “save lives”. It has been fairly recent that I have heard reports of estimates of the number of preventable deaths. Since the reports have been made public (i.e. actions in the medical system made more transparent), some steps are being taken to end these preventable deaths (i.e. make the medical system more accountable). Without transparency there is no accountability.

As mentioned, if we don't stand up for our rights we won't have any. This is supported by an article in the Vancouver Sun (a paper which I never buy), by Gail Bellward, John Russell and William Sullivan, January 22, 2008, pg. A9. Researchers (apparently any researchers, from wherever), want the US corporation which runs MSP, and Pharmacare, “to release information for the purpose of contacting potential research participants”. And the government is supportive. I assume this means that if a “researcher” wants information on women who have just had a miscarriage, they could contact MSP and/or Pharmacare, get a list of this people's names, addresses and other information and contact them. Please note, there was no mention of offering the patients the right to say no to sharing this information.
I am not against research, per se. But I am against anyone deciding that people have no rights. Destroying people's rights is not in the public interest. If they contacted me, under these circumstances, I would not be providing them with the information they would want. In fact, I doubt that most of what I would say to them would be printable. If the government allows these companies access to our information, what will we lose next. Read the “Foreign Connection” below for additional concerns. The ends do not justify the means.

Another article in the same paper, same date and page, by Barbara Yaffe is titled “What a Concept: The patient as a health care consumer”. She discusses the “Euro-Canada Health Consumer Index” on which “we placed 23rd of 30”. Among other things, Barabara Yaffe writes that the report notes that Canada tends to be “disdainful of the rights of health care consumers”.

2. The Foreign Connection

The following points are from:
ID Theft - PIPEDA and Identity Theft – Solutions for Protecting Canadians
From 2006, BC Freedom of Information and Privacy Association (FIPA)

Although this “book” refers to federal privacy legislation (PIPEDA), the BC privacy legislation is required to be substantially similar.
PIPEDA is the private sector legislation but why should the government institutions provide less protection, less transparency, and less accountability regarding our privacy. Logically, one would think that the government institutions would be at the forefront of privacy protection.
Also, the “book” refers specifically to identity theft. However, the information is pertinent to theft for other purposes.
Any information in comic sans MS are my notes. Any bolding is my emphasis.

- pg. vi - ...Canadian data overwhelmingly flows to the United States
- pg. 1 – The problem has grown, aided by the Internet and the fact that so few individuals are ever charged and convicted of ID theft.
- pg. 15 – The growing black market for identity information is one of the most worrying aspects of the problem, because it provides a secondary market after a thief has perpetrated his primary theft.
- pg. 15 – Identity thieves often turn to corporate and government databases to gather information, usually involving employees. Their level of access and knowledge of passwords provides them with significant amounts of personal and financial information, particularly if access controls are set too broadly, which is often the case.
- pg. 17 – One possible way for identity thieves to obtain information is through insecure e-commerce transactions or lax corporate practices.
- pg. 19 – One of the reasons that ID theft has become epidemic is that the law has not responded quickly to defend the rights of victims. Another is that prosecution is difficult, for a variety of reasons. Possession of identity documents that do not belong to you has not hitherto been illegal, so police have to catch ID thieves in the middle of a fraudulent act. Operations now can be set up and closed down quickly, as much of the data necessary for large scale scams can fit on a laptop, sometimes even a datakey, and thieves are highly mobile, going from state to state or province to province.
- pg. 19 – One survey stated that only 1 in 700 cases is brought to justice (I believe these are US figures)
- pg. 36 – ChoicePoint is one of a type of company known as data brokers who gather and analyze public records and sell the data to corporations, employment firms, marketers, the police, national security agencies and other government agencies. In a sense, these companies act as privatized intelligence agencies since they not only gather the information, they also analyze it. ChoicePoint is among the largest and most powerful of these data service providers in part because the company has bought out several of its competitors in recent years. Many of these companies have close ties to the government (referring to U.S.). The EPIC (Electronic Privacy Information Center) website reports that ChoicePoint sells a wide range of information to the government (referring to U.S.) including:
- Credit headers, a list of identifying information that appears at the top of a credit report. This information includes name, spouse's name, address, previous address, phone number, Social Security number, and employer.
- Workplace Solutions Pre-Employment Screening, “which includes financial reports, education verification, reference verification, felony check, motor vehicle record, SSN verification, and professional credential verification.
- Asset Location Services.
- The ability to engage in “wildcard searches,” which allows law enforcement to “obtain a comprehensive personal profile in a matter of minutes” with only a first name or partial address.
- The use of “Soundex” queries, which allow searches on personal information based on how names sound, rather than how they are spelled.
- Information on neighbours and family members of a suspect.

In the post 9/11 era, commercial information services are playing a central role in government intelligence services now clustered in the Department of Homeland Security. The agencies now united at DHS rely on these services for public records, identity verification, and automated analysis. In fact, ChoicePoint currently employs a team of homeland security advisors, many of whom were previously government officials.

As journalist Robert O'Harrow has pointed out:
ChoicePoint and other private companies increasingly occupy a special place in homeland security and crime-fighting efforts (as defined by the U.S. government), in part because they can compile information and use it in ways government (referring to U.S.) officials sometimes cannot because of privacy and information laws.

While government authorities have claimed that the services provided by companies such as ChoicePoint are essential for national security in the current climate, privacy advocates argue that there is a lack of regulations, restrictions and oversight in place to ensure that individuals' civil liberties are protected. In fact, there are virtually no restrictions in the private sector in the US that address the collection, use, and disclosure of this personal information.

pg. 38 – What does this have to do with a Canadian report on ID theft? Firstly, we are uncertain whether ChoicePoint or any of its subsidiaries holds data about Canadians. This is true for other giant data brokers as well. It seems highly unlikely that they do not, since the border is utterly transparent for the financial, telecommunications, and retail sector, i.e. Canadian traffic on these networks is seamless with that of the United States. Secondly, ChoicePoint now has the distinction of being the site of the biggest case of ID theft in history. The way this theft was perpetrated should give pause to all who think we are making headway in fighting this scourge.
ChoicePoint made the news on February 18, 2005 when the Wall Street Journal reported that the company had sold private information of about 145,000 U.S. residents to criminals who posed as legitimate businesses. The reason the company went public on the breach, long after learning of it, is that California's law requiring notification of security breaches to the individuals whose data was compromised came into effect in January 2005. The company rather cavalierly responded to the press that they did not intend to extend the notification to victims outside California, and the story has rolled downhill since then.

- pg. 39 – The central problems in the free flow of personal information throughout public
records and the private sector in the United States will be extremely difficult to combat. While PIPEDA may have its problems, Canadians should be thankful that we are not in quite as bad a situation as our friends in the United States. However, because Canadian data is now flowing across the border through airline and custom systems, and data brokers such as ChoicePoint have a mandate from the government (U.S.) to collect data for security purposes, these issues demand our attention.
...the ill-defined industry of data brokers whose activities largely fall outside the regulatory scheme of the Fair Credit Reporting Act, a law that regulates narrowly defined consumer reporting agencies or credit bureaus. ...the government is increasingly relying on data brokers to supply and analyze personal data for intelligence and law enforcement purposes. Federal agencies operate under the privacy restraints of the Privacy Act of 1974, but the government's use of data brokers appears to fall largely outside the scope of the Privacy Act. As a result, a major activity affecting individuals and their privacy interests and involving both the federal government and significant private sector data processors does not appear to be covered by any existing U.S. privacy law. Recourse to such data brokers has replaced collection by government itself, and has been explicitly noted by the Office of Management and Budget as falling outside the scope of the Privacy Act because it is not a “collection”.
In general, data brokers operate without any legal requirement to:
- provide data subjects with information about their data activities
- obtain any form of consent for processing of personal data
- permit opt-out of processing by data brokers
- offer rights of access or correction
- assume liability for errors that harm individuals

Is some of our personal/health care information going to U.S. companies and thereby becoming accessible to companies such as Choice Point, who then sells it to other companies and the U.S. government? Is this part of what the health care system is trying to hide?

- pg. 48 – PIPEDA Section 4.3.5 – In obtaining consent, the reasonable expectations of the individual are also relevant. ...an individual would not reasonably expect that personal information given to a healthcare professional would be given to a company selling health-care products, unless consent were obtained. Consent shall not be obtained through deception.

- pg. 48 – One of the problems here is that society as a whole has not caught up with the information industry. Even extremely well educated people working in the field were not aware of the existence of ChoicePoint, or how the database industry functions. Most people have no clue how the insurance industry works or credit reporting (or hospitals). Therefore the reasonableness test is a bit problematic; the fact is the general population cannot pass a basic facts test on what is happening with their information. This is an area that needs to be rectified through consumer education. In the meantime, it would be helpful if people used the rights available to them under the openness principles and insisted on knowing where their data is going, who it is being shared with, and how long it is being kept. Then they can evaluate whether this meets their expectations.
Unfortunately, in BC, people are being denied this right.

- pg. 49 – the law can certainly, in our view, be read to require organizations to be absolutely explicit about what they are doing with information, in order that consumers (and patients) are not deceived into giving information when it could be exposed to risk.

- pg. 49 – PIPEDA Section 4.4.2 – The requirement that personal information be collected by fair and lawful means is intended to prevent organizations from collecting information by misleading or deceiving individuals about the purpose for which information is being collected. This requirement implies that consent with respect to collection must not be obtained through deception. (Yet, hospitals ask patients for permission to share their information with researchers, without telling the patients that the hospitals could share information without their consent. Isn't that misleading?).

- pg. 50 – If a company collects too much information, and keeps it all in one place, the risk of ID theft goes up tremendously. Process control would dictate that not all information be collected at once, lest there be a leak in that chain, and indeed in some of our examples, companies lost tapes or databases but there was no risk to consumers because the files were incomplete and had to be matched with other critical elements kept separately. (think about the Provincial database with potentially all your medical information in one location, accessible provincially/federally and possibly world-wide)
- pg. 52 – Most data protection statutes are vague about security measures. The Health Insurance Portability and Accountability Act (HIPAA) of the U.S., authorized regulations for security of health records which just took effect in April 2005. It is difficult to be more precise than PIPEDA in a general privacy statute, and certainly lawyers have been reluctant to stride into the arena of the IT security experts. However, more precision is required if companies are to understand what is expected of them in terms of a duty of care to their customers and individuals who become victims of ID theft through their carelessness.
- pg. 54 – Principle 8 – Openness
- 4.8 An organization shall make readily available to individuals specific information
about its policies and practices relating to the management of personal information.
Again, quoting Perrin:
This obligation is transformative and far-reaching but has received very little publicity. The principle states the obligation to make specific information available about policies and practices relating to the management of personal information. ...this provision goes much further by imposing an obligation to document policies and procedures concerning the handling of personal information, and make those policies available to the individual.
Individuals have not taken full advantage of this clause... Consumer groups, especially those offering services to victims, ought to systematically ask for the policies and procedures with respect to:
- ...
- Contract clauses with third parties which stipulate obligations to protect information as it is
protected in Canada under PIPEDA. It is unlikely that companies will release this information, but in the course of investigating a complaint, at least the Privacy Commissioner would have the opportunity to see if they have any specific language about protection, recognizing the risk of ID theft.
- The chain of sharing for their personal information (which companies and why, which
countries).

- pg. 55 – 4.8.1 – Organizations shall be open about their policies and practices with
respect to the management of personal information. Individuals shall be able to acquire information about an organization's policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable.
- 4.8.2 – the information made available shall include:
- (e) what personal information is made available to related organizations (e.g., subsidiaries).
- pg. 56 - 4.9.3 – In providing an account of third parties to which it has disclosed personal information about an individual, an organization should attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which it has actually disclosed information about an individual, the organization shall provide a list of organizations to which it may have disclosed information about the individual. (The hospitals I contacted refused to provide this information. Why?)

Companies have argued that telling the individual who has their data amounts to releasing a customer list, and they argue that rival companies will use their employees to file access requests and find out who their customers are (would this not be their vendor list?). This may be true, but it is certainly a lesser evil than having a citizenry who do not have the right to find out who has their personal information.

- pg. 57 – Principle 10 – Challenging Compliance
- 4.10 – An individual shall be able to address a challenge concerning compliance with
the above principles to the designated individual or individuals accountable for the organization's compliance.

The right to challenge compliance with the standard and the law is available to all individuals, not just a person whose information is at play. This effectively means that consumer advocates or security experts could complain when they find practices to be sub-standard. An ID theft resource centre could encourage victims to take cases to Court where the facts warrant it, after complaining to the Privacy Commissioner. A few damage awards might have the effect of improving adherence to best practice. (The BC Privacy Commissioner's office refused to take action against hospitals who I believed were asking illegal questions because I had not gone to the hospitals and had my rights violated).

- pg. 60 – There has been quite a bit of controversy in Canada already on the subject of “naming names” and on publishing the details of each investigation. B.C.FIPA has come out strongly in favour of publishing the details and the names of the companies, in the interests of motivating parties to achieve better compliance with the law, and where ID theft is at play, it seems obvious that there is a public interest in disclosure to protect other individuals from exposing themselves to risk.
- pg. 61 – Obviously the ability of the Court to award damages has considerable interest for victims and for organizations such as the BCFIPA who would be interested in setting up victim assistance centres. At the very least, information on how to take a case to Federal Court could be made available to victims of ID theft (I would hope this would be expanded to include all people whose privacy rights have been violated).
- pg. 61 – Finally, the Commissioner has extensive audit powers which have not been used in the private sector. Auditing of security practices in particular would be useful, and publishing the results and recommendations stemming from such an audit would be educational for business. (Hospitals audit themselves. How much value do you place in a self-audit?)
- pg. 64 – One of the central problems in investigating and prosecuting ID theft at the moment is the lack of criminal code provisions, which hampers the ability of law enforcement to act. Using the powers of the Commissioner to investigate personal information breaches and complaints is not substitute for necessary legislation, but it could help to put pressure on the situation at the moment.
- If the office (Privacy Commissioner's) were to perform a few security audits of companies and develop recommendations for detailed codes of practice, this could assist in raising the bar for company practices.
- pg. 67 – The overwhelming impression we get when viewing the situation, particularly in the United States, is that absent any form of liability for companies, fundamental and effective change may be difficult to achieve.
- pg. 69 – The prosecution of certain types of ID theft is further complicated by the fact that the perpetrators can do the work from outside the jurisdiction where the individual resides. Because the transborder dataflow provisions of PIPEDA are weaker than those of, for instance, the European Union, it is difficult if not impossible to do anything once data has left the country. Consumers have no effective redress where the data breaches take place outside the country, other than to sue a company in a foreign jurisdiction, a proposition which is too onerous for the average individual to undertake. Most contractual provisions in subcontracting or outsourcing arrangements do not provide consumer rights, they mostly transfer liability from one company to another without granting status to individual consumers.
Think about all the outsourcing being conducted by the hospitals.
Also, MSP, run by a U.S. corporation, can, under certain circumstances, transfer our personal/medical data outside of Canada. Why? Why can't other arrangements be made. How safe is our data once it is outside Canada, or is it safe at all? I doubt that Canadian laws apply to this information once it is outside Canada.

3. Blackmail, harassment, ridicule, discrimination, etc.
One of the health authorities admits that we “own our information”, so why don't we have control over who sees it? What does “own” mean in the health system? Do you want your family, your boss, your co-workers, your neighbours, your insurance company, a lawyer, to know your medical history, that you had a heart attack, a past drinking problem, a hysterectomy, a vasectomy, a gall bladder operation, were raped, lost a child, etc. Don't you think that you should be the person to determine with whom that information is shared. For example, do you want the people from food services (which has been outsourced) accessing this information? According to Providence Health Authority and the Privacy Commissioners Office service providers do have access to this information, as do volunteers, etc.

The Legislative Assembly is currently reviewing the provisions of the province's private sector privacy act. The legislation is almost 4 years old. Submissions were requested by February 29, 2008.

Why not review the public sector privacy act? It is more than 13 years old.

If you google hospital privacy breach, you will find many more examples of hospitals violating patients privacy.

3. New Postings

2008-02-24T17:08:00.000-08:00

MAKE THIS AN ELECTION ISSUE

September 22, 2011

Theme Comments

When I am in front of St. Paul's I get some comments that run in themes. It's as if some people get together and decide to make very similar comments all within a few days. The latest theme is “You can't complain because it's free”. The following are some of the “passer-by” comments and my comments are in brackets.

It's free (no, the citizens pay for it)
They pay for it (assume she meant the politicians and no, we pay for it), but it comes from out taxes (which we pay)
They need it to pay for health-care (That would imply that they are selling our information which, I understand, is illegal)
Isn't it great that in Canada you can complain about something that's free (it isn't free).

If one takes that line of thinking that it's free then we can't complain if the roads are not repaired because their “free”; we cannot complain if the fire department does not go to fires because their “free”; we cannot complain if water doesn't flow through pipes and through our taps because it's “free”, and so on.

Then again maybe I'm wrong, maybe our health-care is free. Maybe we don't pay a dime towards our health-care. In which case, would someone please explain why we pay taxes? Where does the money go? Who does pay for our health-care? Do the medical people work for free?

Then again, maybe I'm right and this is the best excuse “they” can come up with for illegally sharing our information and destroying our rights.
______________________________________________________
Here's another comment that was quite bizarre (well, more bizarre than usual). A woman told me she worked in the pharmacy area of the hospital, that she had noticed changes over the last two years and wasn't that enough for my purposes. I asked her what changes had occurred and could she prove it. She refused to answer either question. It's like being given a blank piece of paper and having someone tell you there is writing on the paper so isn't that good enough. Presumably, she operates on the premise that she said it therefore it is. Isn't that a god complex?

September 21, 2011

Privacy Commissioner

I understand the BC privacy commissioner is reviewing BC Hydro's privacy protection (or lack thereof) regarding the information the smart meters will be collecting.(Metro, 7/29/11). I'm sure she will find that everything is just fine. That seems to be the privacy commissioner's job.

Because I try to protect my privacy rights, I have filed a few privacy complaints with both the provincial and federal privacy commissioner's office. Even when I have been absolutely right – NOTHING CHANGES. Even when the privacy commissioner quotes a specific act or law that has been violated/broken – NOTHING CHANGES. Even when the privacy commissioner's office recommends that the organization/company make changes – NOTHING CHANGES.

So, I consider the privacy commissioner essentially useless to normal people. However, it seems that they are an invaluable asset to the government and organizations/companies. When a person complains to a ministry or other organization/company, that ministry or other organization/company just tells that person that if they are not happy then that person can take the matter to the privacy commissioner, knowing full well NOTHING WILL CHANGE. It's the equivalent of telling someone to file their complaint in file 13 (for those of you not familiar with the term, that's the garbage can where things are dumped, never to be seen again). It seems to be a very comfortable diversionary tactic.

In fact, I strongly suspect that the government set up the privacy commissioner's office just for this purpose.

So sad, I had such hopes for it. Instead, it seems to be just another government organization wasting taxpayer money.

June 17, 2011

The Children (bold and italics are mine)

An organization called Kids First Canada has been raising awareness of the violation of children and parent privacy rights. Information is collected and linked, from preconception to adulthood, on your children and family (in fact, it appears that the information will be collected from preconception to death). Twenty-four pages of information, on each child entering school, has been collected by the Ministry of Education using a personal education number (PEN). This information was linked to HELP (Human Early Learning Partnership). HELP is a government funded research consortium of universities. According to HELP's, and associates, websites, it links the child's information to their family data such as medical, birth, death, hospital, perinatal, mental health, census, pharmaceutical, school achievement, daycare, children in province's care, stress, injury and Workers compensation board. This list is expected to increase; for example, HELP wants access to our personal income tax data, patterns of employment, time use, etc. Note that this is not information that is shared that can never be tracked back to you; it can be tracked back to you.
I understand that this is part of the Integrated Management System (see prior blog). This means that there will be thousands of access points to this information.

Until 2010 this information was collected and linked without parents consent. In 2010 this was changed from no consent to passive consent, in other words you have to sign a paper that says you don't want you child's information collected/shared? What if the paper gets lost, or you are busy and forget, or don't read very well, or don't understand what you read, etc. The schools say they will explain it to parents but I suspect they will not explain all the negatives to collecting/sharing your child's information (as much a time as knowledge issue). If your child's personal information ends up in the database all HELP has to say is that “they didn't receive a signed paper”. It would be hard to prove them wrong. On the on the hand, if they must have a signed paper before collecting/sharing the information then they would have to have the paper on file to prove they received it.
Kids First Canada are asking that written parental consent be required and all information collected without parents permission be destroyed.

Some concerns:
- information is being collected without the consent of parents
- information used for purposes not identified
- “HELP has stated in media and elsewhere that names and addresses are not used. However, given that HELP obtains Personal Identification Numbers, medical numbers and postal codes, etc. names and addresses would not be needed to individually identify a person or a family.” (1)
- “Judging from the types of data being collected -i.e. perinatal records, hospital records, census, etc. - parents' and mothers' personal records are also linked.” (1)
- “with increased use of electronic testing in school, children's personal beliefs, plans, opinions and experiences expressed in writing could potentially be linked.” (1)
- Will this pigeon-hole the kids, i.e. are they compliant, do they fit certain peoples expectations, are they “different”, etc.?
- Commercialization - HELP and its group has funding from organizations like the Canadian Institutes for Health Research whose mission is to “work with all partners in a concerted effort to move research from an academic setting to the marketplace”. Also from the CIHR website “CIHR is committed to facilitating the commercialization of health research in Canada in support of its overall mandate.”
- “The public has not consented to this collection of data or its use”.(1)
- Cost – we are paying a lot of money for these people to take our information and use it as they choose, sharing with those they choose, without our knowledge or consent
- The “rules” can change tomorrow without our knowledge, much less our consent.
- Security – The government has shown repeatedly that it cannot, and will not, protect the information in its care.

Just think when your children/grandchildren, nieces/nephews grow up, all their personal information will be available at the press of a button by probably just about anyone (banks, insurance companies, employers, future spouses/friends, universities, and so on). Did your children misbehave in school, did they get along with other kids, were they slow starters in school, did they have any medical issues, what is their family background, were there family problems, etc.

As Kids First Canada say “ Our children are not resources to be mined through schools at huge public expense while many parents struggle to pay for basics”. And neither are we adults.

It is not a question of whether all this information, linked to each person, will be “accessed” but how fast. We were told our medical information was confidential, to be shared only with those directly involved in our medical care, only to find out that it is shared with doctors, hospitals, clinics, pharmacies, their suppliers, researchers (and apparently lots of other people/organizations – who go to the “business office” and plug their computers into the database); and that information is now going to be linked to government ministries and I am sure the list will expand; all without our consent (and in most cases – our knowledge). The government just took the information. And once it's “out there”, it's “out there”. You don't get it back. The people who have this information will know more about you, and your family, than you know about yourself and your family; and they will use it for their own gain.

Some other databases they could link with include the police database. Apparently they've been keeping information even on law-abiding citizens (2). And, of course, the Smart Meter. Just think of the information those graphs would provide – the time you get up, the time you go to bed, whether you work out of home, if you go out in the evening and which nights, if you go on holidays and when, have family/friends over for the holidays, and much more.

And, as has been shown, once the government has your information, they can change the rules (laws) at anytime, without consulting us – unless we make that illegal. If you want our personal information, get our written permission.

We have a right to privacy. We have a right to control our own personal information. The politicians, and their friends, are repeatedly violating that right.

Here is some additional information from HELP, Population Data BC's and Edudata Canada's websites:

HELP'S website states “HELP's leading edge research has resulted in British Columbia being the first and only jurisdiction in the world to monitor the development of young children as they enter kindergarten at a population level.” - versus person-specific?????

“Researcher access to data will be approved by the Data Steward for a holding using a harmonized Research Agreement process through Population Data BC. Named programmers have access to Identifiers to perform linkages on intake only. Content Data are stored on a separate server, and are accessed by named programmers to perform Research Extracts as defined through a Research Agreement. In no cases are Content Data and Identifiers brought back together. This separation of information safeguards the privacy of personal information. “ (HELP)

If you have all the personal information of an individual, I doubt it would take much to “connect the dots”. A person lives in a particular postal code, has x number family members, is x age, etc. And, as Kids First say: “this is a false assurance of privacy as names are not needed when personal numbers are used.” Plus, there will be numerous “links” to all these other databases, and the more links, the greater the likelihood that this “separate server” with all your information,with your identifier number, will be accessed. How hard would it be to track, or intercept, a link? We also know that government people have accessed individual's information in violation of the law when it suited their agenda (The Veteran's affair for example) The Data Stewards are the government ministries and public agencies (but they don't seem to list them all), nor are the agreements shown.

As noted above in one sentence they say that “separation of data safeguards ...your privacy” then later admits that your data isn't safe by saying “Risk of exposure is significantly lower than that of most Data Providers as we separate Identifiers from Content Data”. So, they do admit that there is a risk of exposure, they just don't say how high a risk (and I'd want proof, not just words). By the way, HELP is looking for a part-time privacy officer whose duties will involve “addressing breach response management” - application deadline – April 19, 2011. Nothing like being prepared with the right excuse to explain why your very personal, confidential, information was shared with the world.

“HELP partner, Population Data BC, offers the research community access to one of the world’s largest collections of health care, health services and population health care data; “Population Data BC offers qualified researchers access to a rich source of linkable, person specific, but de-identified data on British Columbia’s four million residents, in many cases from 1985 forward. Current data holdings include health care and health service records, population and demographic data and occupational data. Population Data BC continues to expand its data holdings and is working to bring in datasets from education, early childhood development, work place, and the environment”. Who are these researchers? Are they people from supplier/pharmaceutical/other businesses (many foreign companies subject to the Patriot Act) and how is the information being used?
“The Canadian Education Data Network (Edudata Canada) is developing user-friendly educational research databases from British Columbia and elsewhere. The mission is to create an infrastructure that makes K-12 education data available to researchers, policy makers and other qualified individuals and organizations, subject to privacy and confidentiality guidelines”. Now they say that in addition to sharing with researchers, they will also share with government & “others”. Also, when they say education data it sounds like they are sharing school grades when, in fact, it includes much more.
How can we monitor Population Data BC's use of the data to ensure it is being used as contractually agreed upon?
All usage of the data will be regulated by an Information Sharing Agreement with the data provider which will outline how the provider can monitor the use of the data on an individual basis. This will include regular reports and is outlined further in Population Data BC's Audit Policy. Again this tells us absolutely nothing since we won't know what is in the contract, how they are being monitored or if Population Data BC is upfront about any violations. And no mention of independent audits. In fact, their audit policy is not on their website. And, as we know from the Auditor General's audit of the hospital database, the data provider wasn't monitoring the use/disposal of the data they had shared, so why would we believe that hundreds or thousands of other data providers will monitor the data they share..
CYDTRU – Child and Youth Developmental Trajectories Research Unit - “an emerging research unit within HELP is developing a program of research that will track children's development over time” “...utilizing linkable health, child development (school readiness), education, community resource and socio-demographic data. These databases will enable research projects that can trace individual developmental trajectories (anonymized) from conception to high school leaving, across various facets of the health, social and educational systems for all children in B.C." “CYDTRU researchers are working in collaboration to identify and create additional data sets that will enhance the current stock of trajectories data... - ...to develop and expand the number of population-based person-specific databases and to conduct research projects.” In other words, they are planning to collect even more information on us. As long as there are links back to the person it is not anonymous.
“The BCLHD (BC Linked Health Database) infrastructure brings together person-specific, population-based, longitudinal* data across a broad range of health and societal factors from the late 1980s onwards. The BCLD is one of only a small number of resources in the world where longitudinal research on an entire population can be conducted”. I guess other countries respect their peoples privacy, their peoples rights. Also note that they say entire population, not just children.
For more information you can contact www.kidsfirstcanada.org, www.earlylearning.ubc.ca, http://www.popdata.bc.ca/; www.edudata,edu.ubc.ca, www.soeh.ubc.ca

* a longitudinal study is a correlational research study that involves repeated observations of the same items over long periods of time – often decades. Longitudinal studies track the same people. - Wikipedia

(1) Kids First Canada
(2) Office of the Information & Privacy Commissioner for BC (OIPC), March 25, 2011, Commissioner Shares BC Civil Liberties Concerns Over Information In Police Database

June 16, 2011

NEWBORN BLOOD SAMPLES

In BC, a lawsuit is now underway, after it was discovered that about 800,000 newborn blood samples, together with names and birth dates, had been stored on information cards since 1999, in a storage facility operated by a private contractor; and the blood samples had been shared with researchers - WITHOUT THE PARENTS KNOWLEDGE, MUCH LESS THEIR CONSENT. (1)

CONCERNS:
1. This is, in fact, a DNA database. “DNA is your personal signature, and it uniquely identifies us” (Jennifer Puck, University of California, San Francisco) (5)
2. These spots are being shared with researchers, without the parents knowing who the researchers are, who they work for, what kind of research they are doing, to whom they subcontract, etc.
3. Bill 11, passed in May 4, 2010, gives the Minister of Health power to collect, gather, use and share personal information without any notice to or consent from affected individuals.. In other words, your personal information can be shared with governmental and law enforcement agencies, without notice or consent. The B.C. Civil Liberties Association (BCCLA) is trying to have this reversed. (7)
4. The information may be used to discriminate against the individuals by employers, banks, insurance companies, your child's future spouse, etc. “You could make inferences about their future health, about their future behaviour, and if you got samples from their parents or a DNA databank, you can make inferences about family relationships.” (4)
5. The DNA also provides information on other family members (8)
6. The researchers/private companies may manipulate, alter or splice the DNA. (3)
7. The amount of information that can be obtained from DNA is expected to increase (8)
8. The genetic information could be used for unethical purposes such as human cloning,etc.(5)
9. De-identified blood samples are linked to personal information and you can trace the link. The blood samples are stored with a code number in one place that can be easily matched to names stored in another place. (4)
10. The blood samples and other information could be accessed by pharmaceutical and biotechnology companies, commercial companies who might bias or manipulate research findings. (10)
11. “The dark side is the commercial value of the human body. If the nature of the specifics of a given individual is available to the people searching for organ matches, the finding of a match might be someone who is not dead. Yet. (Ultra Bob) (5)
12. How securely is access controlled or is it like our hospitals, where audits have shown that almost anyone could access information. It has also been suggested that there isn't any system, no matter how good, that can't be abused and “once it's out there, it's out there” (10) And it's not just hackers that are a concern but employees with, for example, a flashdrive which can be put into a database to download information.
13. Conflict of interest - “...Just look at the conflict of interest statement in any pharmacogenomics journal today and you will find that the head of each of the major studies and a select group of investigators, funded by public tax payers money from NIH, and YOUR DNA, are going to make huge profits from royalties and huge salaries these physicians-researchers earn because they control proprietary samples that are otherwise hard to come by. Just by tying a SNP to a treatment outcome or diagnostic outcome, there are big profits in the healthcare business to be made; with no real innovation! Hence, one wonders about the real motivation underlying collection of blood samples with consent and especially without consent - a cure or a profit!” (11)
14. Ownership - Who owns the specimens and anything created from the specimens. (10)
15. Cost – It apparently costs quite a lot to store the blood samples in the right climatic environment. Is this how you want our health care dollars spent? (3)

Medical people certainly had lots of opportunity to tell people and ask for their consent. They verbally explained why the “heel prick” (taking a newborn's blood) was important for testing for diseases, they handed out pamphlets, and there was a website. But apparently not one person in the medical field, in over 800,000 births, mentioned that the children's blood was being stored indefinitely and used by others. Apparently no one in the medical field thought people would be interested in knowing the bloodspots were being stored and shared (or so they say), despite the fact that this had become an issue worldwide. (2)

In 2002, the public forced South Carolina to pass a law regulating the collection, storage, and use of blood samples. (9)
In Texas a lawsuit was settled when the state agreed to destroy the stored blood spots. New legislation requires parental consent and allows parents to opt out and all projects must also be published on the agency’s newborn screening website. However, a second lawsuit has been filed because they (the plaintiffs) had not been told, during the first lawsuit, despite asking numerous times, that the blood spots had been sold, traded and bartered. (13)
Blood spot samples apparently were also sent to the U.S. Department of Defense and Homeland Security. The U.S. Department of Defense, who were using the blood samples to build an international database, reportedly destroyed the samples (of course, you never really know, do you???). (13)(6)

A Dublin hospital has stored the DNA of all the people born in the country since 1984, creating a database. This was done without the individual's or parents knowledge, and apparently in contravention of the law; and despite having an ethics committee. (14)

Now that this issue about the children's blood spots has been brought into the open by the public, the BC Newborn Screenings Program has a notification on its website regarding storage. But, of course, it only mentions the positive and not the negative aspects of storing the blood samples. It allows parents to fill out and submit a form requesting the destruction of the blood spot (opt out), as opposed to being asked for their written permission to store/use the blood spot (opt in). It seems that the blood spot cannot be stored unless the parent agrees to it being used by others.
What happens if your form gets "lost". The medical/researcher people could say they never received it. It would be hard to prove them wrong. On the other hand, if they must have a signed paper before storing/sharing the blood samples/name/DOB then they would have to have the paper on file to prove they have a legal right to store/share the blood samples.

So what happens to everyone else's health samples. For example, when you go for a physical or an operation and blood/tissue samples are taken, are they being stored somewhere? What else has the medical/political people decided we don't need to know.

Some comments that I thought were particularly interesting:
Researcher | 10:11 a.m. Feb. 9, 2010
“I have worked in research for over 10 years. My job is to make sure that everyone obeys the law. When it comes to human research, the law is designed to protect the people who are the subject of research. Blood and tissue samples are your property even after they have been removed from your body, and researcher(s) can only do with them what they have gained your legal consent to do. That is the issue here. These researcher(s) do not have legal consent to do what they are doing. So many researchers feel like this is a hindrance. They would prefer to just be able to do whatever they want. They all think that what they are doing is for the greater good. If it is going to produce valuable results, it can and should be done legally. If you don't think these regulations are necessary, do an internet search on the Nuremberg Code, the Tuskeegee experiment, etc. Whether you care what happens to your child's samples or not, it is in everyone's best interest that researchers are forced to be accountable for what they do, and gain the proper consent. “(5) In BC, the politicians have taken the right to give legal consent, to decide what happens to your body parts, from you and given it to themselves.

"It's fine and good to say these can't be identified, but how real is that?" said Hank Greely, a Stanford University bioethicist. "Just because you don't have a name or Social Security number doesn't mean you can't identify it. Once we start using DNA for more and more things like regular medical records, somebody could do a cross-check and say whose blood it is." (12)
One: Telling people that their biospecimens are retained and used for important research, that strict privacy and confidentiality protections are in place, and that “we’re good stewards” of the biospecimens without providing accessible, clear information about those policies, fails to meet even minimum standards of transparency.
Two: Failure to acknowledge that public attitudes and values about consent, genetic research, and privacy/confidentiality may conflict with those of researchers and policymakers can lead to pubic distrust of biospecimen research and impede important research.
Three: Genuine public engagement in developing policies for biobanking initiatives takes time and resources. But the payoff – trust in the research enterprise and willingness to provide biospecimens – is worth the effort. (9)

IT'S YOUR DNA AND IT DOESN'T GET ANY MORE PERSONAL THAN THAT. (Michelle Salas)

1. The Globe & Mail, May 11, 2010, Jane Armstrong, Vancouver Parent Challenges Unauthorized Archiving Of Infant's Genetic Blueprint
2. CBC News, May 12, 2010, Scott Applewhite, Storing B.C. Babies' blood violates privacy: group
3. Infowars Ireland, February 8, 2010, Newborns' DNA Routinely Harvested For Government Bio Banks
4. In the Media, February 26, 2009, Barbara Sowell, DNA Testing Without Parental Consent?
5. Deseret News, February 8, 2010, Lauran Neergaard, Blood tests of newborns stirring major ethics debate
6. American-Statesman, May 10,2010, Mary Ann Roser, State agency swaps babies' blood for supplies
7. British Columbia Civil Liberties Association, May 12, 2010, New law may create largest DNA database in Canada
8. Statement of Claim filed with the Supreme Court of Canada, May 14, 2010, British Columbia Civil Liberties Association website www.bccla.org
9. The Hastings Centre Report, September 8, 2009, Karen J. Maschke, Disputes over Research with Residual Newborn Screening Blood Specimens
10. Exploring existing and deliberated community perspectives of newborn screening: informing the development of state and national policy standards in newborn screening and the use of dried blood spots; Ian Muchamore, Luke Morphett and Kristine Barlow-Stewart, December 13, 2006
11. The Scientist – Magazine of the Life Sciences, December 23, 2009, Consent issues nix blood samples, Anonymous poster - Non-Profit banking of DNA from blood for Profit
12. Washington Post, June 30, 2009, Rob Stein, Newborns' Blood Samples Are Used for Research Without Parents' Consent
13. Infowars Ireland, NaturalNews, February 20, 2010, Ethan A. Huff, Texas ordered to destroy five million blood samples illegally taken from babies without consent
14. Sunday Times, December 27, 2009, TJ McIntyre, “Is Temple Street Hospital Holding A De Facto National DNA Database

June 15, 2011

FACEBOOK

The government wants to share our information with social media groups like Facebook. Let me tell you a bit about the ethics of Facebook. Apparently they are “profiling” (I don't know what else you would call it) people who don't even have an account with them and who do not knowingly use their site.
I received some emails from Facebook wanting to know if I wanted to be someone's “friend”. I am trying to figure out how Facebook gets my email address. The people I spoke with said they never gave it to Facebook; one said Facebook “just went in and took it” (whatever that means).
But on the last email, Facebook also listed other people that I know (interestingly, I never received a “do you want to be their friend on Facebook” email for some). I call that profiling, tracking people you communicate with. I am not registered with them and do not knowingly use their site but still they collect information on me. And obviously Facebook benefits from this information (and whoever they share it with) or they wouldn't be collecting it.
In a letter (regarding another privacy complaint) on the Office of the Privacy Commissioner of Canada website (OPC to CIPPIC – under Commissioners Findings – PIPEDA 2009) it states “On the issue of retaining non-user's email addresses, Facebook confirmed it does not use email addresses to track the success of its invitation feature. In fact, it states that it does not keep a specific list of such addresses for its own use.” It appears that Facebook lied to the Privacy Commissioner.
I filed a complaint with the federal Privacy Commissioner's office in May of 2010. The Privacy Commissioner's office is “negotiating” with Facebook. I have asked the Privacy Commissioner's Office not to negotiate away any more of my rights.
Facebook has had a number of privacy issues, yet the government wants to share with Facebook our personal, confidential information. This would give Facebook even more information for their profiling and, quite possibly, the government will get more information on us, such as of list of the people with whom we communicate.

June 14, 2011

Integrated Case Management (ICM)

This is some additional information regarding ICM.

My blog of April 12, 2009 mentions a project called the Information Access Layer, which includes electronic health information and what is called the “Integrated Case Management Project (ICM)”.

The intent of this project is to collect all the client personal data collected by community service organizations that accept money from the government and link (share) the information to government ministries and their private sector contractors. And, it is believed, this information will eventually be shared nationally, and possibly, internationally. In other words, all information that you provide to the government, and any organization that takes a dime from the government, could be linked and shared.

According to a bulletin by the Ministry of Housing and Social Development, Deloitte Inc. has been contracted to develop the computer system. They claim that it will cost $181 million over six years but may start to be implemented by the end of 2010.

If you read “Culture of Care...or Culture of Surveillance?” at http://www.privacyresearch.ca, you will note the many concerns. These concerns include identity theft, people not accessing needed services because of privacy issues, legal risks and liabilities to the organizations, the lack of resources to implement the privacy and informational requirements (not to mention the diversion of those resources from aiding the people to providing information to the government), the constitutional right of the province to implement this system

The government has shown, repeatedly, that it neither has the desire nor is capable of protecting the information they collect. As has been proven, when the government says that the information will only be accessed by those who “need” the information, they lie, or, at the very least, have yet to prove that it is not a lie.

Once this information is shared, it is “out there”, it cannot be taken back. The information shared will follow the people for the rest of their lives. And, the government, once it has the information, can change the rules and do whatever it wants with the information (example is the e-health system – when you gave your personal information to a doctor or hospital, over the years, did you know that it would be shared).

Also, the government has yet to operate in an open, transparent, accountable manner. So, we will not know specifically who is accessing the information.

June 13, 2011

DUTY TO DOCUMENT

In comments to the privacy review (1), Paul Fraser, Acting Information and Privacy Commissioner, recommended to “Add to FIPPA a “duty to document” key prescribed government decisions”. “The OIPC has investigated hundreds of complaints concerning the fact that a requested record does not exist, as one was never created”. “...a “duty to document” be contained in access to information legislation, which would include a requirement for detailed documentation of key government actions and decisions, and an obligation to keep records up to date and readily retrievable, with penalties for non-compliance. A duty to document key government decisions is critical to good governance.”
The government and all the agencies and corporations of the government don't like to document anything because that makes them accountable, which I assume, is one of the reasons the hospitals/clinics refuse to state specifically who has access to our information. So, I will provide some tips based on my own experiences:
1. We have a right to have the information provided by government in writing so I have been told by government staff. And, that you can report them if they refuse to put it in writing.
2. They (those who don't want to put it in writing) will tell you that it is easier to discuss it on the phone (or in person behind closed doors) and they will put the conversation in writing later. I have found that what is later written (if something actually gets written) usually has little resemblance to what was said. So now I insist that it be put in writing, and it helps to prevent misunderstandings.
3. They insist that they just want to say one thing on the phone (or in person). I think of it as the “foot in the door” tactic. They don't stop at one thing and, before you realize it, they have said everything. And nothing is in writing. If I get caught in this tactic now, I let them know that, since they lied and nothing was in writing, it didn't happen, the conversation never took place. And, because it isn't in writing, they can't prove the conversation took place.
4. I had one person from the government who kept phoning me, despite the number of times that I said that I wanted to communicate only in writing. I should have reported him but instead, if I answered the phone I would repeat that I wanted everything in writing and hang up. If he left a message on my answering machine, then I would email him, restating what he had said on the phone and providing an answer. That way he either had to deny what was in my email or, by default, agree that it was what he had said. The end result was that it was in writing.
5. If someone refuses to put it in writing when asked (government or other), if they won't be held accountable, then I know that what they have to say isn't worth my time (the hospitals are an example). And, in fact, may put me at risk because there is a reason they don't want it in writing. I also think it lacks in ethics and integrity.
There are obviously occasions when I don't need it in writing. It's a judgement call. But if I have to think about whether I need it in writing or not, I get it in writing.

(1) Office of the Information & Privacy Commissioner for BC, March 15, 2010, Submission of the A/Information and Privacy Commissioner to the Special Committee to Review the Freedom of Information and Protection of Privacy Act
(2) The Tyee, April 1, 2010, Andrew MacLeod, BC Lousy at Guarding Privacy

June 12, 2011

PRIVACY REVIEW

In an earlier blog (November11, 2009) I wrote that the government had decided to review the Privacy Act for the 3rd time since its inception, and that the committee was composed entirely of politicians and that I didn't have high hopes for a positive outcome.

Well, it is worse than even I expected. It appears that the real purpose for the review was to have the Privacy Act changed to allow the government to legally centralize control of all the personal information obtained from citizens who receive government services. This information would come from all sources contracted to provide government services, including independent community service organizations. The ICM (Integrated Case Management) system would be shared across provincial ministries (and god knows who else) since I'm sure they won't tell us who has access. ALL WITHOUT OUR CONSENT.
And the government wants to store the database outside of Canada. I'm sure that would be in the United States, where the Patriot Act would give the US access to all our personal information. That, of course, assumes that they don't already have it. To add insult to injury the “government” hired a foreign company to handle all our personal information. What's wrong with Canadian companies, Canadian people. The government always talks about promoting Canadian companies, Canadian jobs, then hires foreign companies.
Currently the government is only allowed to store our information outside Canada for short periods of time. Why does our information have to go outside Canada at all? As you will see in future blogs, the government is prepared to spend huge sums of our money in collecting our information, why don't they invest in protecting it – inside Canada. Then again, Nancy Napolitano of U.S. Homeland Security did say she wanted more information on Canadians. Maybe this is how it happens.

Privacy Breaches

The Acting Information and Privacy Commissioner, Paul Fraser, to his credit, has pointed out the governments inability to protect personal information. This was shown in a report, dated February 9, 2009 (I believe they mean't 2010), from the Office of the Information and Privacy Commissioner for BC, on an investigation on the large-scale privacy breach by the Ministry of Children and Family Development (MCFD). In the report “Commissioner Fraser found MCFD and MHSD failed to make reasonable security arrangements to protect personal information from risks such as unauthorized access, collection, use, disclosure or disposal as required by the Freedom of Information and Protection of Privacy Act (FIPPA). In addition, “Commissioner Fraser found a troubling lack of knowledge within the Ministries about the rules respecting the protection of personal information”. So, not only do they not protect personal formation, they don't even know the privacy rules.
Some of the recommendations in the report by the Special Committee to Review the Freedom of Information and Protection of Privacy Act (based on recommendations of various groups/individuals) are:

Recommendation 20: Amend the Act to allow an individual to consent to the collection, use and disclosure of their personal information by a public body (similar to the Personal Information Protection Act).
“OIPC and privacy advocates....questioned whether the concept of consent was meaningful because of the power imbalance between the clients and providers of on-line, integrated government services.”

This was from OIPC – Cantelon letter 21 Apr 10 – From Paul Fraser under Consent, Collection and Disclosure:
“We strongly disagree with government’s submission that FIPPA should permit collection of personal information with consent. One of the internationally recognized privacy principles is that the collection of personal information must be limited to that which is necessary for the purposes identified by the organization. Permitting government to collect more than is necessary via a consent mechanism violates this privacy principle and would be inconsistent with all other public sector privacy legislation in Canada. Any “consent” would be meaningless given that citizens would not have any genuine or real choice to consent if they want or need to obtain government services.”

As you will note in a later blog on the children, this can result in a situation tantamount to blackmail, i.e. give us your consent or we will deny you medical service.

Recommendation 22: Consider holding public consultations on data sharing initiatives.
The OIPC submission, presented to the Special Committee on March 31, 2010, also focused on the privacy provisions of the Act. The submission pointed out that new information technologies enable
data sharing initiatives on a scale and frequency that were never contemplated at the time the Act was drafted. The new ways in which the personal information contained in electronic databases is being collected, used and disclosed in data sharing projects raise significant privacy issues. When there is a bulk disclosure of personal information from a large database of one public body to another public body, citizens usually do not know how their personal information is being reconfigured, who is accessing it, for what purpose, whether it is accurate and how they can access it. This is particularly true where the transferred data is linked with personal information in other databases.
For this reason, the OIPC argued the public must be engaged in discussions around protecting privacy rights in data sharing projects. Its submission recommended that a code of practice be
developed by government in an open and transparent manner with stakeholder consultation through something like a White Paper process. A public consultation process on data sharing was successfully conducted by government and the Commissioner’s office in Britain in recent years.
The Special Committee supports the idea of a consultation process because we see it as a way to educate British Columbians on how the Act works now and how requests are treated by public bodies. We have concerns, though, about the prescriptive tone and broad scope of this OIPC amendment (as well as the one requiring the Commissioner’s approval for data-sharing initiatives).
Our own recommendation to government in regard to consultation is more modest.”

“Recommendation 23: Appoint a Government Chief Privacy Officer.
The OIPC submission also stated that a government-appointed Chief Privacy Officer is urgently required to act as a privacy advocate in the decision-making process and to ensure that privacy is fully
considered and respected in any new initiative. This recommendation had been made by the former Information and Privacy Commissioner, and the current A/Commissioner in his investigation report
into a recent privacy breach.
While the Special Committee is reluctant to create a new layer of bureaucracy, we think there is a need to educate ministries about what they can and cannot do in regard to privacy matters.”

If the public servants haven't learned to read, to take courses or have an interest in protecting privacy by now, or interprets the Privacy Act in a self-serving way, I wonder if adding another layer of government bureaucracy will have any value. I still believe that we need transparency. I believe the public servants need to know we are monitoring them, holding them accountable. We need to know exactly what information is being collected, why it is being collected, specifically who has access, and specifically what measures are taken to protect that information. This should be followed up by independent reviews.

“Recommendation 24: Amend the Act to require that data sharing projects for the purpose of research must be subject to ethics review by an arm’s length stewardship committee.
The OIPC submission suggested too that some form of specific ethics review is necessary and desirable for government’s data sharing activities for the purposes of research. Complementary research-governance measures should be adopted in addition to the approval role for the OIPC. A committee of experts should be appointed by government that would function in a manner similar to research ethics boards of universities and the stewardship committees of the Ministry of Health Services. It would apply the criteria in s. 35(1) of the Act and such other criteria as are considered desirable in the committee’s terms of reference. The committee’s approval should be a mandatory precondition to disclosure of personal information by any public body for research purposes.”

This comes back to transparency and accountability. A committee of unknown individuals, agreeing to share our information with unknown research organizations, for unknown purposes – unknown to the individuals whose information will be shared. Why not recommend that consent be obtained from the people whose information is being shared? Why not identify who the researchers are, who they work for, what type of research they are doing with our information, and who will have access to our information, and who profits. After all, who selects these committees – not us!! Whose interests will these committee members serve? And if everything is above-board, then there is no need to hide this information. I just see this as another form of secrecy, and if you have secrecy you must have something to hide, and that may be fine, if it's your information but it isn't, its ours.

And from BC Office of the Privacy Commissioner - 2010 Annual Report News Release
“The risks to privacy presented by the growth of networked databases is a growing concern for public and private sector agencies, and a key challenge for the Office of the Information and Privacy Commissioner. This message was delivered in the office’s annual report, issued by Acting Information and Privacy Commissioner Paul Fraser, Q.C. today. “The erosion of privacy protection is nothing new, but the nature and magnitude of the risks to privacy provide increasing cause for alarm.”
New technologies are enabling, and driving the creation of more and more personal information data bases. “These systems collect and match disparate pieces of information about us and create a digital persona that not only may we be unaware of, but which may not represent an accurate picture of who we are,” the Acting Commissioner stated. “Yet this information will be used in decisions that affect us. I cannot understate the urgency of building these systems in a transparent, restrained and accountable way.”
Perhaps the first questions should be – do we (the patients, the citizens) need these systems, and who benefits.

I have not heard what the government will do. It can ignore all recommendations, or some recommendation; in essence it can do what it wants.

June 10, 2011

AUDITOR GENERAL

I understand from a newspaper article (The Province, August 27, 2010 pg. A10) that Auditor General John Doyle is in trouble with the politicians. There seems to be a conflict regarding who he works for – the politicians or the people. Fortunately, he believes that he works for the people and keeps doing his job and exposing wrong-doings of the politicians, including the violation of privacy rights. I hope he continues and doesn't bend to political pressure.

There is a question I have regarding his report on the hosital database audit. Mr. Doyle's report says that so many people were accessing patient information that it was impossible to sort out who was accessing the information. Doesn't the CEO Dr. David Ostrow know who his suppliers are and which were accessing patient information? Doesn't the CEO, Dr. David Ostrow, know who was allowed into the “business room” to plug their computers in the database and whose information they downloaded or was this available to anyone walking in off the street, no questions asked?

Madam Justice L'Heureux, of the Supreme Court of Canada, – Dube in R.V. O'Connor stated:
“Respect for individual privacy is an essential component of what it means to be free...When a private document or record is revealed the invasion is not with respect to the particular document or record in question. Rather, it is an invasion of the dignity and self-worth of the individual, who enjoys the right to privacy as an essential aspect of his or her liberty in a free and democratic society.” - R.v O'Connor [1995] 4 S.C.R. 411 at paras. 114, 119 – pg. 17
So, when someone violates your privacy rights they are also destroying your freedom and democracy.
We appear to have a segregated society in B.C., those whose privacy rights are respected in word and in action, and the rest of us whose privacy rights exist only on paper. Which group are you in??

July 22, 2010

Last night, as I handed out information in front of St. Paul's, I met a lot of supportive people.

However, one man came up very close to me, at first I thought he had been drinking, and I started to back away but he grabbed both my wrists very tightly, holding my arms straight down, and said “You had better find a new activity in life”. He then went into St. Paul's. It all happened very quickly. I didn't smell any alcohol and I believe that he new exactly what he was doing. Later I noticed that I had a red mark on part of one wrist and broken skin.

I mention this because I think it is important that people understand the difficulties and risks that people face when they are peacefully and legally exercising their democratic rights in this country.

May 24, 2010

The Auditor General and the Office of the Information and Privacy Commissioner of BC (OIPC) conducted independent audits of one database (called PARIS) of Vancouver Coastal Health Authority (VCH). I commend them, particularly the Auditor General, for finally exposing the truth (or at least a good part of it) -- that our privacy within the health care system is virtually non-existent. I highly recommend that you read/skim the reports. Even if you don't understand it all, it will give you an idea of how badly our privacy and rights have been violated.
http://www.oipc.bc.ca/orders/investigation_reports/InvestigationReportF10-02.pdf
http://www.bcauditor.com/pubs/2010/report7/paris-system-community-care-services-access-and-security

I will reiterate some of the findings from the audits, with a few comments of my own. Please note that PARIS is just one of eight core databases operated by VCH. Patients are referred to as clients.

Privacy Commissioner's Audit:
- “One of the ethical obligations of every health professional is to protect the confidentiality of patient information. The assurance of privacy is essential for patients to be willing to engage in the frank communication with their health care providers that providers rely on to deliver quality care. Patients assume that their personal health information is kept confidential because it is such a well understood hallmark of the provider/patient relationship.” (pg. 5)
The protection of privacy is a fundamental value in modern democracies and is enshrined in ss. 7 and 8 of the Canadian Charter of Rights and Freedoms.2 - (pg. 5)
- “The following types of information are collected into PARIS: Names of clients, contact information of clients, personal health numbers of clients, allergies of clients, employment, funding or eligibility of funding, education, languages, case notes relating to treatment of clients, names of family members or friends of clients (known as “associated persons” in PARIS), contact information of associated persons, whether the associated person is receiving health care from VCH, financial information and social insurance numbers of clients.” (pg. 13)
- Information was illegally shared with other organizations. When the PCO pointed this out, the government just passed legislative amendments making it legal for VCH to share some of the information. (pg. 16) (pg. 27)
- The information provided to clients (pg. 16) by VCH was “incomplete”, in other words VCH wasn't telling everything about what happened to personal information. You will find this to be a recurring tactic in the health care/government system. It appears that the premise is that the less we know, the less we will question, the more we will trust the system and the more they can hide. And, as you will see, there was/is a lot they didn't/don't want us to know.
And, not surprisingly, I didn't find any reference to the audits on the VCH website.
- “VCH does not have a secondary use policy in place to ensure the conditions for the use of personal information for research are met.” (pg. 34) In other words, when giving research organizations personal information, VCH did not ensure that “high standards for privacy and security” were met. The Auditor General found that they was no follow-up to ensure that the information was used and disposed of appropriately.
- I found this information particularly interesting. “An important privacy principle is that individuals should have control over their own personal information to the maximum extent possible. One mechanism that provides an individual with the ability to control their personal information in an electronic system is a “masking” feature. This allows an individual to restrict access to personal information that is collected by the public body. In order for this option to be meaningful, the public body must inform individuals that the option is available; there should not be any barriers for the individual to exercise it; and the individual must be advised of the implications and have access to clinical advice. The ability of a client to mask their personal information is particularly important when its collection is mandatory.” “In PARIS, there is an Enhanced Information Security Client (“EIS”) flag feature in the system that enhances the ability of clients to control their own personal information in PARIS. “ (pg. 35) However, the only people who could utilize the EIS were “staff or family member of a staff person, notable person, and clients who can demonstrate the the PARIS security model does not provide sufficient security.” It's been my experience, through Providence Health Care, that VCH keeps its security arrangements, or lack thereof, secret, so how would anyone know if their information was secure, must less prove it. In essence, staff members and “notables” had rights, the rest of us didn't.
- I had a doctor ask me why I was concerned about my privacy, after all I wasn't important. I tried to explain that I thought I was a damn important person, just as important as anyone else. This was interpreted by the doctor as meaning that I thought I would be important in the future. The concept that I am important now, just as I am, with the same rights as anyone else, was beyond this doctor's comprehension. This attitude seems to be pervasive in the medical system, and I suspect, all government.
- “Because of the large number, and serious nature, of the deficiencies in security, we have chosen not to elaborate on them in this report.” (pg. 37) The Auditor General's report exposes these deficiencies (see below).
- “Archiving records is an effective means to minimize inappropriate access.” “We found that there was no archiving of records in PARIS.” (pg. 42)
- “In our view, the information that is provided to clients about their right to make access requests is inadequate in that it does not inform them about the process for making access requests, the possible scope of the request (e.g. audit logs), timelines, fees and where the request must be made. Improvements are needed to better inform clients about their access rights under FIPPA. With respect to an electronic health record system, clients should have access to the audit logs for their health record so that they are able to monitor disclosure of their own personal information.” (pg. 43)
- “there is so much access to client records that it is impossible to analyze the [audit] reports.” (pg. 51) Except, of course, for those privileged few using EIS.
- “It must be noted that many of the problems were not caused by PARIS, but instead were the result of human decisions in respect of how personal health information would be collected into, made available by and disclosed through the system, which is a human issue.” (pg. 53)
- “We found that VCH is routinely, and without legislative authority, disclosing identifiable data sets to other public and not-for-profit entities...” (pg. 54
- For employee's, “privacy training and education at VCH is inadequate.” (pg. 52) Actually, it appears to be almost non-existent.

Auditor General's Report:
- “ Maintaining the confidentiality and integrity of individuals’ health care records is profoundly important. Failure by health care organizations to properly manage and safeguard this information could have serious consequences, from compromising an individual’s privacy to enabling identity theft or other fraudulent use of personal information to occur.” (pg. 1) ” If adequate controls are not in place, the results could be loss of individual privacy, corruption or manipulation of client information, medical identity theft, or system failure.” (pg. 5) Remember that this system has not been properly managed since its inception in 2001 and this probably applies to all health care information in other systems.
- “I undertook an assessment of a clinical information system used by the Vancouver Coastal Health Authority (VCHA)...In every key area we examined — from the management and assignment of user access to security controls within the health authority’s computing environment — we found serious weaknesses.” (pg. 1) (bolding is mine)
- “Because PARIS users are not granted access on a “need-to-know” basis, sensitive and confidential health care records were accessible to thousands of users who have neither the need nor the right to see the information. Security controls throughout the network and over the database were so inadequate that there was a high risk of external and internal attackers being able to access or extract information, without VCHA even being aware of it. Fundamental controls to prevent or detect unauthorized access to the system were lacking, and monitoring to determine what data exchanges occurred was also insufficient.” (pg. 1)
- “In several areas, the governance and direction that staff needed to build a secure environment were not in place. Staff were not provided guidance on security controls to mitigate risks. The organization did not have an IT security policy and basic security practices (such as building layers of defense within the system) were inadequate.” (pg. 1)
- “Due to the seriousness of the deficiencies, I delayed the publication of this audit report to allow sufficient time for VCHA to address the security vulnerabilities we identified, thereby ensuring that this report would not further expose the system to potential compromise. I have been satisfied with the responsiveness and significant effort that VCHA has put into addressing the most significant problems, in a relatively short time. Over the next months, my staff will continue monitoring the actions of the VCHA in addressing the remaining audit findings. Based on the conclusions of this audit and other work performed by my staff, some of the fundamental security weaknesses identified in this information system may be present to some degree in other government systems. The findings and recommendations reported here should therefore be of use to other organizations in the health industry, as well as in other sectors. Adequate security controls should be built into any system, and it is equally important to undertake regular reviews of critical systems to ensure that they remain sufficiently secure.” (pg. 2)
- “We have not published all the details of the findings and recommendations from the detailed management report, to avoid introducing additional security risks. We consolidated the most significant recommendations from the detailed management report into 10 key recommendations.” (pg. 6)

Recommendations (Please go the Auditor General's Report for the complete version):
“Access is beyond “need-to-know” - Access granted to PARIS client records is excessive, with users in many cases having full, unmonitored access to all client records. ( pg. 6)

System Security is Inadequate – Controls to detect and prevent external or internal attacks are not adequate. (pg. 7)

Security Policies are Lacking – The lack of a comprehensive security policy for PARIS has contributed to the absence of other fundamental security controls in the system and of the processes affecting the network, database, operating system and application security. The overall organizational security culture has not set the right tone for a secure environment. (pg. 7)

The database is not secure - Lack of proper database security controls means that errant data could be input, data could be corrupted, unauthorized viewing or data extraction could occur. There have been several irregularities, including connections made to the production database by non‑production servers; vendors having continuous database access; users gaining access to the database directly through unprotected roles; and support staff having access to powerful database privileges that should be restricted to database administrators. - (pg. 8)

Risk of data leakage - There are insufficient controls to ensure that client information stored on PARIS has been safeguarded from inappropriate disclosure for the personal or financial gain of insiders or external intruders. Logs are not monitored; traffic to the database is not restricted; information extracted from the database is not tracked; default passwords have not been changed; and the database management privileges are not properly restricted. - (pg. 8)

Monitoring is not Adequate – Inadequate visibility, logging, monitoring, analysis and management of audit trails could result in external or internal attacks going undetected. Most logs are not monitored, limited information is collected, and log management capabilities are insufficient for consolidating and analyzing the logs. (pg. 9)

Access Is Not Properly Maintained – Inadequate user ID and password management practices could put the system at risk of unauthorized and undetected access. (pg. 9)

Unsecure network access - Current system settings and practices do not restrict unsecure connections to be made into sensitive systems. Physical connections in meeting rooms allow non-VCHA computers to connect to the internal network and the Internet. Unaccounted-for laptops are able to connect to the internal network, remote access servers are allowing connections to bypass perimeter defences, and Virtual Private Network (VPN) users are granted too much access within the internal network. - (pg. 9)

Inadequate Traffic Control on the internal Network – Within the internal network, there are no access control mechanisms to restrict traffic to critical servers or to reduce the spread of viruses or malicious code throughout the network. (pg. 10)

Record management practices are lacking - No classification system or retention policies are in place to effectively guide or manage the removal or archiving of client records that are no longer relevant. These records therefore remain accessible and viewable in the system indefinitely.” - (pg. 10)

Additionally, on page 20 the report states: “We found that a comprehensive security policy for PARIS does not exist. Only a few security policies are in place, and some of those have only recently been established. In all of the IT areas we assessed, we found little guidance provided to IT support staff to tell them what security controls should be implemented.”
On page 22 the report states “Both IT and application support staff have full, unmonitored access to all information”, and “Open vendor accounts exist, allowing health care data to be copied even outside the VCH at any time.”
On page 24 the report states “We found that that some users with former employment or contractual relationships with the Vancouver Coastal Health Authority are still able to access the PARIS network and its resources.
„. Processes are not always followed to remove or change a user’s access when his or her employment or contractual status changes.
„. We found that hundreds of former users, both employees and contractors, still have access to resources through active application accounts, network accounts and Virtual Private Network accounts.
„. Passwords for powerful, privileged IT support accounts have, in some cases, not been changed even though users who know the passwords have left the employment of the health authority.”

After reading this – major deficiencies in every area, 127 recommendations by the Auditor General, you really need to read VCH's response on pg. 11. I think this is symptomatic of the system – the creation of an illusion. Some quotes from Dr. David Ostrow, President and Chief Executive Officer:
“We also know that safeguarding that information is crucial — not just to comply with legislation, but to build confidence and trust in those we serve.
VCH believes that PARIS has served our community patients and clients well without any demonstrated risk to safety.
As you are aware, VCH has always placed a strong emphasis on the protection and confidentiality of patient/client information.
VCH acknowledges it cannot become complacent in the areas of security, confidentiality and protection of privacy.”

I really think this guy wants an award. There is no apology, no recognition of the damage done. Quite the opposite, he just wants to blow it off, an “oh well, no harm done” and “aren't we wonderful” attitude, as if his words still had value. Major deficiencies in every area, virtually open access to all our information but he says that “VCH has always placed a strong emphasis on the protection and confidentiality of patient/client information” A complete disconnect between words and actions, to put it politely. Really, how disgusting, how reprehensible.
As one woman, who came up to speak to me at St. Paul's, pointed out, that even if the security was made perfect today (won't happen) all our information up to today is “out there”. We don't know who has it, how it's being used, or when it will be used against us. Actually, some people I have spoken to have already run into problems.
Dr. Ostrow's kind of statements I think of as propaganda/brainwashing. If you say something often enough, no matter how far it is from the truth, people will start to believe it. It is the difference between words and actions. It is a recurring tactic in the government system.
The medical/government system has lost and does not deserve our trust. In my opinion, they have lied, manipulated and conned about the status of our personal/medical information. In fact, it appears that that our personal/medical information has never been protected, at least since they started using computers, and probably before then.
When I filed my complaint with the OIPC 6 years ago, I was told that the hospitals had never taken steps to determine if they were in compliance with the Privacy Act. So, to the best of my knowledge, this is the first audit that has been done since the Privacy Act came into effect in 1993. So, it took them 15 years to do one audit.

To add insult to injury, I still have people, who say they work at St. Paul's, tell me that the system is good. One person said that at meetings they are told to “ssh”, they aren't suppose to say certain things that are private. Presumably I am suppose to believe that our information is safe because they have a “ssh” policy (at least at meetings). This is someone who works in the system and who, therefore, must have a good idea of the lack of privacy.
As pointed out by the Auditor General, the systems will evolve to meet changing needs, and “Any computing environment has risks that must be constantly addressed and managed.” If the medical system has such a complete lack of concern on security issues now, how can we trust that, even if forced to meet minimum standards today, they will do what is required to meet future minimum security standards.. And again I reiterate, only one core database in one health authority as been audited.
“They [VCH] have told us that the most significant deficiencies identified have been fixed.” (pg. 6 – Auditor General) First of all we cannot trust the VCH to tell the truth. Have they fixed the major deficiencies? We don't really know because it has not been checked by an independent source and VCH has repeatedly lied to us about the security of the system.
The OIPC and Auditor General offers “recommendations”. They will monitor VCH over the next year to see if VCH implements the “recommendations”. Again, I assume they will rely on VCH's “word”. Will we be told if VCH doesn't implement some of the recommendations? Quite honestly I doubt it.
The rest of the medical system is presumed to be as bad or worse. Who is going to ensure that they are “fixed”.
While I commend the Auditor General on the audit, I want to point out that I take exception to a statement by the Auditor General that “security is not the main focus of the health care system”, implying that it is understandable that they made these horrendous errors. People walking or driving don't have the traffic laws as their main focus, but will be fined and even jailed if they break the laws. Most people's main focus is earning an income, not paying taxes. Yet, they will be fined and even jailed if they break the tax laws. VCH will not be fined (of course they would pay with our money anyways), no one lost their job, was disciplined or was charged. These people who have been violating our rights for years will not be punished in any way. That's how much our rights matter.
When there is no trust, it leads one to wonder if some of the information collected illegally was done so because people, who had illegal access to our information, wanted it. Are tests, not necessary to the patient's health care, being done for other purposes? Etcetera.
Also, has anyone heard from the doctors or nurses, etc. or their associations or unions? Have you heard of any of these standing up and saying this is wrong and needs to be fixed? I haven't, with the exception of a report, from the doctor's association, outlining their concern regarding the central health database, and I don't believe it addressed the essentially non-existent security in the medical system. I have had some doctors, etc. come to me and tell me that I'm wrong, that our information is safe. But I have also had doctors, etc. tell me, quietly, that I was right. One doctor told me that the loss of information from the hospitals wasn't a leak but a flood. So true. But the reality is that one person, such as myself, shouldn't have to spend 5 years, and counting, standing in the streets, bringing this to people's attention, taking all the abuse, when so many people knew the truth.

Suggestions:
Please note that I hope these suggestions are just the start of an open discussion by the people of this province on how best to make the medical system, and the protection of our information, more transparent and accountable to us (ie. all the people).

1. We need to have the medical system continually monitored
2. We need someone who is independent of the government to continually monitor the health system. PCO calls itself independent but when the privacy commissioner is appointed by the politicians and your career advancement is dependent on the politicians, you are not independent. In addition, PCO has to stick to looking at what is legal, what is allowed under legislation. We need someone who can look past that, to what should be made legal, or what legal rights should be revoked, and what other methods/systems could be used to accomplish the same purpose (ex. sharing information) that would not impact our privacy.
3. I am concerned with the frequent reference in the OIPC report that if the hospitals want to share information, just have yourself designated as a health information bank under the E-Health Act, which legally allows sharing. I think this needs to be reviewed.
4. Possibly this person(s), group(s) could be elected. I would suggest we have more than one person/group reviewing different hospitals or they could alternate health authorities so a person (group) does not become embedded. Their findings could be put on a website and/or their could hold public forums to hear people's concerns and experiences.
And for those of you who would like to accuse me of doing what I do for reasons other than “protecting my rights”, I would not be the slighest bit interested in auditing the hospitals. And my word has value.
5. We should know about any person/group who is looking into privacy issues in the health care sector, who they are, who pays them, and the scope of their mandate. They should not be allowed to hide in the shadows.
6. Information should be shown on a website and/or other means, accessible by the public, sufficient to allow the public to know who has access to their information and under what circumstances. For example, The OIPC has recommended a role-based access control system. “role-based access control (is) capable of mapping each user to one or more roles, and each role to one or more system functions.” (pg. 20). This mapping could be provided to the public.
7. The public should be told, via a website and/or other means, what information is being provided to what research organization for what research. If everything is above board, then there is no need for all the secrecy. The general topic of the research would probably be sufficient.
8. as recommended by the OIPC, people should be informed what to do to mask their personal information.
9. As recommended by the OIPC clients should y receive a copy of audit logs automatically.”(pg. 42). Plus, there shouldn't be roadblocks to a patient accessing their medical information. One of the most frequent complaints I hear, when I am outside St. Paul's, is how difficult it is to get access to their own information. Interesting isn't it, when everyone else has access. I also think of this as a tactic to make it appear that the front door is locked tight so people wouldn't notice that the back door is wide open.
10. One central committee should prepare the forms for the health authorities. This would help to ensure that all forms ask legal questions, are easy to update and audit, and would save taxpayers a lot of money by reducing redundancy.
11. Efforts should be made to determine who has illegally collected our information, and have it deleted, after informing the “client”. A law should be passed which states that anyone having and using patient information, unless directly related to patient care, will be severely punished. But I don't know what you do about the information that has gone out of Canada.

The medical system has lost all right to be trusted. I now operate on the basis that if they can't prove, it isn't true.
And, in the medical system, the only safe information is that which isn't given or is false.

May 10, 2010

A lot has been happening in the last few months. For example, an audit showing the appalling lack of privacy protection of our medical information, Gordo et al wanting all our information (medical plus all our other information) in a database in the US, etc. So, there will be several new postings in the next short while, as soon as I have finished reading all the reports.

April 13, 2010

I am going tell you about a privacy problem with Revenue Canada. The story is true but I will use Party A and Party B to protect the privacy of the people involved. It illustrates so well the huge gap, the contradiction, between what the government (any level of government) says and what it does.

Party A received a notice from Revenue Canada stating that authorization had been given to Party B to access Party A's tax information, in accordance with the form signed by Party A. Party A immediately phoned Revenue Canada informing them that Party A had never signed any such form. Revenue Canada immediately removed Party B's authorization to access Party A's supposedly confidential information.

Party A then asked for more information, such as a copy of the form, how it was submitted (by mail or fax), etc. because this involved potential violation of privacy rights, fraud, forgery, etc. Party A was told to fax a request and given two fax numbers. A fax was sent to the first number and when a reply wasn't forthcoming, a fax was sent to the second number. Two months later Party A still had not received a reply. Despite contacting Revenue Canada several times and explaining that the situation involved a potential crime, requesting to talk to someone or be given an email to contact someone, no help was given. There was no one that Party A could talk to, or email, regarding this potential crime.

Finally, Party A sent emails to the Minister of National Revenue and the local MP (who was from a different party). No response was ever received from the Minister of National Revenue but the local MP was able to get an answer from the local Revenue Canada office.

An “investigation” was conducted, and Party A was told that Party A's identifying number had been inadvertently entered on the form but Party A's information had never been accessed. Revenue Canada obviously hoped that would be the end of it.

But Party A pointed out the list of errors, the problems in their system:

1. Party A's identifying number was entered "in error" on a consent form (or so it was claimed).

2. The information was input into Revenue Canada's system even though the other information on the form did not match the identifying number.

3. Two faxes were sent to Revenue Canada and "lost".

4. Despite the fact that this was identified as a potential CRIME, there was no one Party A could speak with. Was this an error on the operators part (because Party A spoke to several) or was this policy? If this was policy, why does Revenue Canada have a policy that a person cannot talk to someone about a potential crime

5. Revenue Canada stated that the consent form was processed at the same time that the notification letter went out. In other words, access was granted before there was time for the notification letter to reach the recipient and allow the recipient to take action. In other words, someone wanting to access another person's information has however long it takes for the notification letter to reach the recipient and have the authorization cancelled and, if the recipient is away, even longer. Is it policy to allow access at the same time the notification was sent out or was this another error?

Party A asked why the mistakes were made and what they were doing to fix the problems? Revenue Canada's response was that they were committed to providing the best possible service but refused to answer the questions. This is also the government that says that they will get tough on crime, but in fact don't even want to hear about it.

Do you see the difference between the words and the actions? Do you really think the provincial government and its agencies care, any more than the federal government, about the protection of your privacy?

January 10, 2010

People have said to me that we should be grateful for our health care system and not complain because other people don't have as good a health system. They speak as if this is a gift from the hospitals. It isn't. The people of this province and this country, in their wisdom, chose this system. The citizens of Canada pay for this system because they want every person who needs health care to have access to it. This health system belongs to the people. The medical system, and the people who work in the medical system, work for the people of British Columbia and Canada. If the people who fund the system want to know where their information is going, why won't the people we employ provide it?

Tracey Tyler, wrote in the Star, Jan. 14, 2009, of a court ruling in Ontario (in this case regarding the Toronto Police Services Board) that required , “municipal government institutions to produce any electronically stored information the public has a right to see, even it requires using new technical expertise to develop new software”. So, if the police are required to provide information that the public “has a right to see”, why aren't the hospitals?

November 11, 2009

The government has decided to review the Privacy Act for the 3^rd time. The committee reviewing the Act is composed entirely of politicians. Needless to say, I don't have high hopes for any beneficial outcomes (for the general public).

Even if the politicians actually did make a beneficial change, what do we gain. If you don't implement the Privacy Act, it is nothing but useless writing on paper. As we have seen, the government seems to be one of the worst organizations for ignoring the Act. When I first asked questions about privacy at the hospitals, the hospitals had not brought themselves into conformity with the Act, even though the Privacy Act had been in effect for 13 years. When I made phone calls to the hospitals inquiring about the Privacy Act, the people I spoke to had no idea what I was talking about. I was asked what I meant by the Privacy Act, what was the Privacy Act, what is a Privacy officer, etc. These were front line people dealing with the public. So, if after 13 years, hospital staff had no idea what the Privacy Act was, how could they be expected to implement it, to protect our privacy.

Have you walked into a retail store, or an insurance office, etc. and been asked questions? If you ask them why they need this information, do you get a straight forward answer, as is your right under the Privacy Act. Or, do you get answers such as “the computer needs it”, “everyone asks these questions”, “I don't know so just answer it otherwise I won't sell you the product”? In most cases, you have to be very persistent to get a real answer; in some cases even that doesn't work. Most people (general public) aren't that knowledgeable regarding the Privacy Act and/or assertive. And those who are, I suspect often get tired of the fight or, like me, just try to minimize buying anything new. So, the end result is that people's privacy rights are not respected or protected because the Privacy Act is, for the most part, not enforced.

I find it ironic that the politicians will be commemorating Remembrance Day, commemorating the people who fought and died for our rights (including our right to privacy), while they make a mockery of those rights.

I continue to receive threats, some subtle and some not so subtle, while handing out information in front of St. Paul's. For example, I was told that if I came back again I would be given something to be really concerned about (I have been back since). I was told by another person that people who do what I do (peacefully exercise my democratic right to hand out information) “often go missing”. I will not be out as much during the winter months but if I am not in front of St. Paul's for any length of time -- I may have gone missing. This is our democracy.

October 8, 2009

Were you aware that the government had proclaimed September 28 to October 2 as “Right to Know Week” in BC. The government recognizes that the BC Privacy Act grants the people of BC a right of access to information in the custody or control of public bodies.

Ok, I'm back. I had to take a break. I was laughing so hard I couldn't type. I'm sure the politicians are laughing equally hard at the “Right to Know” statement and anyone who actually believes it. “Right to Know” week – what I can only consider as another hypocritcal farce brought to you by the government of BC.

August 8, 2009

Today, as I stood outside St Paul's handing out information, I was approached by two of their security guards, two big guys, who stood in front of me and told me that I was on public property and did I have a permit. Believe me, this was not said nicely; it was said in a tone and manner that I felt to be very threatening. One guy told the other to contact ? (I didn't catch who they were phoning), as far as I knew it was the police, athough I wish they had been called. I was very confused because I knew that I didn't need a permit. I thought they mean't that I was not allowed to have my things on St. Paul's property so I moved my papers and petition off the ledge and put them on the sidewalk and said “I am on public property, now get the hell out of my face”. They did not move, they didn't explain what they were doing, just continued with their phone call and I felt as if I was about to be thrown in jail or charged with some crime although I had no idea what that would be.

A few minutes later they walked up the street and talked to someone. This person then walked towards me and told me that he had explained to the security guards that I was on public property and that I had a right to be there, and they didn't know that. It would appear that he was their supervisor, although he never introduced himself. He did have courtesy to apologize but then said “no harm done”. Well, there was harm done. When you threaten someone, when you treat them like a criminal, when you demand information you have no right to demand, especially when the person has done nothing wrong, there is harm done. And I am sure the people walking by thought I had done something wrong by the way I was being treated.

The three boys made a rapid retreat into St. Paul's.

June 10, 2009

A woman came up to me and claimed that she worked in a hospital (not St. Paul's) and said that everything was corrupt so why was I worried about the hospitals. I find it sad that someone, and I'm sure there are others, believes that everything in our society is corrupt. Have we really reached that stage? But, whether you believe that “everything” is corrupt or if you believe that just some things need to be fixed, rather than give up, is it not better to strive to change things?

She also said that I cannot change the world. I don't think I'm trying to change the world, only a very small part of it. But on the other hand, yes I can change the world by doing something positive. I can do one small thing, even if it's just raising awareness, and someone else can do one small thing and so on and change will occur.

April 12, 2009

According to BCGEU, the BC government is planning to outsource, to a US company, the operation and maintenance of the mainframe computer servers that contain all provincial documents and e-mails. Does this include your health information? Just in case it doesn't, another US company will maintain the provincial health data base.

As early as June 2009 the BC Government will implement its provincial database collection of your personal/medical information. The website www.optout.ca provides detailed information, information that should scare you.

This site will tell you that the Province has not stated who will have access (although apparently it will include the government), and whether it will be given to third parties. It does say that the Province used a US-based multi-national company which will be subject to the Patriot Act, allowing the US Government to access this database.

Will it save money? It's possible. Because I'm sure a lot of people, who need medical care, will not access the health care system because of privacy concerns.

A few excerpts from a talk given by Michael Vonn of the BC Civil Liberties Association (Database Nation and Health Privacy)-

“And just so you are clear about the scope of the access, the plan is ultimately for a Pan-Canadian e-health record system. Canada Health InfoWay -- which is an organization which receives a lot of money from the federal government, but is not “government” for the purposes of access to information laws, so is completely unaccountable to citizens – exists solely to promote centralized electronic health records, first provincially and ultimately linked so as to be accessible nation-wide.”

“....this is ultimately the thin edge of the wedge. BC’s electronic health information infrastructure is meant to anchor an integration project called the Information Access Layer, which includes the Integrated Case Management Project. This is a massive information-sharing project meant to encompass the entirety of social services in British Columbia and to link information about us from the Ministries of Employment and Income Assistance, Children and Family Development, Health, Education, Justice and the private sectors contractors for all of the above. The government has already issued an RFP, (a Request for Proposals) for this project.”

Please read this article in full, plus “So, what the heck is eHealth”, as well as the other articles. It's your health, it's your privacy, or at least it was. You can choose to do nothing and give away your rights or you can choose to try to protect those rights.

November 4, 2008

According to a Vancouver Sun article, by Chad Skelton, September 17, 2008 “BC nurses are being allowed to quietly leave their jobs, even under the cloud of accusations of drug misappropriation, abuse and rank incompetence.” They have not been formally disciplined , prosecuted or fined and may apply to return to nursing. No details of their misconduct were made public. This is another example of the shroud of secrecy the medical system has around its actions. Also, if hospital staff are not being disciplined for these offences, how likely are they to be disciplined for violating a person's privacy??

However....An article in the Globe and Mail, by Catherine O'Neill, October 17, 2008, states that Alberta is putting the “often sensitive and private” personal health information online. I read that Ontario is doing the same but on a limited, trial basis. So, hospitals certainly don't mind putting your information online. How safe do you think that is??? How long before it's in BC???

October 12, 2008

A man, who said that he worked for the computer section of a hospital authority, stated that pharmacies have access to our medical records. He said that you could put a password on your record at the pharmacy so no one in the pharmacies could access your records without this password. I had heard something very similar last year from a person who I understood to be a pharmacist. He said it was the way of the future and implied that we had no say in it.

I visited a couple of pharmacies and they denied having access to our medical records. The people at the pharmacies said that they only have access to the information provided by a person to that individual pharmacy. I will continue to monitor the situation and find out if it changes.

-->

One of things I have noticed, when giving handouts, is the range of people interested in the privacy problem. The people are not only from all over BC but from other provinces and countries. People from other provinces expressed an interest in learning if their province had similar problems.

The European's discuss how the different countries protect people's privacy. Some European countries appear to have really good rules for protecting patients privacy. Many Europeans expressed disappointment that we would be having these privacy problems as they had heard that our medical system was good.

Thursday, September 4, 2008

Threats

One of the things that surprised me, when giving people my handouts in front of the Catholic hospitals, is the number of threats that I have received. I have not proposed blowing up the hospitals, I have not engaged in civil disobedience, instead I have legally exercised my democratic right to question and to inform people. Yet, I have received comments such as “Give them what they want or die”; a couple of times I was told that I am probably now in the hospitals records as a troublemaker and that I may be given a very difficult time if I go to the hospital; I have heard comments such as “I hope you never, ever have to use their services” (implying that if I do I will receive substandard or worse “care”). I have heard quite a number of variations on these threats. Will my health/life be in danger if I go to one of these hospitals? I don't know. However, I do not intend to go to a Catholic hospital again for a number of reasons, nor will I ever again step foot in a Catholic church.

What concerns me is that not only should an individual expect to receive the same care as everyone else regardless of their beliefs, politics, religion, nationality or because they stand up for what is right, there should not even be a perception that a person would receive inferior care.

Of course, money will continue to be taken from my pocket to pay the wages of the hospital administrators and staff and otherwise support these hospitals.

I won't describe the other abuses that have been heaped on me. But it is telling that these people support the medical/catholic system as is. I have obviously hit on a very, very sensitive nerve. I can only wonder why this topic is considered so sacrosanct that these people would do the things they do and say the things they say.

The other side of the coin are the people who have offered their support because they are concerned, even fearful, about who is receiving their personal information. And they agree that we have the right to know.

Crime

I have had a few people say to me that I shouldn't be concerned with whom the hospital shares our information. After all, anyone can get all your personal information off the internet. Well, it appears this is not true. If it were, there would be no need to use methods such as buying the information from employees, as noted in the article below.

National Post, August 23, 2008, pg. A6 [bolding is mine]

Personal and financial information is becoming just as attractive as cocaine and marijuana to Canada's organized crime groups.

The problem of identity theft and fraud has become such a concern to police who investigate organized crime that it is the main focus of Criminal Intelligence Service Canada's annual report.

“As we move more and more to the Internet and the technology being used, the risks are increasing. A lot of the public are not very careful about their identity,” said Commissioner Elliott....

Inspector Roberty Chartrand of the Montreal police said investigators are noticing an increase of cases in which employees of companies and institutions are being tempted by the lure of easy money and selling large quantities of personal and financial information.

“We've noticed over the past year that there are a lot of people involved in different companies who give information from the inside to organized crime members. It's not necessarily on the street [level]. It's more like companies, government, it's almost everywhere,” said Insp. Chartrand, who is also head of Quebec's criminal intelligence bureau.

“It's a pretty new phenomenon for us. It's a nationwide problem.”

Some people are not very careful about their identity. But a large part of the problem are the companies/organizations, such as hospitals, who demand information they do not need and who refuse you service if you do not provide it. Obviously, the more companies/organizations that have your personal information, whether you give it to them directly or it is given by companies/organizations such as hospitals, the greater the risk.

This is why we need to know with whom our information is being shared, how much is being shared and the circumstances. We need to monitor that our information is being shared appropriately and that the appropriate safeguards are in place.

2007-07-29T19:59:00.000-07:00

To receive a copy of the following petition to collect names from your family, friends, neighbours, co-workers, etc. , e-mail me at searcher@imagen.ca and specify if you want an 8-1/2 x ll or 8-1/2 x 14 page.

I am looking into the possibility of setting up an online petition. Until then, as soon as the weather warms up, I will, at various times, be outside St. Paul's Hospital, St. Joseph's Hospital, skytrains and possibly other places, if you wish to sign the petition.

PETITION:

To the Honourable the Legislative Assembly of the Province of British Columbia, in Legislature Assembled:
The petition of the undersigned, concerned citizens, of the Province of British Columbia, states that:
To promote openness, transparency, accountability and protection of rights we request that:
(1) The Freedom of Information and Protection of Privacy Act (FOIPPA) be changed so that information may be collected, used and shared only with PATIENT CONSENT.
(2) The public are entitled to know SPECIFICALLY to whom we are consenting to share our information and how much information we are consenting to share. (Specifically means are they computer companies, janitors, food services companies, volunteers, etc., why do they need to access medical information, how much can they access, and is access limited to certain people in the company).
(3) The public be involved in the decision-making regarding the provincial and national medical databases being created; that our written consent be required before putting any information in the databases; that we have the right to say “NO” to putting our information in the databases.
(4) The public be given information on the new committee set up to look into privacy issues in the health sector.
(5) Privacy audits be conducted by an independent organization to ensure compliance by the health sector and the results made public.

Dated this ______________ day of _________________,

NAME (Printed) SIGNATURE ADDRESS POSTAL CODE
1. ________________________________________________________
2. ________________________________________________________
3. ________________________________________________________
4. ________________________________________________________
5. ________________________________________________________
6. ________________________________________________________
7. ________________________________________________________
8. ________________________________________________________
9. ________________________________________________________
10. _______________________________________________________
11. _______________________________________________________
12. _______________________________________________________
13. _______________________________________________________
14. _______________________________________________________
15. _______________________________________________________
16. _______________________________________________________
17. _______________________________________________________
18. _______________________________________________________
19. _______________________________________________________
20. _______________________________________________________
21. _______________________________________________________
22. _______________________________________________________
If you have completed this form, do not append sheets of paper
or write on the back of the sheet. To add more names and
signatures, please print or photocopy a new form, as names without the correct petition heading and wording will not be valid. For more information please visit www.hospitalsandprivacy.blogspot.com

4. Providence Health Care

2007-04-16T18:03:00.000-07:00

Providence Health Care (PHC)

February 2005

I went to Mount St. Joseph's Hospital and I was asked questions that I believed to be illegal. When I protested I was told that if I did not answer all the questions that I would not be allowed in the hospital for tests (which I later found out was illegal). They also refused to explain why they wanted the information (also illegal) except to say, regarding the religion question, that they are a faith-based hospital (what happened to separation of church and state). Mount St. Joseph's Hospital is run by Providence Health Care, a catholic organization, which runs St. Paul's and other hospitals.

February 24, 2005

I filed a complaint with the OIPC.

"When I went to Mount Saint Joseph Hospital on February 18, 2005, I was required to provide information that I believe contravenes the Privacy Act.

I was required to tell them my religion, my occupation, who employed me, and how long I had lived at my current address. I was not given an option of providing the information. When the woman asking the questions asked what my religion was, I asked her why she wanted to know. She said that it is just a question, and repeated the question. I asked again and told her that I didn't want to provide this information. She said this is a catholic hospital (I thought it was a public hospital) and that they wanted it on record in case I should need...(I can't remember the exact words, but essentially it was final rites or whatever). I was trying to get into the hospital for a 10 minute procedure.

When she asked me the other questions, I again asked why the questions were being asked. Again, she said it is just a question, and would repeat the question. I told her that I didn't want to answer these questions and I was told that before I could be admitted (ie. have the procedure done), the form had to be filled out. In other words, I had no choice if I cared about my health. I felt that I was being black-mailed.

I want to know:
1. Why are these questions asked? How does the hospital having this information relate to a 10 minute outpatient procedure (or any procedure/stay)?
2. Why was I refused an answer when I asked why this information was required?
3. Who do they share this information with? (I want names)
4. I want this information deleted from every database or other recorded place.
5. They already had information on me in their database although I don't recall ever being in their hospital. Where did this information come from?
6. The length of time at my current residence is not noted on the form. So obviously it wasn't even necessary to fill out the form. So again why was it asked?
7. When did they start asking these questions because I don't recall ever being asked these questions in the past?
8. I want their procedures and form changed because I do believe that it violates the privacy act. At the very least people should be informed why these questions are being asked, and which questions are optional.
9. Also, there were two pages related to being admitted and I was only given a copy of page 1. Why wasn't I given a copy of page 2?

I believe that demanding to know a person's religion is a violation of the criminal code. Do you pursue this or do I need to see a lawyer?

Comment:
You may wish to continue reading the details. There is a lot to be learned from them or you may wish to go to the final report prepared by OIPC, dated January 3, 2006.

March 1, 2005

Response from Morag Wilmut, OIPC

"We have received your complaint under the Freedom of Information and Protection of Privacy Act (the Act) about the information Mount Saint Joseph Hospital collected when you went to Mount Saint Joseph Hospital on February 18, 2005.

It is the policy of the Office of the Information and Privacy Commissioner to refer a complainant back to the public body, where the complainant has not first given the public body an opportunity to respond to and attempt to resolve the issue. There is no indication in your letter that you have contacted Mount Saint Joseph Hospital in writing regarding your concerns. We are therefore not assigning your complaint to an officer for investigation at this time. You may instead contact the Mount Saint Joseph Hospital in writing regarding your complaint. I am enclosing a complaint form you may wish to use when contacting Mount Saint Joseph Hospital.

Once you have received a response from Mount Saint Joseph Hospital about your concerns, if you believe that they have not dealt with it adequately, you may wish to write to our Office again. If you decide to do this, please provide us with written details of both your complaint to the Mount Saint Joseph Hospital and Mount Saint Joseph Hospital's response. At that point, we will consider whether further investigation by this Office is warranted."

March 1, 2005
I sent the exact letter to Mount Saint Joseph Hospital, Privacy Officer, only leaving out "Do you pursue this or do I need to see a lawyer?"

April 6, 2005

I received a response from Zulie Sachedina, Vice President, Human Resources and General Counsel, Providence Health Care.

"I am writing in response to your complaint regarding Mount Saint Joseph Hospital under the Freedom of Information and Protection of Privacy Act (FOIPPA) and your letter dated March 11, 2005.

I will look into your concerns in detail; however, in light of this complaint being made under FOIPPA and wanting to ensure we follow the proper protocols, I am writing to ask if you will provide permission to release your name to the departments who may have been involved in your care at Providence Health Care. If you agree, it will enable us to look at the circumstances in your individual case.

Please reply back to me, in writing, whether or not I can release your name to others within Providence Health Care, with the sole purpose of reviewing the concerns detailed in your letter. If more convenient you may fax me at 604-806-8894."

April 7, 2005

My letter to Ms. Sachedina

"No, you may not release my name to the various departments. Who I am, at this point, is irrelevant; I do not believe that I was being singled out for different treatment by your admitting office. You have a standard form on which you ask certain questions, as identified in my last letter. You refuse to admit people unless they answer these questions. Why?
If you still feel you need to ask departments about me, as an individual, then I want to know which departments you need information from, what this information would be and why you need it?"

Comments:
I did not believe that I was being discriminated against and therefore this problem went beyond my individual case. It affects everyone who enters the hospital and I wanted it resolved on that basis. And why would she need to contact all the various departments involved in my care to address an admittance form issue?

April 19, 2005

I filed a complaint with OIPC, attention Morag Wilmut

"As requested in your letter of March 1, 2005 I sent a letter to Mount Saint Joseph Hospital (copy attached). I received a response from Providence Health Care (copy attached).

As you will note they waited until the 30 days were almost expired to write asking for more information. I consider this to be nothing more than a delaying tactic since the information is irrelevant. The form was not designed for me (unless I am being personally discriminated against). The form/questions are, I believe, generic and asked of everyone. There was a question regarding where they got my information they already had in the system, but again, this should be generic, ie where do they usually get this type of information.

I would also like to know why Providence Health Care wants to know my Canadian status, ie whether I am a Canadian citizen, landed immigrant, etc. I would like to think having a doctor's referral, and a health number to be sufficient.

Please ensure that these questions are answered. Otherwise, I will pursue this through different avenues (organizations who are already aware of my questions/process)."

April 21, 2005

I received a response from Ms. Sachedina.

"Your letter dated April 7th was received in my office April 19th, as it had not been addressed to my attention.

Providence Health Care does have a standard form for Admitting, and standard guidelines for gathering this information. Some information is mandatory under the Ministry of Health regulations and some information, such as Religion, is asked to enable Providence Health Care to care for individuals more sensitively. This question should not require a response should a person not wish to provide one.

Without your permission to release your name to the Admitting Department, the only follow up that this office can take is to advise the Admitting Department that Providence has received a complaint and provide the basic information in your letter (anything that would not identify the writer), and advise the department to follow up with all of their staff on their guidelines to ensure that questions are asked with sensitivity and awareness of how to explain the reasons for the questions asked. I will proceed to do this."

Comments:
Paragraph One: The letter had been addressed to the privacy officer so apparently their staff did not know the name of the privacy officer.

First of all, they had wanted to release my name to all departments, not just the admitting department. And, basically what they wanted to do was blame this situation on the admitting person, but my sense was that she was doing what she was told to do. The forms did not identify the questions as optional. And, even now, the privacy officer was refusing to state why these questions were asked. She didn't need my name to answer those and other questions. I found it interesting that they were asking their staff to ask these questions sensitively; I guess they want them to be asked sensitively so people don't get upset at being asked illegal questions.
I filed a complaint again with the OIPC.

April 25, 2005

Letter to Ms. Wilmut, OIPC

"Attached is a response that I received from Providence Health Care. Allowing Canada Post 2 days to deliver a letter locally, it is unfortunate that it took Providence Health Care 10 days to give the letter to the appropriate person (how many privacy officers do they have?) and that, during those 10 days, no one contacted me regarding a delay in response.

However, as you will note, with the exception of the religion question (where they agree that this question should not have been demanded), my questions have still not been answered. I can only wonder why they are refusing to explain why they ask the other questions and where they got my information from. Where do they usually get information on people. I would think that there could only be one or two sources where they would get personal information for their medical records.

This refusal to answer questions, even when asked directly several times, does not give me any confidence that they will encourage their departments to identify which questions are mandatory and which are optional. Again, I believe that this should be identified on the forms so there is no confusion."

May 11, 2005

Letter from OIPC, Morag Wilmut

"We have received your complaint that Mount Saint Joseph Hospital allegedly collected personal information in an inappropriate manner in violation of the Freedom of Information and Protection of Privacy Act (the Act). Your case has been opened as of April 22, 2005 and has been assigned to Patrick Egan, who will be the Portfolio Officer performing the preliminary investigation. By copy of this letter, I notify Mount Saint Joseph Hospital of the investigation and provide Mount Saint Joseph Hospital with a copy of your letter to this office.

Please address future correspondence to Patrick Egan who will be handling your complaint."

Comment:
In opening a file as of April 22, 2005, they cc'd Cindy Wong, FOI Coodinator, Mount Saint Joseph Hospital. I never heard her name again. Apparently, no one knows who the privacy officer is. However, in further correspondence they added FOI Coodinator to Ms. Sachedina title. Did they even have a privacy officer or did they appoint Ms. Sachedina as privacy officer after I wrote?

May 27, 2005

Letter to Patrick Egan, OIPC

"It has been 4 months since I wrote to the Privacy Commissioner regarding Providence Health Care (Mount Saint Joseph Hospital) and almost two months since I received your last letter from Morag Wilmut and still I am no further ahead than I was 4 months ago.

Why is this taking so long? Legally, an enterprise is suppose to have a valid reason, related to the transaction, for asking questions before they ask the questions. Why are you allowing them to spend months to come up with a reason to justify the questions? They should have been able to answer these questions immediately. Did you not set a time limit? Or do they have an indefinite time limit?

My doctor wants me to go to the hospital but, of course, I am hesitant to do so until this is resolved. Needless to say, if anything happens to me my lawyer will be involved.

I also phoned you on May 20th and left a message. I understood from your message that you would be out of the office under May 30th. However, I have never received a response. Please explain why.

If you can't set time limits, I will. If I don't have the answers to my questions by July 11, I will pursue this matter through other avenues, and this will include action against your inaction."

Comments:
I believe I put the wrong date on this letter. This letter must have gone out in June.

July 11, 2005

Letter from Patrick Egan, OIPC

"I am writing in response to your letter dated May 27, 2005. I apologize for the time it is taking to attempt to resolve your concerns and for not providing you with an update sooner.

Morag Wilmut's letter to you on May 11, 2005 indicated that your case was opened as of April 22, 2005, and it was assigned to me on May 11, 2005. In normal circumstances the Office of the Information and Privacy Commissioner attempts to investigate and resolve complaints within 120 working days. At this time I am working towards a deadline of October 14, 2005. I will, however, certainly try to complete my investigation sooner if possible.

My investigation, so far, has included:
- Reading the correspondence between yourself and Mount St. Joseph Hospital and Providence Health Care;
- Conversations with Ms. Zulie Sachedina, of Providence Health Care, about the admitting process; about the personal information collected during this process; about possible improvements to Providence's admission form; and about the nine questions you submitted to Mount Saint Joseph's Hospital in a letter dated March 11, 2005;
- Receiving copies of Mount St. Joseph's Record of Admission form and the registration system guidelines;
- Consultation with colleagues in this office about the general concerns you brought to our attention;
- Consultation with an Information and Privacy manager in the Vancouver Island Health Authority about what kinds of questions their hospitals ask.

My preliminary investigation leads me to believe that the outstanding issues are:
1. Determining which items of personal information being requested, for admission to Mount Saint Joseph Hospital, are mandatory and which ones are voluntary. The second part of this issue is an explanation for why this information is needed and then being able to communicate this clearly to patients.

During my conversations with Ms. Sachedina she made it clear to me Providence health care providers will not deny anyone medical treatment because of incomplete admission information. I encourage you to get medical care if and when you require it. I hope I have provided answers to some of your questions. I will continue working to attempt to resolve your remaining concerns."

Comments:
The degree of my anger to the last paragraph is obvious in my response.

July 16, 2005 (I had cooled down somewhat by now)

Letter to Mr. Egan, OIPC

"I was completely flabbergasted when I received your letter of July 11, 2005. In it you state that 'during my conversations with Ms. Sachedina she made it clear to me Providence health care providers will not deny anyone medical treatment because of incomplete information.' I am appalled at Ms. Sachedina and your arrogance at what I can only assume is an attempt to scam me, your ignorance and/or complete denial of the obvious. How can your resolve my concerns if you don't even know why the complaint was filed? Let me reiterate from my first letter. The whole basis for filing the complaint was because I was denied admittance to a hospital unless I answered all the questions, including the one regarding my religion.

I have already been told by my doctor's office that I will have to arrive at the hospital at least two hours in advance in order to fill out all the paperwork. I know, from experience, that if I refuse to fill out this paperwork that I will be denied admittance and that will be a waste of valuable hospital and my doctor's time, not to mention my time. If I could have received medical treatment without answering all the questions we wouldn't be going through this process. But you feel qualified to tell me that, what has happened, will not happen. Unbelievable.

I will not be going to the hospital until I am assured that my privacy, my rights will be respected and protected. I will not submit again to what I consider to be nothing less than blackmail.

I phoned you in May and left you a message on your answering machine, to which you did not respond when you returned on May 30. I asked you to add another question which is 'why does the hospital want to know my citizenship status.' This is a question on another form by a hospital administered by Providence Health Care. It asks if I am a citizen, landed immigrant, etc. Again, why is this question being asked? What has it to do with my health care? I want to know why this question, plus the questions asked, is being asked, how the information will be used and disclosed?

This actually leads to another question. Who designs the forms/questions for the hospitals? Does Providence Health Care or each individual hospital? Do I have to go through this process with each health care unit (or whatever they are called) or with each hospital?
Most forms that you fill out now have an asterisk beside those questions which are mandatory. Also many places now attach to a questionnaire a page (or more) explaining the reasons for the questions. This would seem an appropriate solution for the hospitals. When I was at the doctor's office and they asked me to fill out some forms for the hospital, they didn't know why some of the questions on the form were being asked. My understanding of the privacy law is that it is illegal to demand an answer to a question unless you can explain the purpose for the question and why the information is required to complete the transaction being undertaken.

I consider the hospitals to be essentially a government agency since they operate on taxpayer money. As such, these agencies should be the first to uphold the laws of this province and nation and the rights of its citizens, not abuse, not consider themselves above, these laws and rights. In addition, the government should be ensuring that organizations, funded by my and other citizens money, are operating in accordance with the law."

July 21, 2005

Response from Ms. Sachedina, Providence Health Care:

"As per your request, please find further and more comprehensive information related to your complaint. As you have continued to refuse to have your name released to those departments involved in your admission, there are some areas we cannot address fully.

I will attempt to respond to each of your questions in your original letter dated March 11, 2005.

1. Why are these questions asked? How does the hospital having this information relate to a simple outpatient procedure (or any procedure/stay)?
Providence Health Care (PHC) is a faith-based hospital whose mission encompasses the care of the whole person, including spiritual care. The registration clerks are instructed to ask clients would you like a religion noted on your health record? It is optional for the client to provide religion. If the client has any questions such as will not providing religion or not being catholic affect my care?, the clerk is to reassure the patient that spiritual care is a service provided by PHC should the patient desire it. If the patient were to request spiritual care during their stay, having their religion noted on the file permits PHC to provide spiritual care by the appropriate denomination as stipulated by the patient.

2. Why was I refused an answer when I asked why this information was required?
It was clearly inappropriate of the staff member to refuse this information when questioned. Given the restriction of releasing your name, we are unable to identify which staff member may have been involved in order to follow-up with them.

3. Who do they share this information with (names)?
Registration information is the basis of the health record and begins the care process. Demographic information is used to ensure client identity, i.e. that the right person is given the right treatment. It is kept for auditing purposes for eligibility by BC Hospital Programs. Finance may also use the information for billing if it is required. If the patient requests spiritual care, Pastoral Care will look at the religion and provide the appropriate caregiver. The encounter level information, insurance, next-of-kin, address, etc. is kept in the system approximately 20 months and visit information is maintained about two years.

4. I want this information deleted from every database or other recorded place.
The only place that the religion is recorded is in the Eclipsys ADT Database which forms the basis of the clinical repository/health record. Religion does not go to another database. If the client does not want religion noted on his/her electronic or paper chart it can be deleted (if in fact it was collected). By law, Health Records must be retained forever in some form. (Attached are relevant sections of the BC Hospital Act).

5. They already had information on me in their data base although I don't recall ever being in their hospital. Where did this information come from?

PHC has one data base for all of it's member hospitals: Youville Residential Home, Langara Residential Hospital, Brock Fahrni Pavilion, Holy Family Hospital, St. Vincent's Hospital, Mount St. Joseph's Hospital, and St. Paul's Hospital. We also register all the satellite hemodialysis clinics: Cambie Street, Sechelt, Powell River, North Shore, Squamish, and Richmond. PHC has a variety of out-reach services: Geriatric Outreach Clinic, occupational therapy, etc. External electrodiagnostic tests have person-related information attached. Almost every patient that receives service at PHC is registered. Given the limitations on releasing your name, we cannot do a search to determine whether you were ever seen at one of our sites in the past.

6. The length of time at my current residence is not noted on the form. So obviously it wasn't even necessary to fill out the form. So, again why was it asked?

This information is required under the Ministry of Health and Ministry Responsible for Seniors (Hospital Programs Division Policy Manual) Chapter 2 Eligibility and Benefits, Section 2.2 Eligibility, subsection 2.2.1 Determining Eligibility. The wording of the policy follows below for your information.
Policy
In determining whether a person is a beneficiary a hospital must determine if a person is a resident, where a resident is either:
...is physically present in British Columbia at least six months in a calendar year
If the client told the registration clerk that s/he resided at their current address greater than six months nothing has to be noted in the chart.

7. When did they start asking these questions because I don't recall ever being asked these questions in the past?

The requirements to register and to confirm that an individual is a beneficiary have been in place since before 1979.

8. Why aren't people informed why these questions are being asked, and which questions are optional?

Centralized training for all registration staff is provided by the Client Registration and Information Services (CRIS) staff. The registration clerks are instructed on what information is to be collected and the reasons. CRIS also sends out regular reminders to staff and keeps an accessible manual with all the procedures. It is an expectation that the clerk would answer all questions regarding the information collected. Additionally, there is Help Desk support for all registration clerks Monday to Friday to obtain an answer to any question they may have. As well, Patient Placement, during the off hours, plays a support role for clerks regarding the collection of information. Since the incident in question took place with a day procedure, the clerk had multiple individuals they could have contacted to assist them with the questions if they could not answer them.

9. There were two pages related to being admitted and I was only given a copy of page 1. Why wasn't I given a copy of Page 2?

There is only one form printed off with an extra copy. One copy is for the Health Record. The other copy is shredded unless required by either Emergency, who keep records for three months so they can pull up the chart on return patients very quickly, or for out-of-province, non-residents, and self paying patients where copies are sent to Finance.

I hope that the above answers adequately respond to your questions. In case you are not aware, patients do have the right to access their full health records via Health Records."

Comments:
Again, Ms. Sachedina states that I have refused to have my name released to those departments involved in my admission. Actually, she asked to release my name to all departments involved in my health care, which is quite different from releasing my name to admissions. But then again, she uses the plural form of department, which begs the question, just how many departments are involved in an admission. Also, I did not outright refuse but I did make permission conditional. Apparently, only unconditional permission was acceptable.

Note that in responses 1, 2 and 8 Ms. Sachedina blames the staff for not providing answers while she continues to do the same. While she addresses why religion is asked, she does not explain why the questions of employer and occupation were asked.

July 26, 2005

Response from Patrick Egan:

"I will attempt to answer the questions you pose. I asked Ms. Sachedina for assistance in answering these questions.

1. Why does the hospital want to know my citizenship status?
I believe a person's citizenship status has less to do with direct health care and more to do with the administrative functions necessary to make sure the hospital is getting reimbursed for the services it provides to its patients.

My understanding is that in order for a hospital to be reimbursed, by the provincial government, for the cost of a patient's visit it must first verify that the patient is eligible for health insurance. One of the criteria for eligibility is being a resident. The hospital must verify that the patient is a resident of Canada, makes their home in BC and has been physically residing in BC for the past six months. Ms. Sachedina's July 21 letter may also help to explain this.

2. Who designs the forms/questions for the hospitals? Does Providence Health Care or each individual hospital?
According to Ms. Sachedina the forms are designed by individual hospitals with input from the Health Authority and the Ministry of Health Services. In addition, a hospital Forms Committee reviews all the forms used in the hospital including the admitting form. Ms. Sachedina expects that as time goes on the forms will be more uniform across the province.

The second part of my investigation into your complaint is to continue to explore this question and other broader questions about what information is legally required to be collected and how best to collect it so the patients understand why it is being collected and what it will be used for.

Thank you for your suggestions. I believe some hospitals may already be using pamphlets to explain the information collecting procedures.

3. Do I have to go through this process with each health care unit or with each hospital?

I believe there is some kind of admitting process each time but I am not sure if it is the same each time. Ms. Sachedina says the process may be quicker if you attend the same hospital more than one time because some of the information is now stored in their data systems. However, some information must still be collected again. Ms. Sachedina explained that the admitting process is meant to accomplish a number of objectives. These include verifying that they have the right person so the correct records and treatment plan can be retrieved, updating any new information (address, next of kin, etc) and confirming insurance coverage."

July 30, 2005

My response to Patrick Egan:

"1. Citizenship Status & reimbursement for services

I notice on one form that the question is actually broken down into several parts. Are you: a BC Resident, Canadian Citizen, Landed Immigrant, Visa, Refugee. Again, why are they asking these questions? Are all of these people issued health care cards?

What is the purpose of a health care card? Can anyone obtain a health care card?
It is my understanding that the purpose of a health care card number is to show that someone is covered and doctors/hospitals, etc. will be reimbursed for medical services. When I have gone to my doctor, to other places for tests, etc. I have not been asked a question regarding my citizenship or residence, although I am sure that these people are equally interested in being paid. Obviously they consider my health card number sufficient.

2. Length of Time at Current Residence

The question I was asked as how long had I lived at my current residence, not have I resided in Canada for the last 6 plus months. I may have lived at my current residence for 2 months, having moved from another Canadian residence. So the question asked is at odds with the supposed purpose related to the transaction at hand.

Again, like the citizenship question above, I believe that this question is illegal.

3. I notice that both you and Ms. Sachedina neglected to answer the questions:
a. Why was I asked my occupation?
b. Why was I asked for the name of my employer?

You state that 'the second part of my investigation into your complaint is to continue this question and other broader questions about what information is legally required to be collected and how best to collect it so the patients understand why it is being collected and what it will be used for'. How long do you anticipate this taking. As stated before, my doctor wants me to go to the hospital but I refuse until this is resolved. So I need to have resolved the question of what questions can legally be asked and to have all information illegally obtained removed from the hospital records. Only then will I feel comfortable going to the hospital."

Comments:
At this time I did not realize that the hospital had omitted information when explaining who had access to patient information (see letter of July 21, 2005).

August 15, 2005

Response from Patrick Egan:

"During my investigation I will be looking for the answers to some of the questions you ask in your letter. For example, your questions about citizenship, residency, occupation and employer are important and they are included in my investigation.

With respect to your questions about the BC CareCard I refer you to the Health Insurance BC web site at http://www.hibc.gov.bc.ca/ where you may find the answers you are looking for. If you wish to call them their phone numbers are 604-683-7151 or (toll-free) 1-800-663-7100. I am not sufficiently informed, at this time, to accurately answer your questions about the CareCard.

I respect your need to know what information health care providers can legally collect from you as soon as possible. At this time I am not able to give you a specific date when my investigation will be complete. However, I continue to give this investigation my full attention."

September 27, 2005

Letter to George Abbott, Provincial Minister of Health

"On February 18, 2005 I went to St. Joseph's Hospital for a 10 minute procedure. I was asked questions such as my religion, my occupation, my employer and how long I had lived at my current address. I was refused entry to the hospital unless I provided the information. And I was refused an explanation as to why they wanted the information. I know that some, if not all, of these questions contravene the Privacy Act. I believe that the question about my religion also contravenes the Charter of Rights.

I filed a complaint with the privacy Commissioner in February but I was told that because it was a public body I had to lay a complaint with the hospital first; actually, I thought I did that when I told the admitting person that I didn't want to answer the questions. So I wrote a formal complaint to the hospital, who then took the maximum amount of time to not answer the questions. Then I wrote again to the Privacy Commissioner.

So now it is seven months later, I am no further ahead and my doctor wanted me to go to the hospital several months ago (of course, I must arrive 2 hours early to fill out all the papers). But I refused unless I am assured that my rights, my privacy were protected. I will not submit again to what I felt was blackmail. Of course, I had not anticipated that resolving this situation would take so long. The Privacy Commissioner's office had said that they would try to resolve things quickly.

I also realize that even when the Privacy Commissioner provides their determination that I may have to take this matter further. After seven months Providence Health Care is still refusing to even explain why they want the information and the Privacy Commissioner does not seem to have the ability or desire to insist that Providence answer the questions.

I would like to know:
1. Why the Ministry of Health did not ensure that hospitals/doctors, etc. were in compliance with the Privacy Act before providing funding? You have had more than 2 years to do this. I feel that I am being put in the uncomfortable position of doing your job.

When a person goes to the hospital, they are at their most vulnerable. It is not the time to find out that the government has failed to protect their rights.

2. I would like to know why a complaint must first be formally sent to a public body; why the special status. This is a health issue and delays can be physically and emotionally costly.
To add insult to injury, your American MSP collector is demanding that I pay for services that are currently unavailable to me. "

October 19, 2005

Letter to Patrick Egan:

"Your deadline for resolving this case was October 14, 2005. This has not happened and I have not heard from you for several months. I find this absolutely appalling. It has been 8 months since I first filed a complaint. Determining what questions an organization has the legal right to demand is not rocket science. And this is affecting my health.

This weekend I will proceed to pursue this through other avenues."

November 8, 2005

Since Providence Health Care is a catholic organization I wrote a letter to the Pope explaining the situation. He didn't care to respond. Perhaps this explains Providence Health Care's attitude.

October 26, 2005

Response from Patrick Egan:

"Thank you for your letter dated October 19, 2005. I apologize again for the length of time this investigation is taking. I am, in fact, in the process of writing my investigation report in response to your complaint.

Unfortunately, it has not been a simple process to determine what information must be collected and what information is voluntarily collected during a hospital admitting process. A survey of BC hospitals reveals every admitting form is different and there does not appear to be one person or government department who is able to say what has to be on the admitting form and what does not have to be on it. I have submitted a list of questions to a newly formed committee that is looking at privacy issues in the health care field and I am now awaiting their response before I finish my report. I hope to have my report completed as quickly as possible."

November 23, 2005

Letter from Patrick Egan:

"Thank you for your letter dated November 5, 2005. I am writing to inform you that I have completed my investigation into your complaint. Our Director of Policy and Compliance is now reviewing my investigation report. When the review is complete and any revisions are made I will mail it to you. I anticipate I will be able to mail it to you late next week.

I apologize for the length of time this investigation is taking. I appreciate your patience."

November 29, 2005

A letter from Effie Henry, Executive Director, Health Authority Branch, in response to a letter I sent George Abbott, Minister of Health on September 27, 2005:

"Thank you for your letter of September 27, 2005, to the Minister of Health about providing pre-admission information at Mount Saint Joseph Hospital. I am responding on behalf of the Minister.

I appreciate your concerns about being asked to provide specific information (such as your religion, occupation and employer) prior to your admission to Mount Saint Joseph hospital.

In your letter you ask whether the Ministry of Health ensures hospitals and doctors comply with the Freedom of Information and Protection of Privacy Act (FOIPPA). Secondly, you ask why the Office of the Information and Privacy Commissioner (OIPC) asked that you first send a complaint to the public body before filing a complaint with the OIPC.

Health authorities and hospitals are separate public bodies under FOIPPA and, as such, are independent from the Ministry in respect to complying with privacy requirements of the Act. The OIPC, as the overseeing body, is responsible for ensuring compliance with the FOIPP Act.
The Ministry is not in a position to comment on the OIPC process for dealing with complaints. I note that you have already been in contact with the OIPC, and I suggest that you continue to work directly with them to address your concerns.

As Providence Health Care is responsible for Mount Saint Joseph Hospital, I have forwarded a copy of your letter for their information."

Comment:
My understanding is that OIPC does not have the authority to force the hospitals or health authorities to comply with FOIPPA. They can only recommend. The Ministry of Health is not responsible (What are they responsible for?). We are paying these hospitals out of our tax dollars and yet no one can require that the hospitals/health authorities operate in accordance with FOIPPA.

December 1, 2005

Letter to George Abbott (this letter and the Nov. 29 letter from the Ministry of Health crossed the mail)

"I wrote to you on September 27, 2005 regarding Providence Health Care. I have not received a response and, based on information from your staff, I'm not likely to receive a reply. If you wish to show your contempt for the democratic rights of citizens, there are no direct actions that I can take. However, we shall see if you can show such disdain for my legal rights.

I don't believe that you have the legal right to charge me under MSP for services that I could not utilize because you were in violation of the Privacy Act. I want all monies paid returned and no additional amounts charged, covering the period February 24, 2005, when I first laid a complaint under the Privacy Act, to such time as the complaint is fully resolved and I can, once again, access medical services.

You have 30 days to comply. Otherwise, I will probably see you in court."

December 15, 2005

Letter from Patrick Egan:

"I regret to inform you that unavoidable delays have prevented me from sendng you my final report. I had hoped to have it mailed to you by now. The report is finished and is taking some time going through our review process. I assure you that as soon as it has been through its final review I will send it to you."

December 16, 2005

I e-mailed Gordon Campbell essentially the same letter that I sent to George Abbott on September 27, 2005.

December 21, 2005

E-mail from Gordon Campbell's office:

"Thank you for your e-mail regarding your February 18, 2005 visit to St. Joseph's Hospital. I'm sorry to hear it was such as frustrating experience for you.

My staff has made enquiries on your behalf and I understand Effie Henry, Executive Director of the Health Authority Branch responded to you on November 29 of this year.

I am sharing your latest e-mail with the Minister of Health Services, the Honourable George Abbott. I can assure you that he, or a member of his staff, will respond to your questions directly."

Comment:
Again, no one is responsible.

December 21, 2005

My response to Gordon Campbell's e-mail:

"I contacted George Abbott, Minister of Health & Effie Henry did reply on his behalf. They stated that the 'Health Authorities & hospitals are separate public bodies under FOIPPA and, as such, are independent from the Ministry in respect to complying with private requirements of the Act. The OIPC, as the overseeing body, is responsible for ensuring compliance with FOIPP Act.' So, I don't know why you would refer this back to them.

Now, my understanding of the Privacy Commissioner's office is that they respond to complaints, they do not go to each government body and review their privacy practices to ensure compliance before a complaint is laid. However, I may be wrong.

But I am not playing the 'this is not my responsibility, it's someone else's, and someone else says it's not my responsibility, it's someone else's and so on' game. Ultimately, Gordon Campbell is responsible and it is his name or the government of BC (Gordon Campbell) that will go on any legal action.

You may also wish to know how difficult it is to contact the Minister of Health. Apparently, they don't have an answering machine or voice mail. They just have one person to answer the phone and if that person is away from the phone, or whatever, the phone just rings. On the first occasion that I tried to contact the office by phone, the phone just rang, so the operator contacted the Deputy Minister of Health to see if there was a problem, the Deputy was able to contact the Minister's office and then the Deputy contacted the operator and said she could get through now. The second time I tried to contact the office, the operator, just said that the line was busy (which I assume probably mean't 'not answering') and to try again later."

January 3, 2006

Final Report by Patrick Egan:

"This letter is in response to your complaint, submitted to our office by letter dated April 19, 2005, that Mount Saint Joseph Hospital ('MSJH) contravened the Freedom of Information and Protection of Privacy act ('FIPPA'). I have been assigned to investigate this matter. In accordance with s. 40 of FIPPA, the Commissioner has delegated the authority to me under s. 42(2) of the Act to investigate the complaint. In conducting this investigation, I am exercising the delegated power to investigate, make findings and dispose of the complaint.

[A summary of events that lead to this report was inserted here].

Issue 1: Does MSJH have the authority, under section 26 of FIPPA, to collect personal information about a patient's citizenship, residency, religion, occupation and employer?

Legislation:
FIPPA governs the collection, use and disclosure of personal information by a hospital. The sections of FIPPA relevant to the collection of personal information are included below:

Purpose for which personal information may be collected
26 No personal information may be collected by or for a public body unless
(a) the collection of that information is expressly authorized by or under an Act,
(b) that information is collected for the purposes of law enforcement, or
(c) that information relates directly to and is necessary for an operating program or activity of the public body.

Other legislation that is relevant to the collection of personal information during the admitting process includes the Hospital Act, the Hospital Insurance Act and the Medicare Protection Act.

The Hospital Act states that certain personal information must be collected by the hospital when a patient is registered. The relevant section is copied here:

Register of patients
18 (1) The licensee of a hospital must keep at the hospital a register of patients in a form prescribed by the chief inspector, in which the licensee must enter the following:
(a) the full name, age and usual address of every patient, the date of the patient's admission to the hospital and the name and address of the patient's next of kin;
(b) the name of the practitioner attending each patient;
(c) the date on which each patient is discharged from the hospital, or, in the event of the death of a patient in the hospital, the date of the patient's death;
(d) other particulars prescribed by the chief inspector.

The Hospital Insurance Act states that only beneficiaries are eligible for the general hospital services provided for in this legislation.

The Medicare Protection Act defines who may be a beneficiary. A beneficiary is a resident who is properly enrolled in the Medical Services Plan (MSP) under this legislation. The Medicare Protection Act also defines the criteria for being a resident. The definition is provided below:

resident means a person who
(a) is a citizen of Canada or is lawfully admitted to Canada for permanent residence,
(b) makes his or her home in British Columbia, and
(c) is physically present in British Columbia at least 6 months in a calendar year, and includes a person who is deemed under the regulations to be a resident but does not include a tourist or visitor to British Columbia;

Discussion
According to FIPPA, there are only three circumstances under which personal information can be collected by public bodies. Section 26 of FIPPA states there must be legislation permitting collection, the collection of personal information is necessary for an operating program or activity, or the information is collected for law enforcement purposes.

Collecting personal information during the hospital's admitting process cannot be considered collection for law enforcement purposes. Therefore, under FIPPA, hospitals can only collect personal information when authorized by other legislation or when the information is necessary to run a hospital program or activity. The Hospital Act authorizes the MSJH to collect the full names, ages, addresses of patients as well as the names and addresses of their next of kin. Health care is the central program of a hospital and personal health information is gathered because it is necessary to provide health care. A related operating program is the payment for health care. In order to get paid for the services they provide, it is necessary for hospital's to collect personal information from patients to determine who is going to pay for these services.

Residency and Citizenship Status
The Ministry of Health and British Columbia Medical Services Plan (MSP) pays hospitals for the medical services they provide to provincially insured patients. A significant portion of a hospital's health care funding is paid through block funding provided by the Ministry of Health. This pays for hospital services provided primarily to inpatients that are insured under MSP. As its name implies, this funding is provided in a block and the hospital does not need to account for every single patient or procedure. Other funding originates from the daycare or outpatient services that are usually paid for by MSP on a billing and reimbursement basis, which must account for every patient service and procedure. When an inpatient or outpatient carries private insurance or is insured by another organization, the Workers Compensation Board (WCB) for example, the hospital will recover the health care costs from that insurer.

Hospitals are responsible for making sure they have identified the proper person and for ensuring that person qualifies to be a beneficiary of MSP or some other insurance plan. Currently, the interface between hospital systems and the MSP systems does not allow the hospitals to confirm a patient's MSP coverage electronically. To determine if a patient meets BC's residency requirements, the hospital has to determine that the patient meets all three criteria for the definition of a resident as presented in the above definition. The hospital must determine that the patient is a citizen or is lawfully admitted to Canada for permanent residence, that if they just moved to BC, that they have resided in BC for at least three months and that, as a BC resident, they have been present in BC for at least six months in a calendar year. This would include asking questions about an individual's citizenship, current address, length of residence at current address and previous addresses if the individual has lived less than six months at their current address.

On the evidence before me, I find that MSJH was authorized by section 26 of FIPPA to collect personal information about your citizenship and residency status.

Religion
Many hospitals run pastoral care programs. Providence Health Care states that it is a faith based-institution with a connection to the Catholic Church and that their health care facilities provide pastoral care on a voluntary basis. Providence's web site indicates that MSJH does run a pastoral care program and explains the services the program provides. MSJH states that a patient's religion is only collected with the voluntary consent of the patient. According to a copy of a Providence memo, dated April 28, 2005, Providence advises staff to ask the question in this way: Would you like your religion noted on your chart?

You have complained that this was not the question you were asked, that it was not presented to you as a voluntary choice and that you were not provided with an explanation of why it was needed.

Part of my investigation into this matter involved talking to other hospitals and health authorities about their handling of the collection of religious information. Vancouver Island Health Authority, for example, is in the process of revising their registration and admitting process to ensure it conforms to FIPPA. They recognize that spiritual or pastoral care is an important element of good health for some people. Rather than rule out the collection of religious information, they are changing how they ask the question. They now ask patients during registration if they would like their name added to a list that will be given to visitors from their faith-group and/or the hospital chaplain. If the patient says no the questioning stops there. If the patient says yes then the patient's religion is recorded. This process not only allows the patient to be informed about, and consent to, the collection of their personal information, it also informs the patient about how their personal information will be used and disclosed to others.

The Office of the Information and Privacy Commissioner has, in the past, commented on the collection and use of religious information by hospitals or care facilities. Excerpts from two case file summaries are provided below. The full file summaries can be viewed online by navigating to the Office of the Information and Privacy Commissioner's website (www.oipc.bc.ca) and navigating to the 1996/1997 and 1999/2000 Annual Reports.

In 1996, a chaplain at a hospital complained to the Commissioner that her hospital did not ask for a patient's religion upon admission to the hospital.
With respect to the collection of information about a patient's religion, the Office advised the chaplain that the issue for a hospital is whether the information is directly related to, and necessary for, the hospital providing health care or determining a patient's eligibility for benefits to cover the cost of the hospital stay. The Office clarified that, in the case of religious information, the purpose of the collection is for pastoral visits. In short, the hospital does not have a need-to-know this information, except to assist a member of the pastoral care team to visit a patient. Therefore, religious information may appropriately be collected only where a patient has clearly expressed a wish to see a member of the pastoral care team.

The Office also advised the chaplain that her right to access a hospital's list of patients was covered under the same principle. When patients provide their names and addresses to the hospital for the purpose of the provision of health care or administration of health care benefits, they would not reasonably expect that this information would be disclosed by the hospital to a member of the pastoral team when they have not indicated their desire for this to happen. The Office emphasized that it is the Commissioner's view that when a patient indicates a desire for a pastoral visit, it is appropriate for the hospital to release the name, religion, and perhaps address (in order to determine the suitable person to visit) and location of the patient in the hospital to the appropriate member of the pastoral team. In addition, some hospitals have taken the proactive step of having cards available at bedside for patients to request a visit.

In 2000, pastoral care providers and the managers of patients' records at some long term care facilities found themselves in a dispute over the release of patient information. Pastoral care providers were asking for routine access to patient files to set up visits with patients of their respective denominations.

The first issue that needed to be addressed was the automatic collection of patient's religious affiliation. According to the patient records manager, the only reason that this information is required is if the patient is interested in receiving pastoral care services. One of the key principles of privacy protection is to only collect that information which is necessary to the task. In this instance, asking the patient if they would like to receive pastoral care is the first step. Then if they answer, yes they can disclose what religious denomination they wish to receive a visit from. The pastoral care department would only receive the lists of those who positively identified a wish to access pastoral care. Those who did not wish to have this service would have their privacy protected.

In the long-term care setting, it was determined that the inclusion of a 'pastoral care consent form' in the admission package would be the most effective way to collect the necessary information. This form would contain all of the necessary details for the pastoral care provider on the condition of patient consent. The consent would be voluntary, and the information provided by the patient would be related only to their spiritual needs as opposed to their clinical needs. Pastoral care providers expressed concern that some patients may answer no and then change their minds at a later date, so the consent form was drafted to clearly state that a patient may consent to pastoral care at any time, and can do so by contacting the pastoral care office or by making an anonymous request.

Another issue that arose was the provision of the entire list of those patients seeking pastoral care to each provider. This again was determined to be more information than each individual group needed to have and an invasion of the privacy of those seeking the service. It was suggested each denomination should only receive the list of patients that were seeking pastoral care from that denomination. This was accomplished by establishing an honour based system of colour coded files that could be accessed by clergy and volunteers. Although it would have been more ideal to have the lists under lock and key or available only through a staff member these options were impractical in a situation where the information may be needed at any hour of the day by a wide range of individuals.

Pastoral care is clearly a legitimate program provided by hospitals. Under Section 26 of FIPPA, hospitals are authorized to collect information that is related to and is necessary to operate a pastoral care program. In order to operate this program hospitals must first determine if the patient wants to participate. Only when that question has been answered in the affirmative should the patient be asked if they want their religion noted on their chart. MSJH's question is a prompt for further discussion about pastoral care but it is not the correct question to start with. As the Commissioner's Office has suggested above, asking the patient if they want pastoral care may be more appropriate question than the one MSJH currently uses. A question such as this would also satisfy the hospital's obligation to inform the patient how the information will be used and who it will be disclosed to.

Based on the information above, I find that MSJH did not comply with section 26 of FIPPA when the admitting clerk requested the name of your religion.

Occupation
Providence Health Care, in response to this complaint, issued a memo, dated April 28, 2005, to registration staff about questions that may be sensitive for patients. These questions included requests for an individual's occupation and employer. The memo indicates that this information is required to substantiate the individual's eligibility for hospital benefits. My research into the reasons why an individual's occupation was required led me to find it is not necessary for a hospital to collect information about an individual's occupation.

VIHA indicated that if an individual presented a valid WCB claim number to them they would have no reason to collect additional information about the workplace. In cases where a workplace injury is presented and the WCB is not yet involved, the hospital would collect information about the accident, the employee's Social Insurance Number and the employer's name, address and postal code. If the individual wanted to make a WCB claim, the hospital would provide them with a WCB form to fill out. VIHA no longer collects information about occupations.

Based on the information above, I find that MSJH was not authorized by section 26 of FIPPA to collect personal information about your occupation.

Employer
My investigation into the reasons why information about an individual's employer was required led me to find it is not necessary for a hospital to collect this information unless the patient is being admitted for a work related injury or illness. In that case WCB may be the insurer and additional information about the patient's employer might have to be collected. If the reason for admitting has nothing to do with the workplace, there is no reason to collect employer information.

VIHA indicated that if an individual presented a valid WCB claim number to them they would have no reason to collect additional information about the workplace. In cases where a workplace injury is presented and the WCB is not yet involved, the hospital would collect information about the accident, the employee's Social Insurance Number and the employer's name, address and postal code. If the individual wanted to make a WCB claim, the hospital would provide them with a WCB form to fill out. VIHA no longer collects information about occupations.

Based on the information above, I find that MSJH was not authorized by section 26 of FIPPA to collect personal information about your occupation.

Employer
My investigation into the reasons why information about an individual's employer was required led me to find it is not necessary for a hospital to collect this information unless the patient is being admitted for a work related injury or illness. In that case WCB may be the insurer and additional information about the patient's employer might have to be collected. If the reason for admitting has nothing to do with the workplace, there is no reason to collect employer information.

VIHA indicated that if a patient presented a valid WCB claim number to them they would have no reason to collect additional information about the employer or workplace. In cases where a workplace injury is presented and the WCB is not yet involved, the hospital would collect information about the accident, the employee's Social Insurance Number and the employer's name, address and postal code. If the patient wishes to make a WCB claim the hospital provides them with a WCB form to fill out.

Based on the information above, I find that MSJH was not authorized by section 26 of FIPPA to collect personal information about your employer.

ISSUE 2: Does the MSJH have an obligation, under section 27(2)(a)(b) and (c) of FIPPA, to explain to a patient why personal information is being collected?

Legislation
FIPPA recognizes the individual's right to know and understand why personal information is being collected and how it will be used. Public bodies have an obligation to provide this information to enable individuals to make informed decisions when asked to provide personal information. Section 27(2) of FIPPA states:
How personal information is to be collected
27 (2) A public body must ensure that an individual from whom it collects personal information or causes personal information to be collected is told
(a) the purpose for collecting it
(b) the legal authority for collecting it, and
(c) the title, business address and business telephone number of an officer or employee of the public body who can answer the individual's questions about the collection.

Discussion
One of the questions you asked our office was why the admitting clerk at MSJH was not able to answer your questions about why certain personal information was being requested. Section 27(2) of FIPPA, quoted above, states that when a public body collects personal information from an individual they must tell the individual why the information is being collected and what it will be used for and with whom it will be shared. They must also inform the individual under what authority they are collecting the information. Finally, they must also provide the contact information for an officer of the public body who can answer the individual's questions about privacy and access. You stated that the admitting clerk at MSJH did not provide this information to you when you requested it.

Both the Vancouver Coastal Health Authority and the Vancouver Island Health Authority post their privacy statements at admitting points so they are easily accessible to incoming patients. These privacy statements include why information is being collected, how it will be used, who it may be shared with and under what authority it is being collected. Both statements indicate that information is primarily being collected to provide the best health care and for determining eligibility for health insurance benefits. They also provide contact information if further information is required. MSJH did not have posters or brochures available in the hospital to provide this information.

I note that MSJH has not been able to respond to this particular aspect of your complaint because you declined to allow MSJH to disclose your name to allow them them to determine which admitting clerk was involved in your registration. I am not able to fully investigate this part of your complaint without disclosing your name.

Based on the above, I am unable to determine whether MSJH complied with section 27(2). I have, however, provided MSJH with recommendations with respect to providing notice to patients.

Summary of Findings
I find that MSJH was authorized by section 26 of FIPPA to collect personal information about your residency and citizenship status.

I find that MSJH did not comply with section 26 of FIPPA when the admitting clerk requested the name of your religion.

I find that MSJH was not authorized by section 26 of FIPPA to collect personal information about your occupation.

I find that MSJH was not authorized by section 26 of FIPPA to collect personal information about your occupation.

I make no finding with respect to MSJH's compliance with section 27(2).

Recommendations
I recommend that MSJH review their practice of collecting information about a patient's religion and ensure their policies are compliant with FIPPA. I recommend MSJH modify their existing process by first asking patients if they want pastoral care and then providing individuals with enough information to allow them to understand how their personal religious information would be used and disclosed. A consent form would provide additional information and clarity about the program.

I recommend that MSJH stop their practice of collecting information about their patients' occupation.

I recommend that MSJH review their practice of collecting information about their patients' employer. Their policy and procedures need to clarify the narrow set of circumstances in which employer information can be collected.

I recommend that MSJH makes certain that staff who are collecting personal information are aware of MSJH's obligations under section 27(2) of FIPPA.

I recommend that MSJH create posters and brochures that provide information about:
- the purpose for collecting personal information;
- the authority to collect personal information; and
- the contact information of a MSJH employee who can answer questions about the collection and use of information.
The posters can be displayed at points visible to patients being registered or admitted. The brochures should be handed directly to patients.

Conclusion
I have talked to Ms. Sachedina about these findings and recommendations. Ms. Sachedina has stated that MSJH is using your complaint to create a learning opportunity and has agreed to make the following improvements:
1. Notification statements and brochures will be ready for use in January 2006.
2. MSJH will provide a comprehensive refresher course on privacy issues for admitting staff in January 2006.
3. MSJH will no longer ask questions related to employment and occupation; and
4. MSJH will follow my recommendations when asking questions about religion.

Based on MSJH's response it is my opinion that all outstanding matters have been resolved. Our purpose in enforcing FIPPA is not to impose penalties but to ensure public bodies understand their obligations under FIPPA and to ensure, when necessary, that public bodies change their practices so that they conform to FIPPA. Your complaint file is now closed.

Please call me at (250) 356-2529 before January 18, 2006 if you have any questions or comments on this report. I will inform MSJH of this result with a version of this letter with your identifying information removed.

Comments:
Under religion you will note that the memo advising staff how to ask the question, was dated after my complaint to the hospital and OIPC.

Under discussion, Issue 2, 3rd paragraph, you may note from previous correspondence that I made the disclosure of my name conditional. Conditions which MSJH did not want to meet. But then OIPC just took Ms. Sachedina's word and never discussed the matter with me.

Under Religion - When patients provide their names and addresses to the hospital for the purpose of the provision of health care or administration of health care benefits, they would not reasonably expect that this information would be disclosed by the hospital to a member of the pastoral team when they have not indicated their desire for this to happen. Yet this is still happening. Pastors still have access to the database with everyone's information. Vancouver Island Health Authority's method of providing a list to a pastor of those patients requesting his/her services protects patients privacy. Why isn't Providence Health Care required to implement the same procedure? Why does Providence Health Care allow pastors access to databases with all patients complete information?

Under discussion, Issue 2, 1st paragraph, it states a public body...must tell an individual why the information is being collected, what it will be used for and with whom it will be shared. This is interpreted so generally, by both the hospitals and OIPC, as to apply to almost anything and anyone and therefore is virtually useless. If it were interpreted more specifically, hospitals would be required to state, in more detail, who has access, why and how much.

Under discussion, Issue 2, 4th paragraph, I appreciate the fact that OIPC will not disclose my name. But the fact that I am obligated to contact the public body and give them an 'opportunity to respond to and attempt to resolve the issue', makes this point pretty much a facade. I think, in the majority of cases, the public body can figure out who laid the complaint by reviewing who has recently contacted them about that particular issue.

Again, the idea of enforcing FIPPA is deceptive because, my understanding, is that OIPC has no powers to enforce.

Also, OIPC does not penalize the public body, which, of course, is why they have no reason to proactively conform to the Act (the hospital has had 13 years to comply, and Ms. Sachedina is a lawyer). After all, nothing will happen to them if they are found guilty . In the meantime, people, like me, are penalized by the whole process. For 13 years they have been collecting information illegally.

January 8, 2005

My response to Patrick Egan, OICP

"While I disagree with a few of the statements that were made in the report, I am please that it is finally completed and that changes will be made. And, I do recognize the research that you have done.

But, I am appalled that Ms. Sachedina would blow this off as a learning experience. I would probably have agreed if this had been resolved a year ago. But, in my opinion, Providence Health Care made every effort to avoid compliance. Now, I can't begin to express my disgust, my contempt for the individuals, the faith, the god, that would put the collection of information (that, in my opinion, any reasonable person would know to be illegal) ahead of the health and welfare of a human being.

Now, by cc of this letter to Ms. Sachedina, I want all information removed from my files, in Providence Health Care hospitals, that does not conform with the law. I expect to be notified when this has been done.

Also, if I say "No" to pastoral care, are my personal records kept in a place inaccessible to anyone but medical staff?

Also, this file may not be completely closed as I have given the province (ie. Gordon Campbell) until this week to refund my MSP payments for the period when I was unable to access hospital care because the hospitals were in violation of the law, or I will be looking at legal action. So, you may be required to provide information.

I also hope that you plan to ensure that all hospitals, doctors, etc. are in compliance with the Privacy Act. My understanding of the Privacy Act is that an organization is suppose to be in compliance with the Act as of January 1, 2004. Plus, I was disappointed that I was not given any information on the committee looking into health care privacy.

Thank you again for the work you have done on this complaint."

Comment:
I confused the implementation of PIPA (January 1, 2004) with FOIPPA which is October 4, 1993.

January 19, 2006
Response from Ms. Sachedina.

"I am in receipt of a copy of your letter to Mr. Patrick Egan, Office of the Information and Privacy Commissioner.

I note that your letter requests the removal of information that does not conform with the law. Accordingly I have instructed, and can confirm, that the following information has been removed from the electronic system and from the registration information on your paper patient record.
1. Reference to your religion.
2. Reference to your occupation.
3. Reference to your employer.

Since changes to patient records require explanation, a copy of Mr. Egan's report, your letter dated January 8, 2006 and this response will be placed on your patient record to serve as the explanation for the changes to your patient record. I trust that this will meet with your approval.

I am aware that you are not satisfied with our response to your complaint. I had very much hoped to address your concerns with the specific clerk involved in your admission. However, in light of your refusal to consent to the disclosure of your name, this course of action was not possible. I do want to take this opportunity to acknowledge that your complaint has prompted a general review our processes and we have implemented the changes recommended by Mr. Egan."

January 23, 2006

Letter to Ms. Sachedina.

"You really amaze me. You write me a letter, again blaming the clerk and me for the lack of a speedy resolution to my case, completely ignoring the fact that your hospital, your organization were in violation of the law and you refused to do anything about it until the report came out. And, what, you think I'm going to buy into in? You know the only person you are really demeaning is yourself and your organziation when you refuse to accept responsibility for your own actions!!!

You told me what information you had deleted. But, as my letter stated, I want all information that is not in compliance with the law, deleted. If I find out that you have any information collected at any time, by whatever means, that is not in compliance with the law, I will sue your ass off. I am not playing games with you.

I also want to know who has access to my records. Since I have said no to pastoral care, are my personal records kept in a place inaccessible to anyone but the necessary medical staff. You have 30 days to provide a complete response or you will again be in violation of the law. I have a legal, not to mention a moral (look the word up in your dictionary), right to know who has access to my personal information (and this includes my medical and all other information relating to me just in case you decide to play semantics)."

March 15, 2006

I filed a complaint with the OIPC for Providence Health Care's refusal to respond to my question.

"I sent a letter to Providence Health Care on January 23, 2006 asking Since I have said 'no' to pastoral care, are my personal records kept in a place inaccessible to anyone but the necessary medical staff. Providence Health Care has, again, shown its contempt for the rights of individuals by refusing to respond.

This is an issue that arose from [an OIPC File Number]. The Privacy Commissioner's report stated: 'Another issue that arose was the provision of the entire list of those patients seeking pastoral care to each provider. This again was determined to be more information than each individual group needed to have and an invasion of privacy of those seeking the service. It was suggested each denomination should only receive the lists of patients that were seeking pastoral care from that denomination. This was accomplished by establishing an honour system of colour coded files that could be accessed by clergy and volunteers. Although it would have been more ideal to have the lists under lock and key or available only through a staff member these options were impractical in a situation where the information may be needed at any hour of the day by a wide range of individuals.'

Needless to say this greatly concerns me. I want to know exactly who has access to any and all of my records, and do they have access to all my information or part of it, and if so, who has access to which part. For example, where are my records kept (under lock and key, or in an easily accesssible file container); is it kept in electronic or paper form, is it ever left unattended by medical staff and who has access. This would include information about the coded files again, where are they kept, what information is accessible, and who are the wide range of individuals who may need this information.

My medical information is confidential, or suppose to be, and yet it seems that everyone and their brother has access to it.

I also want to know why Providence Health Care, which is essentially a government agency, is allowed to continually show such contempt for the laws of this province."

March 20, 2006

Letter from Rebecca Harvey, Ministry of Health

"In order for the Ministry to investigate the alleged MSP charges you refer to, we require more information on these charges. Could you kindly provide invoices and proof of payment and any other relevant details on the charges so Ms. Rajinder Manak, Supervisor, Customer Service MSP, 4464 Markham St., Victoria, BC, V8Z 7X8, can investigate them and address your concerns.

Thank you in advance for providing the additional information on the alleged MSP charges."

March 24, 2006

Letter to Rebecca Harvey

"Alleged MSP charges? If this weren't so sad, it would be humourous. You are telling me that your American company doesn't know if it invoiced me for MSP premiums for the period stated in my letter? You are telling me that your American company doesn't know if it received and cashed a cheque from me for part of that period? Your telling me that your American company doesn't know that they are sending me threatening letters because I have not continued to pay for services that are not available to me because your hospitals are in violation of the privacy laws. You give my private, confidential medical information to an American company, and now, to add insult to injury, you want me to do your goodamn American company's work for them. Get real.

I will be happy to provide invoice and proof of payment, in court. Then you can explain why you are taking money out of my pocket and giving it to this goddamn American company, who, apparently, have no record of what they have done and are doing. You can also explain why you are allowing hospitals to violate people's rights."

Comments:
I really do feel that this was just a scam, supported by the fact that I never heard from them again. They do, or should have, this information since that is they're job; how else do they do they're billing. But I think they were just looking for an excuse. Unlike most people, I actually do have this information. But on principle I will not submit to, what I consider, is a con.

April 3, 2006

Letter from Barbara Haupthoff, OIPC

"We have received your correspondence dated March 15, 2006 alleging that Providence Health Care has not responded to your letter requesting information about how your personal information in the custody of Providence Health Care is secured against unauthorized access.

It is the policy of the Office of the Information and Privacy Commissioner to refer a complaintant back to the organization, where the complaintant has not first given the organization an opportunity to respond to and attempt to resolve the issue. You have indicated in your letter that you have written to Providence Health care regarding your concerns on January 23, 2006.

In order for this office to open a file on your behalf, we require certain documents in support of your concerns. We need a copy of your January 23, 2006 letter to Providence Health Care. Our records suggest that Ms. Zulie Sachedina is the Freedom of Information Coordinator for Providence Health Care and her address is: 1081 Burrard Street, Vancouver, BC V6Z 1Y6. Ms. Sachedina is the appropriate person to respond to your concerns on behalf of Providence Health Care. You may wish to forward your January 23, 2006 letter to Ms. Sachedina for response.

Until we receive this additional information we are unable to proceed with this matter. If we have not received this information from you by April 18, 2006 we will assume that you no longer require the assistance of this Office and will consider the matter closed."

Comment:
This information was forwarded to Ms. Haupthoff, OIPC as requested.

May 2, 2006

Response from Providence Health Care:

"In response to your questions as to who has accessed your records. Providence Health Care has reviewed its processes and conducted an audit on your file.

According to our audit, your electronic record was accessed one time by Kit Schindell, Director of Patient Records, in response to your initial complaint. A copy of the audit is attached for your information.

As previously communicated to you, your paper Health Record File is available to you at no charge and you can request a copy of your record from Health Records, you will be able to review the current status of your file. For information on accessing your file, further information is found on our website: www.providencehealthcare.org info for patients & residents/patient records."

Comments:
The audit on my file was puzzling:
1. This was not the question asked. My question was "I also want to know who has access to my records. Since I have said no to pastoral care, are my personal records kept in a place inaccessible to anyone but the necessary medical staff." The question answered was wrong and incomplete. Ms. Sachedina is a lawyer, so I have a very difficult time believing that this was an error.
2. Only one person had accessed my records and on 12/9/2005. Providence Health Care was certainly eager to access my records to determine who was the admissions clerk who had initially entered my information but her name is not identified;
3. As late as January 19, 2006 Ms. Sachedina was upset because I would not give unconditional permission to access my admission records and yet the Director of Patient Records accessed my records on 12/9/2005 without my permission and for purposes unknown. Ms. Sachedina says that it was in response to my initial complaint. But my initial complaint was almost a year prior and, during December 2005, the only thing happening on my complaint was the OIPC finishing the report.
4. The audit identifies the occupation of use (occupation of the person using my information) as patient representative. I consider a patient representative as a person I select to make decisions on my behalf because I am incapacitated which, of course, does not fit this situation.
5. In addition, I did have the initial outpatient procedure at the hospital but apparently that didn't require anyone to access my records.
6. It was between January 6 and 19 that the illegally collected information was removed from my file but supposedly they did this without accessing my records because no name is identified for that period.

May 18, 2006

This letter is inserted before my May 10, 2006 letter because, according to the OIPC, it appeared that my letter was not put in the system before this letter was sent)

Response from Barbara Haupthoff:

"This letter is in response to your complaint under the Freedom of Information and Protection of Privacy Act (the Act) that Providence Health Care had not responded to your inquiries concerning possible unauthorized access to your personal information. I had spoken to Zulie Sachedina at Providence Health Care about your complaint. I have now received a copy of Ms. Sachedina's response to you.

Since you have now received a response to your inquiries to Providence Health Care, it would appear that there is no further issue for review by our office. Our file is now closed.

If you are not satisfied with the response, however, please provide written details of any further issues you would like this office to address."

Comments:
I guess there are one of three explanations: both organizations read the question incorrectly and didn't notice that the answer was still incomplete, neither one of the organizations can read, or they just want to sweep the real questions under the rug.

May 10, 2006

My response to Barbara Haupthoff:

"I received a letter from Providence Health Care, dated May 2, 2006 and it indicates that you also received a copy.

Obviously it doesn't come anywhere near answering my question. Again, Providence Health Care has violated the Privacy Act, as I am entitled to know who has access to my information.
Since this issue will likely end up in court, I am going to restate my question. I want to know who has access to anyone's records at any time. For example, if someone had been in the hospital, for whatever reason, who would have access to their records, all doctors in the province/country/world or only certain doctors and, if so, which ones; all nurses, technicians, pastors, volunteers, etc.? Do they have access to all the medical information or part of it (if so, who has access to what part)? If your access is limited, how is this enforced?

Where are the records kept (under lock and key, or in an easily accessible file container); is it kept in electronic or paper form, is it ever left unattended by medical staff, what safety features protect my information (ex. firewalls if on a computer). This would include information about the coded files -- again where are they kept, what information is accessible, and who are the wide range of individuals who may need this information? If a person opts out of pastoral care, does this affect who has access to their records?

I am sending this directly to you as Providence Health Care has shown that they don't respect people's rights, and will only respond to a question if directed to do so by you and then they only give a facade of complying by actually avoiding the question.

However, I will be able to show in court that I have given you and Providence Health Care every opportunity to resolve this matter.

In a letter from Providence Health Care, dated January 19, 2006 they state: "Since changes to patient records require explanation, a copy of Mr. Egan's report, your letter dated January 9, 2006 and this response will be placed on your patient record to serve as the explanation for the changes to your patient record. I trust this will meet with your approval". It does not, I do not want any of that information on my file. You are removing information that was illegally obtained so no additional information should be required. Also, there is the potential for this information to be used to discriminate against me especially since I don't know who has access to my records.

Everyday that you delay protecting my privacy, which is my legal right, is another day that I am denied medical care which is another legal right. This puts you and Providence Health Care in a very precarious position. As stated before, I was suppose to be in the hospital a year ago."

June 7, 2006

Letter from Ms. Haupthoff, OIPC

"We have received your complaint that Providence Health Care allegedly has not provided you with sufficient information concerning the security of your personal information under the Freedom of Information and Protection of Privacy Act (the Act). Your case has been opened as of May 12, 2006 and has been assigned to Patrick Egan, who will be the Portfolio Officer responsible for mediation of this matter. By copy of this letter, I notify Providence Health Care of the investigation and provide Providence Health Care with a copy of your letter to this office."

July 19, 2006

Email to Ms. Haupthoff, OIPC

"I sent you a letter re Providence Health Care May 10, 2006. Would you tell me when I can expect to receive a reply?"

Comment:
My error. I forgot that the case had been assigned to Patrick Egan.

July 28, 2006

I have not received a reply to this email. If I do not receive a reply by August 3, 2006 I will pursue this through other avenues."

Comment:
I had attached the email of July 19.

July 28, 2006

Reply from Ms. Haupthoff, OIPC

"A new file was opened with regard to your May 10, 2006 letter to our office. Your file number is (xx) and your Portfolio Officer is Patrick Egan. Your message has been forwarded to Mr. Egan, who is currently away from the office. Mr. Egan will return to the office on August 8 should you wish to contact him."

August 8, 2006

Email to Patrick Egan, OIPC

"I have been very patient. So, if I do not have a reply by August 11, 2006, I will take action."

August 8, 2006

Letter from Patrick Egan:

"Your Tuesday, August 08, 2006 11:09 AM email was forwarded to me this afternoon. As you know, this file was assigned to me on June 7, 2006. I am investigating your complaint that Providence health care did not provide you an adequate answer to your question concerning the security of your personal information, specifically your questions about who has access to your records and whether your records are inaccessible to everyone but the necessary medical staff.
I am in the preliminary process of speaking with Ms. Sachedina about your complaint and am providing her with more detailed questions as you have provided to us in your May 10, 2006 letter.

I hope to complete my investigation as soon as possible. However, complaints are investigated in the order they are received and I am still investigating a number of complaints that preceded yours. As a result, I am not yet able to say when I will be finished."

September 5, 2006

E-mail to Patrick Egan:

I was told that last fall an organization had been formed to look into privacy matters in the medical field. Yet, almost a year later they are still treating people's privacy rights with contempt. Of course, I don't know anything about this organization or whose interests they are trying to protect since you refused to provide any other information.

I understand your constraints in this matter but I am not prepared to wait another year or more to have this resolved. I need medical care and I have a legal right to medical care, and this does not mean a right subject to blackmail, so I will be pursuing this through other avenues, as well."

September 5, 2006

I wrote to Tony Clement, Federal Minister of Health. I outlined what had happened to date. I also stated:

"I am contacting you because I believe the federal government has a responsibility under the Health Act and Privacy Act to ensure that people have access to health care. I believe the Health Act states that all people will have equal access to necessary medical care. It does not say, access if you submit to blackmail, or access if you give up your rights, etc. I believe the provincial government is in violation of the Health Act and it is your role to ensure its enforcement. I also believe that you have a responsibility to ensure that my money, that you send to the provincial government, is spent appropriately (and that means to provide me with medical care).

Also, I understand that the provincial governments were allowed to pass their own privacy laws, as long as those laws were, in essence, the same as the federal privacy laws. While your federal privacy commissioner's office has said that the Office of the Privacy Commissioner of Canada does not supercede the Office of the Information and Privacy Commissioner for BC, I believe you do have a right, if the provincial act is not operating in conformance with the federal act. I believe the provincial government has violated the Privacy Act by:
1. Not having their organizations in compliance with the privacy laws as of January 1, 2004.
2. By taking an extraordinarily long time to resolve privacy matters, thereby jeopardizing a citizen's health. It took the provincial privacy commissoner's office approximately nine months to make a decision on the initial complaint and to have the information removed from my file. It has been over 8 months since I asked who has access to my medical information and I am still waiting for an answer.

I hope that you will step in and have this situation resolved soon. I need medical care (in addition to the tests I needed over one and a half years ago), my doctor has told me that I am long overdue to see her and yet I sit here, waiting, because the hospitals, apparently, have no idea who has access to my medical records (or don't want to answer). Either way it is a really appalling situation. My question is not a trick question. It is a basic question that the hospitals should have no problem answering and the fact that they do should raise serious concerns with you, as it does me.

As I said, I believe you have a responsibility in this. If anything happens to me due to lack of care because the hospitals were in violation of the law, I will take legal action and hold everyone involved responsible. I am also investigating other avenues to resolve this problem, such as the press.

I can think of absolutely no justifiable excuse for what is happening, and I don't think any court would either".

Comments:
I erred in using the date January 1, 2004. That applies to PIPA, which is for private organizations. The FOIPPA, which applies to public bodies, came into effect October 4, 1993 (OIPC, Role and Mandate, pg. 2) .

November 28, 2006

Response from Tony Clement, Minister of Health (apologized for delay in responding):

"I would like to clarify that the Canada Health Act is the federal legislation that sets out the basic criteria and conditions that provincial and territorial health insurance plans must meet to qualify for federal transfer payments under the Canada Health Transfer. The Act's criteria relate to such matters as the comprehensiveness of insured services covered, universality of population covered, reasonable access to insured services without impediment by way of user charges or otherwise, portability of benefits and public administration of the health insurance plans on a non-profit basis. Residents of a province or territory are entitled to have access to insured health care services in the setting where the services are provided and as the services are available in that setting. The Act does not address matters related to personal health records or privacy issues.

The situation you described involves the collection of personal information by a provincial health care organization. The Privacy Act applies only to personal information collected, used and disclosed by federal departments and agencies. The federal Personal Information Protection and Electronic Documents Act protects personal information held by private sector organizations, with the exception of those jurisdictions in which provincial legislation has been deemed substantially similar. Consequently, it is the provincial Information and Privacy Commissioner, rather than the federal Privacy Commissioner or Minister of Health, who is responsible for reviewing your case.

The provincial and territorial governments have primary responsibility for matters related to the administration and delivery of health care services, including setting their own priorities, administering their health care budgets and managing their own resources. Therefore, I recommend that you share your concerns with the Minister of Health...."

December 12,

My response to Tony Clement:

"I did contact the Minister of Health of B.C. but he, like you, claim no responsibility. Apparently, nobody is responsible. How convenient.

It is your responsibility to enforce the Canada Health Act. As you state, 'The Act's criteria relate to such matters as reasonable access to insured services without impediment by way of user charges or otherwise.' You also state, 'Residents of a province or territory are entitled to have access to insured health care services...'. I don't have access to health care services without an impediment, ie the violation of my rights.

You also state that 'the federal Personal Information Protection and Electronic Documents Act protects personal information held by private sector organizations, with the exception of those jurisdictions in which provincial legislation has been deemed substantially similar'. So, are you saying that the federal Privacy Commissioner does nothing to protect people's privacy, that he does not respond to complaints, that the federal act (like the provincial) is just a convenient piece of paper (a fantasy that sounds good at first -- your privacy rights are protected -- we have passed an act) but, in reality, means absolutely nothing and people can just ignore it? At the provincial level, I have learned that one can just ignore the FIPPA and any other privacy act. Nothing will be done about it, there's no enforcement (hell, the Privacy Commissioner's Office doesn't even bother to respond to any complaint they don't like). So, you are saying that provincial privacy laws mirror the federal, ie they are both a farce.

You have a responsibility to step in if a provincial government or its agencies are not fulfilling their obligation and are impeding access to health care either directly or by lack of action. I understand that about 30% of my tax dollars paid to the federal government goes to provide me with health care. Well, you have collected my money, now give me health care.
I hear that an election is likely very soon. I can assure you that if this situation is not fully resolved by then, I will make it an issue."

December 1, 2006

Report from Patrick Egan:

"This letter is in response to your complaint under the Freedom of Information and Protection of Privacy Act ('Act} that Providence Health Care (Providence) has not provided you with sufficient information about the access to and security of your personal information. Specifically you want to know who would have access to your patient records if you were admitted to a Providence hospital and how your personal information in both electronic and paper form are secured against unauthorized access. I have been assigned to investigate this matter. In accordance with s. 49 of the Act, the Commissioner has delegated the authority to me under s. 42(2) of the Act to investigate the complaint. In concluding this investigation, I am exercising the delegated power to investigate, make findings and dispose of your complaint.

Background
On January 23, 2006, you wrote to Providence and requested to be told who had access to your records. You also wanted to know if your personal information was kept in a place that was inaccessible to anyone but the necessary medical staff.

On March 15, 2006, you wrote to our office with a complaint that Providence did not respond to your January 23, 2006 letter. File .... was opened and Providence was contacted regarding their lack of response.

On May 2, 2006, Providence responded to your question about who has had access to your personal information. Providence conducted an audit of the electronic records containing your personal information and provided you with a copy of the audit. Our file was closed.

On May 10, 2006, you wrote to our office stating that Providence's response did not answer your question. You restated your question as: Who has access to anyone's records at any time.

On May 12, 2006, File .... was opened to investigate your complaint that Providence did not provide you with sufficient information concerning the access to and security of your personal information.

Issues
The following issues have been investigated:
1. Has Providence made reasonable security arrangements to protect against unauthorized access or disclosure under s. 30 of the Act?
2. Has Providence ensured that personal information in its custody is disclosed only as permitted under s. 33.1 or s.33.2 of the Act?

Investigation
Issue 1 Has Providence made reasonable security arrangements to protect against unauthorized access or disclosure under s.30 of the Act?

Section 30 of the Act states:
Protection of personal information
30. A public body must protect personal information in its custody or under its control by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal.

Your complaint letter only spoke of your concern about inappropriate access by or disclosure of your personal health information to other care providers or employees and what security measures were in place to prevent this. As a result, I have investigated Providence's security arrangements in general and with respect to unauthorized access or disclosure by care providers or employees.

I spoke with Mr. Yoel Robens-Paradise, Director of Health Records Services for Providence, about the security arrangements in place for patient health records. Mr. Robens-Paradise noted that all health records created since April 1, 2006 are kept in electonic form. Since April 1, 2006, Providence has embarked on a project that will see it scan all patient paper records and convert them to electronic records. This is part of a wider federal and provincial initiative to shift from paper records to electronic health records.

Paper Records
Prior to April 1, 2006, when a patient was admitted to a Providence hospital and moved to a unit any existing patient records were requested from the Health Records Department (HRD). The HRD was responsible for finding the records and sending them to the appropriate unit. While not in use, patient records are stored in a locked file room in the basement of the hospital. Access to the storeroom is only available to HRD staff that are retrieving or returning records. The HRD does not store patient records other than those that are in transition between a unit and the storeroom. The HRD is staffed 24/7 and is not accessible to the public or non hospital personnel. During night shift the HRD is locked and admittance is gained only by having HRD staff unlock the door.

During a patient's stay at the hospital their health records are kept on the unit. Patient records are typically kept in binders and stored on shelves behind the unit's nursing station and inaccessible to passing members of the public. Nursing stations are staffed 24/7 by unit clerks or nurses. While on the unit, health records are not kept under lock and key. During a patient's stay the health records are accessed by health care providers and the patient's health care is documented in the records by hand. When a patient is discharged, their health records are returned to the HRD. Since April 1, 2006 HRD has been scanning returned paper records and adding them to the patient's electronic health record. It is my understanding that once paper records have been scanned the scanning is validated as complete and the paper records are securely destroyed and disposed of.

Prior to April 1, 2006, a patient's paper health record was tracked by using a bar code on the file folder. The bar code was swiped when it left storage and then was swiped again when it was returned to storage. While on the unit the paper health records required every health care provider to log each entry so the person who made the entry could be identified. When care providers only viewed the record they were not required to log this fact.

When an individual visits an out-patient clinic they usually get same day treatment or treatment over a number of days without staying overnight. Out-patient clinics keep records for every visit by a patient. In the past, each clinic would create and store its own paper patient records much the same way as a dentist's or doctor's office would. Health records are stored in the clinic on shelves, sometimes locked file rooms but always behind locked doors when the clinic is closed. Providence is in the process of changing this practice so that all out-patient records are returned to HRD when a patient does not need to return for further treatment.

Electronic Records
According to Mr. Robens-Paradise, electronic health records are stored on secure servers and not on individual computer hard drives and therefore, not at risk by theft. The secure servers are situated in the hospital.

Electronic records can only be accessed through hospital computer terminals. At this time, electronic health records created at Mount Saint Joseph Hospital cannot be accessed by another Providence employee at another hospital. They cannot be accessed by any doctor outside the hospital.

To access electronic patient health records on the secure servers, hospital employees or health care providers require an assigned user ID and a password. Each person with access rights is assigned a profile which defines the limits of their access. There are approximately 30 different profiles. For example, nurses who are working on the fifth floor will have a profile that only permits them to access electronic health records for patients who are on the fifth floor. Providence describes this type of access as geographic access. Doctors may have a profile that permits them to access the health records for all patients in the hospital. Pastoral care providers and hospital social workers are also provided with geographic access when a patient requests their services. If pastoral care is being provided to someone in the renal unit the pastoral care provider will have access to the records for patients in the renal unit. The narrowest profile available is by individual unit. When an electronic records is accessed, it is electronically stamped with the time, date and name of the individual who accessed the record. When a patient is discharged, their electronic health records are no longer accessible.

Providence has an agreement with the Vancouver Coastal Health Authority in which they share an Information Technology team who maintain Providence's computer networks and ensure the networks are kept secure.

Issue 2 - Has Providence ensured that personal information in its custody is disclosed only as permitted under s.33.1 or s.33.2 of the Act?

Your complaint did not allege a specific case of unauthorized disclosure but rather questioned what assurances Providence could provide you about their ability to prevent possible disclosure of your personal information to unauthorized employee's or service providers. The Act restricts a public body's ability to disclose personal information in its custody. In this case, the Act permits the disclosure of personal information to an employee or service provider of a public body if it is necessary for those individuals to carry out their duties. The relevant provisions are copied below.

Disclosure of personal information
33 A public body must ensure that personal information in its custody or under its control is disclosed only as permitted under section 33.1 or 33.2.

Disclosure inside or outside Canada
33. (1) A public body may disclose personal information referred to in section 33 inside or outside Canada as follows:
...
(e) to an individual who is a minister, an officer of the public body or an employee of the public body other than a service provider, if
(i) the information is necessary for the performance of the duties of the minister, officer or employee, and
(ii) in relation to disclosure outside Canada, the outside disclosure is necessary because the individual is temporarily travelling outside Canada;
(e.1) to an individual who is a service provider of the public body, or an employee or associate of such a service provider, if
(1) the information is necessary for the performance of the duties of the individual in relation to the public body, and
...
Disclosure inside Canada only
33. A public body may disclose personal information referred to in section 33 inside Canada as follows:
...
(c) to an officer or employee of the public body or to a minister, if the information is necessary for the performance of the duties of the officer, employee or minister;
...
When I asked Providence how they met their obligations to restrict disclosure of patient personal information to that required by employees or service providers to carry out their duties, they provided me with a copy of their 'Confidentiality/Access to Information Policy and Procedures'. This document outlines Providence's policies on maintaining privacy and providing access to information. This policy is required reading for all new Providence employees or others doing business for or with Providence (including contractors, volunteers, reseachers and physicians) and is included in Providence's orientation package. All new employees or others doing business with Providence are also required to indicate their understanding of the policy by signing the 'Pledge of Confidentiality/Statement of Understanding Form' within the first month of being hired. Providence has recently hired a Privacy, Access and Information Manager who will take part in the new employee orientation process by explaining Providence's privacy policy. Privacy and access matters were previously the responsibility of the Vice President of Human Resources.

The policy states that all information including computer generated data concerning patients, residents, employees, and corporate operations is strictly confidential. A breach of confidentiality is defined as an intentional or inadvertent unauthorized access to, or disclosure of, confidential information including clinical or personal information regarding patients, family members, visitors, friends or colleagues. The policy also states that Providence employees have the responsibility to report a breach of confidentiality. Further, if Providence confirms that a breach of confidentiality has occurred, the employee(s) involved may be subject to disciplinary action up to and including dismissal.

With respect to maintaining confidentiality, Providence provides the following procedures to new employees or others doing business with Providence:
- Obtain or access only enough information that is necessary for performing your job duties. Do not share information with others unless they need to know the information to carry out their duties. Viewing information other than that required to perform job duties is a violation of confidentiality even if the information is not disclosed to another person.
- Do not discuss personal information in any area where individuals who are not authorized to receive the information are present, unless required to do so by law or with the permission of an authorized individual.
- If an intentional or inadvertent breach of confidentiality occurs notify the appropriate person.

Analysis
It is my opinion that Providence has made reasonable security arrangements to protect the personal information in its custody from unauthorized access or disclosure. Their paper records are either behind locked doors or are under the supervision of hospital staff at all times. Electronic records containing patient personal information are stored on secure servers and are only accessible through the in-hospital computer network which is maintained by information technology professionals. Approved hospital employees, physicians or service providers who need to view electronic health records are provided with a profile which includes a user ID and an individual password. Only individuals with an approved user ID and password are able to access electronic health records. Access to electronic records is restricted by a user's need to know profile. At this time electonic health records cannot be accessed by users outside of the hospital.

Based on my review of the 'Confidentiality/Access to Information Policy and Procedures' it is my opinion that Providence has reasonable procedures in place to ensure that personal information is disclosed to its employees only as permitted by ss. 33, 33.1 and 33.2 of the Act. Providence has implemented and maintains a need to know policy with respect to access to or disclosure of patient information. Only employees or service providers who need access to your personal information to carry out their employment duties are permitted to look at your records. This means, for example, that pastoral care providers are not permitted to access or view a patient's personal information if that patient has declined their services. Pastoral care providers have been informed of this policy and have signed a pledge indicating that they understand this policy. The policy includes sanctions against those who contravene the policy.

Findings
Based on my investigation I find that Providence is complying with s. 30 (Protection of personal Information) and ss. 33, 33.1 and 33.2 (Disclosure of personal information).

Considering your original questions, I believe my investigation has addressed and resolved your concerns.

Comments:
Under Electronic Records it says that health records created in Mount Saint Joseph cannot be accessed by another Providence employee at another hospital. They cannot be accessed by any doctor outside the hospital and Electronic records containing patient personal information are stored on secure servers and are only accessible through the in-hospital computer network. Yet, on July 21, 2005, Ms. Sachedina states that PHC has one database for all of it's member hospitals. That was the explanation as to why they already had information on me even though I had never been to Mount Saint Joseph's Hospital before. So obviously they were able to access personal information from another hospital.

Again, pastoral care providers should not have access to the computers.

January 11, 2007

My response with Concerns/Questions to Patrick Egan's letter of December 1, 2006, is identified in his January 22 reply as questions, with the exception of the paragraph below,
"Please note that when I refer to personal information that includes all information that the hospital has on the person."

January 22, 2007

Patrick Egan's response:

"I have copied your questions below and will attempt to respond to each one immediately after the question. I consulted with Inta Sloman, Providence's Privacy, Access and Information Manager, to assist in answering some of your questions.

Question 1:
pg. 2 - You state that "Your complaint letter only spoke of your concern about inappropriate access by or disclosure of your personal health information to other care providers or employees..." This is incorrect. I asked "I want to know exactly who has access to any and all of my records....". There were no limitations. So, I want to know if anyone else has access to a person's records. Perhaps this boils down to what is included in other care providers. Does that include everyone who is not an employee who has access to personal information (such as computer technicians, etc.)?

Response:
When I, and Providence, use the term access we refer to lawful access. Lawful access refers to the situation when an individual is authorized to access (look at) patient health records in circumstances that are consistent with the 'Freedom of Information and Protection of Privacy Act (FIPPA). Providence has, in my opinion, implemented reasonable physical security and policies and procedures to prevent unlawful, unauthorized or inappropriate access to patient records. Who has lawful access? Only those individuals who require access to a patient's records to carry out their duties, whether that duty is medical care, file administration or converting paper records to digital format by scanning them, are authorized to access a patient's records. Providence's policy on access may be defined as a need to know policy, meaning if you do not need to know the information you have no right to be looking at it (or accessing it). According to Providence, this policy is strictly enforced and continually reinforced with everyone who works or volunteers at their hospitals.

Given my findings that Providence has implemented reasonable policies to prevent unauthorized access, this is not an issue I will investigate further.

Providence allows only employees to have access to patient records. An employee refers to people employed by the hospital, medical personnel with working privileges at the hospital and service providers (or contractors) who are providing services (for example, contracted food services). Health care providers would include all those people involved in a patients' care including nurses, social workers, doctors, specialists and physiotherapists. All these people are bound by Providence's policy and procedures and sign a pledge of confidentiality to indicate their understanding of the policy. Anyone working at the hospital under contract is contractually obliged to follow the same confidentiality policies as employees. The contract language provides for sanctions if the policy is breached.

Question 2:
pg. 2 - Paper Records - This does not seem to make sense. While not in use, patient records are stored in a locked file room in the basement of the hospital... The HRD does not store patient records other than those that are in transition between a unit and a storeroom. So who is storing the records?

Response:
If St. Josephs has a medical file on a person who is not in the hospital for medical care their file is in the basement storage. When a person needs medical care and is registered as a patient, the Health Records Department (HRD) is notified by the unit clerk. HRD then retrieves the file from the basement. The HRD may retain the file for a short while to update it and then they move it on to the unit where the patient is staying. When I said the HRD does not store records, I meant they do not provide long term storage of files in their offices. The files are only in the HRD offices long enough to prepare them for either the ward unit or the basement storage room as they move from storage to the unit and back again. That process is changing as records become electronic.

Question 3:
pg. 2 - last paragraph - During a patient's stay the health records are accessed by health care providers - Who do you define as health care providers.

Response:
Health Care Providers are people who provide direct health care to a patient. Nurses and Doctors, any specialists or therapist who might also be involved. Anyone who provides care would likely need to know what care has already been provided. They would also need to document the care they have provided. If a patient has requested spiritual or pastoral care then they would be included as one of that patient's care providers. Providence has a need to know policy. Therefore, a care provider who is not providing care to a patient has no right to look at the patient's records.

Question 4:
pg. 3 - It is 'my understanding' that once paper records have been scanned the scanning... Was this not confirmed by Providence Health Care?

Response:
As part of my original conversation with Providence we talked about the conversion of paper files to electronic files in the context of a file's movement from secure storage to unit clerk when a patient is admitted. At the time, Providence confirmed the process in a general way and that was sufficient for my investigation. For your information, Providence has stated that, during the start-up phase of this program, scanned records are being held back from destruction until consultations with the Ministry of Health are complete. Providence expects to soon implement their policy that requires scanned records to be shredded 60 days later.

Question 5:
pg. 3 - Health records are stored in the clinic on shelves.... Who attends to these files and are they ever left unattended?

Response:
According to Providence, during office hours clinic staff monitor these files. Outside office hours the clinic is closed and locked.

Question 6:
pg. 3 - paragragh 5 - At this time...cannot be accessed by another Providence employee.... They cannot be accessed by any doctor.... Are they plans to change this?

Response:
Yes. There are national and provincial initiatives to create electronic health records that can be accessed remotely by authorized individuals. I do not know what the security protocols will be. Eventually, for example, a BC resident requiring medical attention in Ontario will be able to access their medical records via computer.

Question 7:
pg. 3 - Pastoral care providers and hospital social workers are also provided with geographic access when a patient requests their services. If pastoral care is being provided to someone in the renal unit the pastoral care provider will have access to the records for patients in the renal unit. The narrowest profile available is by individual unit.

I object to pastoral care providers and hospital social workers having access to the records of patients who do not request them. I suggest the hospital provide an individual profile. I know this can be done with computers because Revenue Canada does it; I also know that you can even restrict people to certain information, for example a pastor could enter an ID number and the only information that would appear is the names of those patients who requested their services; lots of different programs do this. I don't see why these people should get preferential treatment. Or, if someone wants pastoral care, they or their families could call the appropriate church and request it.

Response:
Providence is a Catholic organization which has the legal right to provide spiritual or pastoral care in their hospitals. Every patient, however, also has the right to refuse spiritual care if they desire.

Again, I refer back to my discussion about the term access. In this context the term access refers to lawful access, that is, being authorized to look at the files. If a pastoral care provider reads a file they did not have a need to see, that is, they accessed the file inappropriately, they would be subject to sanctions outlined in either the policy or their contracts.

As you know, the electronic patient record system includes the ability to audit access so if there was a concern an electronic trail of who had access could be viewed. Ms. Sloman has informed me that the audit system is being updated to a pro-active system that will notify the proper authorities in real time if an electronic record is accessed by an unauthorized individual. If you enquire, Providence may be able to explain to you why individual profiles are not provided. This is not an issue I will investigate further.

Question 8:
pg. 4 - 1st paragraph- Again, my question was not limited to employees or service providers. In fact, service providers is a very vague term. Who are the service providers and why would they need access to an individual's information. Is a service provider the same as a care provider?

Response:
Sorry if I am mixing my use of the terms care provider and service provider. A more descriptive term for care provider is health care provider. Generally, I may use the term employee when referring to employees and service providers. Employees are those who are employed by the hospital in the typical sense of the word. Nurses, nurses aides and clerks for example, who are hired and paid by the hospital and have an employment relationship with the hospital as their employer. When I refer to service providers I refer to people who may work for a company which has a contract with the hospital and who are directly employed by the contractor rather than the hospital. In some cases a service provider could also be a single person with a contractual relationship with the hospital. Common examples of service providers might be janitorial services, food services, communication services, security services and perhaps some kinds of specialized medical services. As I noted above, contracted service providers are subject to contractual language which requires that they maintain a high level of confidentiality when working with hospital records, including patient records. A care provider would be someone who provides some kind of health care. They could be an employee, a service provider or a volunteer.

Question 9:
pg. 4 - Again, it states "The Act permits the disclosure of personal information to an employee or service provider of a public body if it is necessary for those individuals to carry out their duties. It is not necessary for pastors, etc. to have access to the information of people who have not requested their services.

Response:
If a patient does not want pastoral care, their personal information will not be disclosed to a pastor or spiritual care provider. Pastors are not permitted to access the personal information of patients who do not want pastoral care.

Question 10:
pg. 4 - last paragraph - Do contractors, volunteers, researchers, etc. also have access to personal medical files? If so, why? (This may be the same question as the paragraph above). What is the process for screening volunteers, etc. who may have access to personal medical files? Obviously, people, such as volunteers, have nothing to lose by breaking a confidentiality pledge.

For that matter, what is the process for screening pastoral care providers.

Response:
The need to know policy means only those who need to know can look at a patient's personal information. I am not sure what you mean by screening. If you mean what procedures do volunteers or pastoral care providers go through to ensure they are aware of the confidentiality policies and procedures, they go through the same procedures as employees and service providers and sign a confidentiality pledge. As I noted above, people under contract are subject to contractual obligations to maintain confidentiality and report privacy breaches.

Question 11:
pg. 4 - last paragraph - re hiring a Privacy, Access and Information Manager Is this more than a name change?

Response:
This Manager is a new person hired by Providence to take on the responsibility previously covered by the Vice President of Human Resources. This is a management position.

Question 12:
1. pg. 4 - last paragraph - you state that "The Privacy, Access and Information Manager will take part in the new employee orientation". Does this also apply to contractors, volunteers, etc. (this may be included in the question above)? It would appear from my experience that current employees also need training in privacy rights and legislation. I also know that many people sign forms indicating their understanding without having even read the appropriate material much less understanding it and how it affects their particular obligations. So, telling me that people are required to read Providence Health Care's very general and vague Confidentiality/Access to Information Policy does not give me comfort that my rights will be protected.

Response:
Yes, see above answers about service providers contracts. According to Ms. Sloman, there is an ongoing process of education with both the new workers and the existing workers with respect to privacy obligations and rights.

Question 13:
pg. 5 - first paragragh - employees have a responsibility to report a breach of confidentiality - what about contractors, volunteers, etc.

Response:
Contractors and volunteers are contractually obliged to report breaches.

Question 14:
pg. 5- first paragraph - "...that a breach of confidentiality has occurred, the employee(s) involved may be subject to disciplinary action up to and including dismissal". Again, what action is taken against contractors, volunteers, etc.

Response:
According to Providence, there are provisions in each contract regarding privacy and the sanctions possible if the contractor breaches confidentiality.

Question 15:
Is the breach of confidentiality reported to the patient so they have the option to lay charges against the person involved or even the hospital since the hospital is responsible for the actions of the people they authorize or is the breach of confidentiality hidden?

Response:
Breaches of this type are reported to our office. The public body's analysis of the breach will determine if the individual whose information was disclosed need to be notified. We have more information on privacy breaches on our website at http://www.oipc.bc.ca/. Follow the Government and Public Bodies link under the Public Sector graphic.

Question 16:
pg. 5 - "Obtain or access only enough information that is necessary for performing your job duties". I fail to see how Providence Health Care is ensuring this if, for example, they allow pastoral care providers/volunteers, etc. access to every patients complete information. Obviously, they don't need that much information. In fact, pastoral care providers would need, at most, the names of those who chose their services.

Response:
Providence does not allow care providers and others access to every patients' complete information. See above answers for more information.

Question 17:
pg. 5 - again the statement "Providence has implemented and maintains a need to know policy with respect to access to or disclosure of patient information seems to conflict with the statement that people have access to all patients complete information on a unit". Same with the statement "pastoral care providers are not permitted to access or view a patients personal information if that patient has declined their services". How do they know which patients have requested their services and how do they access that information without seeing other people's information.

Response:
The pastoral care provider would be told who has requested his or her service. Patient records are kept separate from each other. If a pastoral care provider had permission to access a patient's record they would not need to flip through another patient's records to find what he or she was looking for.

Question 18:
According to Providence Health Care (stated on a sign posted at the hospital) a person's personal information can be used to support research as outlined under S35 of FOIPPA. Please explain why and how a person's information is used.

Response:
If information is disclosed to research a number of conditions set down in s. 35 of FIPPA have to be met. This includes rendering the information anonymous as soon as possible. Please contact Mount Saint Joseph's Hospital if you require more information about research projects they support.

Question 19:
Also stated on a sign at St. Joe's is:
Please note that the following questions will be asked by the admitting staff:
(1) Do you want callers or visitors to know of your presence here in the hospital and of general conditions?
NOTE: A NO response applies to all callers and visitors including all your family members, friends and florists.

Question: Does this mean that if I chose not to have pastoral services that their NO response will be activated and no information will be given to anyone?

Response:
According to Ms. Sloman, the answer is no.

Question 20:
Has Providence Health Care confirmed that the information in your letter is accurate.

Response:
Yes. I often provide public bodies with a draft copy containing the facts I have gathered so they have a chance to review and comment on the accuracy of my facts. I spoke with Ms. Sloman about my answers in this letter to confirm their accuracy and completeness.

Question 21:
I've also heard that you recently got powers to take information from people/organizations that were not being cooperative. Is that what happened here?

Response:
I'm not aware that our office has received any new powers. Under various provisions of the Freedom of Information and Protection of Privacy Act the Commissioner has certain powers. One of them is the power to require any record to be produced by a public body to the Commissioner (see s.44). Providence was always cooperative, no legislative powers were enforced to carry out my investigation.

If you have any further questions about Providence's privacy policies or how they collect, use and disclose patient information please call Inta Sloman, Providence's Leader Privacy, Access and Information, on her direct line at (604)806-8336. Our file is now closed."

Comment:
You may have noticed that several of the answers were non-answers. That is to say, words were put on paper but they did not answer the question.

February 18, 2007

Letter to Ina Sloman.

"Again I ask, who exactly has access to personal/medical information? Who exactly are the service providers, ie specifically are they vendors, if so, what do they sell, are they janitors, etc. and why and how much access do they have to personal/medical information? When I refer to access I refer to being able to obtain information because there is no physical obstacle.

'Providence's policy on access may be defined as a 'need to know' policy, meaning if you do not need to know the information you have no right to be looking at it (or accessing it)', [letter from Privacy Commissioner's office dated 1/22/2007 herein referred to as letter 2]. 'According to Providence, this policy is strictly enforced', [letter2]. How do you enforce this if the lowest profile available is by individual unit (ie floor) [letter from Privacy Commissioner's office dated 12/1/06 herein referred to as letter 1]?

The same question with regard to care provider, second paragraph. 'A care provider who is not providing care to a patient has no right to look at the patient's records' [letter 2]. How do you know whose records they have accessed and how much information they have seen?

I would like to know why individual profiles are not provided.

'..the audit system is being updated to a pro-active system that will notify the proper authorities in real time if an electronic record is accessed by an unauthorized individual' [letter 2]. When will this happen? How does this operate, ie. how would you know if an unauthorized individual accessed an electronic record; what does an electronic record consist of, ie how much information - all the person's information, or part, etc.?

'If a patient does not want pastoral care, their personal information will not be disclosed to a pastor or spiritual care provider. Pastors are not permitted to access the personal information of patients who do not want pastoral care', [letter 2]. Again, how do you stop them; when they access the computer on a floor, how do they know who they are looking for, or access who they are looking for without seeing other people's information? 'The pastoral care provider would be told who has requested his or her service', [letter 2]. In which case, why do they even need to access people's information?

Why do volunteers need to access personal information? Why do contracted food services need access to personal information, is the access limited to specific personnel, and how do you know how much information they have accessed?

What is the process for screening volunteers, pastors, service providers, etc. to ensure that they do not have a criminal, or other inappropriate, background?

I understand that you will take part in the new employee orientation regarding privacy. Does this also apply to contractors, volunteers, pastors, etc.?

'...that a breach of confidentiality has occurred, the employee(s) involved may be subject to disciplinary action up to and including dismissal' [letter 1]. What sanctions could you apply against a pastor or volunteer that would discourage them from breaching confidentiality?

I would like to know which research projects you support and who is involved, ie which organizations and companies?"

March 7, 2007

Response from Ms. Sloman:

"I would like to acknowledge receipt of your letter, which is dated February 18, 2007. I would also like to acknowledge that I have reviewed the findings of the OIPC as contained in their letter to you of December 1, 2006. It is my understanding that a full investigation was completed and the file is now closed.

The investigation concluded that St. Paul's has made reasonable security arrangements to protect personal information and has reasonable procedures in place to ensure that personal information is disclosed in an appropriate manner.

The questions that you are raising in your letter relate to questions around the specifics of the current and future auditing systems, screening of volunteers, etc., our orientation program, specifics about how we would deal with a pastor or volunteer re breach of confidentiality, and which research projects we support and who is involved.

With respect to the following questions, these are outside my job duties and I would direct/advise you as follows:

Auditing/IT compliance questions: Information Technology Department
IMIS
Vancouver Coastal Health
(IT is a shared function led by VCH)

Screening for volunteers, pastors, etc. Providence Health Care Human Resources

Research Projects: Not possible to provide this information

With respect to how we would deal with a breach of confidentiality situation; this is totally dependent on the circumstances of the breach. We would follow sound labour relations practice and the sanction would be commensurate with the seriousness of the breach.

Finally, with regard to the new orientation program, this is being developed and the specifics have not been determined yet.

You have asked some further questions around access and these were answered through the investigation process conducted by the OIPC."

Comments:
Two pages that didn't provide a single answer. I certainly feel that the change in personnel was a name change only.

May 5, 2007

Letter to Ms. Sloman:

"In a letter from Ms. Sachedina, dated May 2, 2007 (actually dated 2006 in error), then responsible for privacy issues, she stated that only one person had accessed my records. This was not the question asked but I do have questions with the response.
1. Why did Ms. Schindell, Director of Patient Relations, access my records on December 9, 2005? Ms. Sachedina said that it was in response to my initial complaint, but that complaint was laid March 1, 2005. Why would she be accessing my records nine months later?
2. Ms. Sachedina complained, as late as January 2006, that I would not give her (unconditional) permission to access my records to determine the name of the admitting clerk. Yet, the name of the admitting clerk was not identified on the record. And Ms. Schindell went ahead and accessed my records without my knowledge, much less my permission. Please explain.
3. Why was Ms. Schindell identified as patient representative under occupation of user? She obviously wasn't representing me.
4. I also had an outpatient procedure on February 18, 2005. Was no one required to access my records at that time?
5. Between January 6 and 19, 2006 illegally collected information was removed from my records. Did no one have to access my records to remove the information?"

May 8, 2007

Letter to Human Resources, Providence Health Care

"According to Providence Health Care, volunteers and pastors are allowed access to patient information in the database. Do you screen volunteers and pastors, ie. do you check to see if they have a criminal background, do you check that the pastors claim to work for a church is true, before they are allowed to access patients confidential information, etc."

May 8, 2007

Letter to Information Technology. IMIS, Vancouver Coastal Health.

"I understand that IT is a shared function with Providence Health Care. Ms. Sloman, Leader, Access, Information and Privacy, Providence Health Care told me to contact you regarding the following questions.
Ms. Sloman had stated:' ..the audit system is being updated to a pro-active system that will notify the proper authorities in real time if an electronic record is accessed by an unauthorized individual' [letter 2].
My questions:
1. When will this happen?
2. How does this operate, ie. how would you know if an unauthorized individual accessed an electonic record?
3. What will be the lowest level of access, ie. a unit, an individual, sections of an individual's records?
3. What does an electronic record consist of, ie how much information all the person's information, or part, etc.?"

MAY 8 (or 9), 2007

Phone call from Inta Sloman, Providence Health Care

"Good morning, it's Inta Sloman, from Providence Health Care. I am the Leader of Access, Information and Privacy. I'm calling about your latest letter and I'm just wondering if it might be better if I met with you in person and got a feel for really what your issues are and I'm just thinking it may be better to talk in person and get a sense for what exactly you are looking for and perhaps how I could help you. So, if you could call me back, my phone number is 604-806-8336, and just let me know what you think of this proposal. Otherwise I most certainly can reply to your letter in writing but my thought is it might be an idea to meet in person. So give me a call either way. Thanks, bye"

MAY 12, 2007

Letter to Into Sloman

"I have no doubt that you would like to meet in person. We would no doubt be on your turf, behind closed doors, no openness, no transparency, you could say anything and, later, deny everything.

You are stating that after more than two years of correspondence you don't have an understanding of “my issues”. If the questions “who specifically has access to personal/medical information”, “why did Ms. Schindell access my records”, are “too complex” for you, then perhaps you need a different job, one that is less “challenging”.

Also, I did not give you my phone number nor did I give you permission to call me. I know I have said this before, but now it's in writing, you and everyone in your organization will contact me only in writing."

May 18, 2007

Letter from Inta Sloman, Leader, Access, Information and Privacy.

“As per your wishes, we will only communicate in writing. However, I truly regret your rejection on my offer to meet to see whether or not we might be able to resolve your questions, issues, and concerns.

Accordingly, the following is Providence's response to the questions raised in your letter of May 8th.

With respect to your questions (one through five) the following is our response:

QUESTIONS ONE AND TWO: I have spoken to Ms. Schindell and from her recollection, she would probably have had a brief scan of your records in response to medical staff letting her know that you were expressing concerns. At an early stage in a possible complaint to come, she would have checked to see if you were an inpatient or outpatient or discharged, etc. This type of scan by Ms. Schindell occurs regularly throughout her work-day.

As a Director of Patient Relations, it is Ms. Schindell's job role to ensure that client complaints and concerns are addressed. Accordingly, she would have looked at your records as a proactive measure to a formal complaint by you.

In summary, her access to your records was done on the basis that St. Paul's takes all complaints seriously, and she was exercising due diligence with respect to her job duties. Under the law (FOIPPA), this is allowed as complaint investigation and management is a quality assurance function, which is permitted under the legislation.

QUESTION THREE: The title Patient Representative is no longer used within this organization. The Director of Patient Relations represents Providence Health Care and deals with the complaints, concerns, commendations and inquiries concerning patient care that are presented by physicians, leaders, staff, patients and families.

QUESTIONS FOUR AND FIVE: In response to these questions, I will be making enquirires and will get back to you as soon as is possible with answers.

On behalf of Providence Health Care, I would like to wish you the best.”

Comments:
I have no doubt Ms. Sloman regrets my rejection of her offer to meet. Since she refuses to answer the questions, I have no doubt that the purpose of the meeting would be to sweep this “problem” under the carpet and get rid of me. But, of course, she doesn't want that in writing, she doesn't want the general public to know. Also, lies can't be proven to have been said because they wouldn't be writing.

Again, Providence Health Care doesn't answer the question. Ms. Sloman has “conveniently” ignored several things that I had specifically pointed out. For example, she states that Ms. Schindell “...had a brief scan of “my” records...you were expressing concerns”, “at an early stage of a possible complaint to come, she would have checked”, but, as I pointed out, my records were accessed nine months after I expressed concern, after I laid a complaint. At this time, the only thing happening was that the OIPC report on this complaint was in the final stages of review.

Also, her letter states that Ms. Schindell would have accessed my records “in response to medical staff letting her know that you were expressing concerns.” I didn't talk to medical staff, other than the admitting clerk (nine months earlier) and Ms. Sachedina, who is a lawyer not medical staff.

And, why would Ms. Schindell be accessing the information when the responses were coming from Ms.Sachedina and Ms. Sloman.

Ms. Sloman states “as Director of Patient Relations, it is Ms. Schindell's job role to ensure that client complaints and concerns are addressed.” Providence Health Care refused to respond to my complaint until they were contacted by the OIPC. Again, Ms. Schindell never addressed any of my concerns; I hadn't heard of her until I read my record. And many questions are still unanswered.

Ms. Sloman also states “that St. Paul's takes all complaints seriously”. Apparently, so seriously that she doesn't even have the right hospital; my complaint was laid against Mount St. Joseph.

Also stated in her letter “complaint investigation and management is a quality assurance function”. Then I guess we are assured of low quality in our hospitals that Providence Health Care manages.

I have better things to do than meet with Providence Health Care (note that I did not say Ms. Sloman because she did not specify who or how many people would be involved) and listen to their verbal bullshit.

May 30, 2007

Letter from Ms. Sloman.

“Further to my most recent letter, I indicated that I would be providing you with further information with respect to questions four and five of your letter dated May 8, 2007.

You are requesting information (not records) so, accordingly I am providing you with two contact names who you may get in touch with to obtain the information you require.

With regard to question four – Ms. Debbie Kwan, Professional Practice Leader, Health Records Services (604-806-9288) will help.

With regard to question five – Ms. Vicki Johnson, Leader, Client Registration and Information Services, (604-806-8198) can be of assistance.”
Comments

Again, Ms. Sloman falls back on the difference between requesting information and a record. And Ms. Sloman is not concerned that people, who apparently should have left an audit trail, haven't.

As stated Dec 1, 2006, by OIPC, “Prior to April 1, 2006 ....While on the unit the paper health records required every health care provider to log each entry so the person who made the entry could be identified”. Yet, the admissions clerk, who entered information into my health record, is not identifiable.

Letter of Dec. 1, 2006 states, “When an individual visits an out-patient clinic they usually get same day treatment or treatment over a number of days without staying overnight. Out-patient clinics keep records for every visit by a patient.” And yet, apparently, no one made any record of my visit on Feb. 18, 2005.

Letter dated Jan. 22, 2007, OIPC - "As you know, the electronic patient record system includes the ability to audit access so if there was a concern an electronic trail of who had access could be viewed". Yet, the person who accessed my file to remove the illegal information is not identifiable.

June 13, 2007

Letter to Debbie Kwan, Professional Practice Leader, Health Records Services, Providence Health Care

“I was referred to you by Ms. Sloman. I received a copy of the audit of my electronic health records as at February 28, 2006. The only name showing on the audit was Ms. Schindell when she accessed my records in December of 2005. I was registered at Mount St. Joseph on February 18, 2005. Why isn't the name of the registration clerk, who would have entered my information, shown. Also, I had an outpatient procedure on February 18, 2005, at Mount St. Joseph. Was no one required to access my records at that time?

Please note that I only accept responses in writing.”

Letter to Vicki Johnson, Client Registration and Information Services, Providence Health Care

"I was referred to you by Ms. Sloman. I received a copy of the audit of my electronic health records as at February 28, 2006. The only name showing on the audit was Ms. Schindell when she accessed my records in December of 2005. But, I was registered at Mount St. Joseph on February 18, 2005. Why isn't the name of the registration clerk, who would have entered my information, shown. Also, between January 6 and 19, 2006 illegally collected information was removed from my records. Did no one have to access my records to remove the information?

Please note that I only accept responses in writing.”

Comments
You may note that I have not yet received a response from Information Technology. IMIS, Vancouver Coastal Health or Human Resources, Providence Health Care (both dated May 8, 2007), the last referrals

8. Vancouver Island Health Authority

2007-04-16T17:28:00.000-07:00

Vancouver Island Health Authority (VIHA)

November 27, 2006
I e-mailed the privacy officer;

I requested a copy of their admittance form. I also stated that
“I would like to know, in detail, who has access to anyone's records at any time. For example, if someone had been in the hospital, for whatever reason, who would have access to their records – all doctors in the province/country/world or only certain doctors and, if so, which ones; all nurses, technicians, pastors, volunteers, etc.? Do they have access to all medical information or part of it (if so, who has access to what part)? If your access is limited, how is this enforced?
I also asked “where are the records kept (under lock and key, or in an easily accessible file container); is it kept in electronic or paper form, is it ever left unattended by medical staff, what safety features protect my information (ex. firewalls if on a computer).”

November 27, 2006
I received an e-mail from Audrey Larson, Communication Assistant, VIHA, with cc's to Cathy Yaskow, Marybeth Corbeil,and Lori Bird;

“By way of this email I'll ask one of our I & P folks to reply to your query."

January 5, 2007
As no one replied to my query, I laid a complaint with the OIPC:

“Attached is a letter that I sent to the Vancouver Island Health Authority. It is over 30 days and I have not received an answer to my questions.

Please deal with this matter.”

January 11, 2007
An e-mail from Ms. Larson, with cc's to Cathy Yaskow, Marybeth Corbeil,and Lori Bird,stating that Elizabeth from the Minister of Information and Privacy's office called to follow up on this request. And that Elizabeth would be contacting Cathy or Sam.

January 12, 2007
E-mail from M.B. Corbeil:

“I am responding to your e-mail of November 27, 2007 in which you request
general information on access to health records versus a Section 5 FOI access request for your own personal health records.

As part of your e-mail you indicate you wish a copy of our "admittance form". I am unsure as to what you are referring to but I am assuming it is the form that is created electronically when first admitted to hospital. We refer to this form as a Record of Admission-Separation. We do not have "blank" copies of these forms as they are created electronically but I have been able to get printed a "mock patient" Record of Admission-Separation Form which I would be pleased to send to you but, unfortunately, you did not include your address with your e-mail.

As to the other questions you had related to access, storage, etc., if you will provide your phone number along with your address, someone from the Privacy Office will be pleased to contact you and discuss the answers to these questions with you.

Please feel free to call me at the number listed below if you wish to
discuss this e-mail with me further.”
M.B. "Sam" Corbeil
Release of Information & Privacy Administrator
Health Records, VIHA South Island
Phone: (250) 370-8549
Fax: (250) 370-8550 (RJH)
(250) 727-4114 (VGH)
E-mail: marybeth.corbeil@viha.ca

January 14, 2007
I e-mailed M.B. Corbeil;

“Re: Record of Admission - Separation Form - do you have a scanner?
Re: Access, etc., I would like the information in writing.”

Comments:
I had wanted them to e-mail me the Record of Admission and other information.
They replied that they did not have a scanner so I e-mailed my address.

January 18, 2007
Letter from M.B. Corbeil:

“I am responding to your request initially received via e-mail on November 27, 2006 for access to a copy of an “admittance form” used within the Vancouver Island Health Authority (VIHA). Unfortunately, your original e-mail did not contain your address, which you subsequently provided to me on January 16, 2007.

A copy of a mock Record of Admission-Separation form is enclosed as per your request for an 'admittance form.'

Also, as per my e-mail to you of January 12, 2007, I did indicate that someone from VIHA's Information and Privacy Office would be contacting you to discuss other general questions related to the privacy and security of your personal information. The Freedom of information & Protection of Privacy Act was established to provide access to records within the custody and control of the public body, rather than to answer questions. Accordingly, questions such as you posed in your original e-mail are typically addressed through a conversation with VIHA's Information & Privacy Office.

However, I note that in your January 16, 2007 e-mail to me you did not include your phone number as requested, just your address. In light of that, VIHA's Information & Privacy Office has requested that I ask you to please contact them directly at either (250) 370-8043 or (250) 370-8686 to discuss your questions. This will allow VIHA's Information and Privacy Office to clarify what information you are specifically seeking and respond accordingly. If you choose not to contact VIHA's Information and Privacy Office by phone, please clarify by e-mail to Ms. Lori Bird, Regional Coordinator, Information & Privacy Office at lori.bird@viha.ca what specific information you are seeking and Ms. Bird will respond back to you.

If you have any further questions related to the 'admittance form', please feel free to contact me at (250) 370-8549.

Comments:
As noted in correspondence from OIPC (Providence Health Care, Jan. 3, 2006) “Vancouver Island Health Authority, for example, is in the process of revising their registration and admitting process to ensure it conforms to FIPPA.” While I am pleased that this is finally being done, why wasn't it done 13 years ago. FIPPA came into effect in 1993.

They sent a copy of their admittance form. Concerns:
1. They have a place for religion on the form and the question is not identified as optional.
2. Application for Benefits/release of Information: I don't know why people would be required to make application under the BC Hospital Insurance Act (I assume most people are covered by MSP).
There are other questions under this section but, as long as people can stroke out what they don't agree with, I don't see a problem.

January 18, 2007
Letter from Elizabeth Darche, OIPC:

“I am writing in response to your request for a review by our office of the failure of the Vancouver Island Health Authority (“VIHA”) to respond to your request of November 27,. 2006 as outlined in your letter of January 5, 2007.

In response to your letter, I contacted Marybeth.Corbeil of the VIHA regarding the status of your request, who provided our office with a copy of their response of today's date. As VIHA has now responded to your request, it appears there is nothing further that our office might review on the matter.

You may, however, wish to request a review of the response itself. Should this be the case, such a review would be a separate matter from the WIHA's failure to respond and would require the submission of a separate request for review. As you are aware, if you wish to request a review on a decision to refuse access to all or part of a record, you must include a copy of your original request for access to information, as well as a copy of the VIHA's decision letter.

If you have any questions regarding this letter, please do not hesitate to contact me at(250)387-5629 or by calling the toll-free Enquiry BC number which is 1-800-663-7867, where an operator will transfer you free of charge."

February 18, 2007
Letter to Ms. Darch, OIPC:

“I wish a review of the response by VIHA. In their response they state that FIPPA 'was established to provide access to records, rather than to answer questions. Does this mean that I am not entitled to know who has access to my personal/medical information?

They also state that they imply that questions “such as I pose” (ie privacy) is addressed through conversation. Am I not entitled to a response in writing? I am aware of the convenience of 'conversation' in that it allows 'denial' of anything said. In other words, its not worth the air it takes for a 'conversation'.”

Comments:
In hindsight, I realize that I had missed the part in the letter (January 18) from VIHA giving me the option to e-mail (see March 1).

February 22, 2007
Letter from Ms. Darche, OIPC:

“We have received your complaint about the response that you received from the Vancouver Island Health Authority (VIHA) further to your access request under the Freedom of Information and Protection of Privacy Act (the Act).

Your complaint appears to be further to VIHA's offer to have you call and speak to the VIHA Information and Privacy Office in order to respond to the questions you raised in your November 27, 2006 email request to their office rather than provide a written response.

As previously advised by VIHA, the Freedom of Information and Protection Privacy Act was established to provide access to records within the custody and control of the public body, rather than to answer questions. Should a public body deny you access to all or part of a record your requested, our office would be able to review the matter. However, our office cannot review the failure of a public body to answer questions in response to an access request.

I would refer you to subsection 2(1)(a) of the Freedom of Information and Protection of Privacy Act (the Act) which states:
The purposes of this Act are to make public bodies more accountable to the public and to protect personal privacy by giving the public a right of access to records.
Your complaint does [not] seem to pertain to inappropriate collection, use, or disclosure of your personal information in a record under the custody or control of a public body in BC, therefore our office cannot be of assistance at this time.”

Comment
I interpret this to mean that I do not have the right to know who has access to medical records. I would not know if there has been “inappropriate” use or disclosure of “my” personal information since I am not entitled to know who has access. Presumably, as long as the hospitals do not written, detailed privacy policies and procedures (ie. records), they do not have to tell people who they give the information to. How does this make public bodies more accountable? How does this protect personal privacy?

March 2, 2007
E-mail to Lori Bird, VIHA:

“I would like to know, specifically, who has access to medical records at any time. For example, if someone had been in the hospital, for whatever reason, who would have access to their records - all doctors in the province/country/world or only certain doctors and, if so, which ones; all nurses, technicians, pastors, volunteers, etc.? Do they have access to all the medical information or part of it (if so, who has access to what part)? If your access is limited, how is this enforced?

Where are the records kept (under lock and key, or in an easily accessible file container); is it kept in electronic or paper form, is it ever left unattended by medical staff, what safety features protect medical information (ex. firewalls if on a computer)?”

March 20, 2007
Email from Ms. Bird, VIHA:

“ I am responding to your email of March 1st, requesting information regarding access to medical records, both electronically and in paper format within the Vancouver Island Health Authority (VIHA). Please be advised that this request is not covered under the Freedom of Information and Protection of Privacy Act (the Act) as you have requested information versus access to specific records. My apologies for the delay in getting a response to you.

I would like to assure you that we take the privacy of your personal information very seriously. We take measures on a daily basis to ensure that personal information is treated in a confidential manner in accordance with the Act as well as VIHA's Confidentiality Policies. VIHA has posted Notification Signage throughout our facilities stating the reasons for the collection, use and disclosure of personal information and highlight the reasons under which we may share your information.

You have asked the question of who would have access to your personal health information and if the information is kept in a secure manner.

I can assure you that not just anyone can see your health information. To ensure you receive safe and comprehensive care, relevant "need-to-know" information is shared with your referring physician, other care providers, or health care agencies and facilities who demonstrate they are directly involved in your ongoing care. Under certain circumstances, other individuals who may be acting on your behalf or have demonstrated their legal authority to have access to specific information in your record may be provided with some or all of your records. These individuals may include, but are not limited to, Personal Representatives, Committees of Person, Executors, or a lawyer acting on your behalf. Each request would be considered individually and involve the submission of proof of the proper authority to receive access to your personal health information.

You wish to know if Pastors and Volunteers would have access to your health information. If you have requested to see a Pastor, the Spiritual Care team would only have access to information that you have consented to. Additionally, VIHA volunteers do not have access to electronic or paper health records. If a volunteer is assigned to a specific individual, for example, to help feed, they would be advised verbally of the necessary "need-to-know" information in order to feed that individual in a safe manner.

You have requested information relating to electronic health records as well as actions taken to ensure that both paper and electronic records are held in a secure manner. Please find below two frequently asked questions that I believe will answer your question around security of personal information kept electronically and in paper format.

What is the electronic health record?
An electronic health record is a computerized version of the paper health record that is used to document your care over time in the same way as your paper record.
A major advantage of an electronic health record is that it allows authorized health care providers to access "need-to-know" information about you in a timely fashion to support safe and comprehensive health care. The VIHA currently uses both paper and electronic mediums to document your personal health information.
How does VIHA ensure that your personal health information contained in electronic or paper records is kept confidential?
Strict physical and electronic security protections are in place to ensure only those individuals (doctors, nurses, direct care providers) with the proper authority are accessing your record. VIHA staff are trained in confidentiality and security procedures during their orientation and have ongoing educational opportunities in confidentiality, privacy and security responsibilities. Random audits are done to ensure ongoing appropriate access to patient health records, electronically by a systems audit and through random site visits within the VIHA.

To answer your question regarding the security of paper records I offer you the following:
When a patient is discharged from hospital, staff within the Health Records Department will receive the paper record for processing prior to filing in the secure records room. Authorized Health Records staff are the only individuals' who have access to the secure file storage rooms and can retrieve a file only for those authorized to have access to the information (e.g. direct care provider). In addition, a family physician and/or a referring specialist will receive copies of any test results and discharge summaries for continuity of care purposes and in order for them to provide you with ongoing care and treatment after your discharge from hospital.

I trust that the above information has answered your questions and that no further action with regard to your file is required of this office. You may find more information by visiting our website at .
If you have any further questions regarding the above you may contact me by phone at (250) 370-8043 or via email, lori.bird@viha.ca.

Comments:
It's good that they have signage throughout their facilities. It, hopefully, makes people aware that they have rights and, hopefully, who to contact regarding questions. But signage doesn't usually state the hospitals limits on the collection of information and the reasons for sharing information can be stated so generally that it could include almost anyone.

I was pleased to hear that volunteers and pastors do not have access to patient information. This is the only health authority with this restriction, although I believe that this should be a standard policy at all hospitals.

However, VIHA does not identify who are the “other care providers”. Nor is there any reference to service providers.

Apparently, strict physical and electronic security protections are in place but they are unwilling to state what those security protections. We are just to take their assurance. Their assurances imply that I must trust them, but my trust in hospitals has been severely damaged over the last two years.

Again, there are no independent audits.

March 29, 2007
E-mail to Marybeth.Corbeil, VIHA:

“On your 'admittance form' you have identified as questions: Pastoral Care Visit (with a ? after it) and Religion. Why are these questions not identified as optional?"

April 2, 2007
Response from Marybeth.Corbeil:

“The admittance form is not a form filled out by the patient on their own. It is a form completed with the questions being asked by the admitting clerk and, therefore, the patient has the 'option' to say yes or no to this question.

I trust this addresses your concern as to why these questions are not identified as 'optional' on the form.”

Comments:
This does not address my concern. This is the same situation that led to my rights being violated by Providence Health Care. The questions were not identified as optional and so the admitting clerk demanded that I answer the questions or I would not be admitted to the hospital.

7. Vancouver Coastal Health Authority

2007-04-15T20:26:00.000-07:00

Vancouver Coastal Health Authority (VCHA)

I phoned the Vancouver General Hospital and UBC Hospital to ask for the name of their privacy officer. Not only did the hospitals not know the name of their privacy officer but they had absolutely no idea what I was talking about. Obviously, they have not had any instructions regarding the privacy legislation.

September 26, 2006

I wrote to the privacy officer at UBC Hospital and Vancouver General Hospital requesting:

1) a copy of their admittance form and
(2) I also stated that "I would like to know, in detail, who has access to anyone's records at any time. For example, if someone had been in the hospital, for whatever reason, who would have access to their records all doctors in the province/country/world or only certain doctors and, if so, which ones; all nurses, technicians, pastors, volunteers, etc.? Do they have access to all medical information or part of it (if so, who has access to what part)? If your access is limited, how is this enforced?
(3) where are the records kept (under lock and key, or in an easily accessible file container); is it kept in electronic or paper form, is it ever left unattended by medical staff, what safety features protect my information (ex. firewalls if on a computer)."
October 16, 2006

Letter from Leslie Kitchen, Sit Coordinator, Health Records, UBC Hospital (this was a form letter):

"In reply to your request for information on the above named patient, please note that the following apply: Your request has been forwarded to Traci de Pape, Vancouver Coastal Health's Freedom of Information Coordinator."

Comments:
I don't recall every being a patient at Vancouver Health but I suspect that the mail room didn't know who the privacy officer was so forwarded my letter to health records.

November 27, 2006

Two letters to OIPC, re UBC and Vancouver General Hospital. Each letter stated:

"Attached is a letter that I sent to UBC Hospital. It is over 30 days and I have not received an answer to my questions.

Please deal with this matter."

January 26, 2007

E-mail to OIPC:

I sent complaint letters to your regarding Vancouver General Hospital on
November 27, 2006. Please advise me of the status of this complaint."

January 31, 2007

Reply from OIPC

A response letter has been sent to you in the mail yesterday."

January 29, 2007

Letter dated January 29 from Barbara Haupthoff, OIPC:

"I apologize for the delay of my response. We have received your correspondence pertaining to questions you submitted to Vancouver General Hospital, to which you indicate you have not received a response. I recommend you contact Traci de Pape, the Information and Privacy Coordinator for Vancouver Coastal Health Authority (VCHA) to inquire about the status of VCHA's response to your questions."

Comments:
I can only assume that they believe that no one at the hospitals knows who she is, or what she does, or that mail isn't delivered to her.

February 16, 2007

Letter to Traci de Pape:

"On September 28, 2006 I sent letters to Vancouver General Hospital and UBC Hospital asking the same questions I am asking below. I did not receive a response so I contacted the Privacy Commissioner's Office. They suggested I contact you. Doesn't anyone at your hospitals know who the privacy coordinator is (in which case why didn't they reply stating as much) or are they instructed not to respond to any questions regarding privacy?

I would like a copy of your admittance form.

I would also like to know, in detail, who has access to anyone's records at any time. For example, if someone had been in the hospital, for whatever reason, who would have access to their records all doctors in the province/country/world or only certain doctors and, if so, which ones; all nurses, technicians, pastors, volunteers, etc? Do they have access to all the medical information or part of it (if so, who has access to what part)? If your access is limited, how is this enforced? Where are the records kept (under lock and key, or in an easily accessible file container); is it kept in electronic or paper form, is it ever left unattended by medical staff, what safety features protect my information (ex. firewalls if on a computer).

Comments:
Actually there was an error on my part. Someone did know who she was (Leslie Kitchen) and forwarded my questions to her. So, either their internal mail delivery doesn't work or she couldn't be bothered to respond until possibly contacted by the OIPC.

February 26, 2007

This letter from Suzanne Kennedy at VCH didn't reach me until about 2 weeks later:

" We write to acknowledge receipt of your request dated February 16, 2007 for information under the Freedom of Information and Protection of Privacy Act (the Act) which was received by the Vancouver Coastal Health Authority on February 20, 2007.

You have requested a copy of the Vancouver Coastal Health Authority admittance form. We assume that you are specifically requesting those forms that are used by the Vancouver General Hospital and the UBC Hospital, but would be grateful if you would please confirm that this is the case. In the meantime, we will proceed with locating the above referenced forms.

You have also requested information about who within the Vancouver Coastal Health Authority has access to patient information. In order to process this request we will require some further clarification from you. Specifically, the Act provides the public with a right to access currently existing records. Therefore, in order to respond to your request we require a request that identifies what type of records you are seeking. We assume, for example, that you are seeking copies of any policies that set out access rights to patient information. As well, it would assist us in responding to your request if you could identify more specifically which facilities and types of patient information you are concerned about.

Please contact us at your convenience to discuss the clarification requested above. Before March 13, 2007, you may contact Suzanne Kennedy, at 604-643-6470 or skennedy@davis.ca to clarify your request or to respond to any questions regarding the processing of your request. From and after that date, please contact Traci de Paper at Tel: 604-708-5338 Fax: 604-708-5330."

March 23, 2007

Letter from Ms. S. Kennedy:

"Further to my letter dated February 27, 2007 responding to your February 16, 2007 request for information under the Freedom of Information and Protection of Privacy Act, we enclose copies of the following:
1. A document entitled 'Inpatient Registration Facesheet'.
2. A document entitled 'Supplementary Application for Benefits under the Hospital Insurance Act';
3. A copy of the Vancouver Coastal Health Authority Information, Privacy & Confidentiality Policy; and
4. A copy of the Vancouver Coastal Health Authority 'Management of Information Privacy Incidents Policy

As per my earlier letter, we are having some difficulty ascertaining what other types of records you may be seeking, and are unable to process the remainder of your request without further clarification from you.

If you wish to proceed with the remainder of your request, would you kindly contact Traci de Pape, the Vancouver Coastal Health Authority Freedom of Information Coodinator. Her contact information is set out below.
Traci de Pape
Freedom of Information (FOI) Coordinator
Vancouver Coastal Health
Tel: 604-708-5338
Fax: 604-708-5330
Email: traci.depape@vch.ca"

Comments:
1. The inpatient registration asks for employment information, marital status, religion, guarantor information. None of these questions are identified as optional. Is marital status and guarantor information necessary?

I noted with amusement a paragraph at the bottom of the registration: There is a minimum find of $100.00 and/ornot less than 10 days in jail for making false statements in application for benefits, or for failing/refusing to complete such an application when required to do so by an officer of any hospital in British Columbia. And, yet, these same hospitals can demand illegal information from you with impunity.

2. I don't know what that application is about so I will have to look into it.

3. This is 8 pages and gives more detailed, useful information than the others I've read (of course, some authorities, apparently, don't even have one).
However, on page 5 it states that VCH will make available, directly to individual, specific information about its policies and practices related to the management of Personal Information. So why are they refusing to state specifically who has access to our information.
Assuring Clients that their information will be kept confidential is essential to the establishment of a trust-based relationship, which improves the quality of care because Clients will provide better and more complete information for decisions made with care providers'. It's hard to develop trust when the hospital authority refuses to provide details.
Staff should take all reasonable steps to ensure no unauthorized personnel or third parties are provided with access to records containing Personal Information. Any third party who requests access should be asked to produce identification and confirmation that they have signed an agreement in accordance with this Policy. How do they know who is authorized, or who should be authorized, if there are no detailed guidelines?
I found another paragraph interesting, Requests by researchers are to be directed to the Vancouver Coastal Health Research Institute. How much of our confidential information is being given to researchers without our knowledge, much less our consent.

4. Essentially this outlines what happens if confidential or sensitive information has been lost, stolen or mistakenly disclosed.
"2.4 Notification - The Information Privacy & Steering Committee decides whether affected individuals or organizations should be notified of a privacy incident, in order to avoid or mitigate harm to them, and how these individuals or organizations should be notified, including the Office of the Information and Privacy Commissioner.
The factors relevant to deciding it, when and to whom to provide notification include:
- the sensitivity of the information
- what harm might arise from the incident, including whether it could be used for identity theft or other harmful purposes.
- number of people affected and their relationship to VCH;
- whether the information could be easily exploited for reasons it was not intended for;
- the cause of the incident, whether or not the information was fully recovered; and
- the extent of any residual risks associated with the incident once it has been contained."
Disposal of Confidential Information: This policy generally states that Confidential Information in paper format that is not longer required for clinical or business purposes must be destroyed in a secure manner (i.e. shredding) to prevent any unauthorized retrieval and disclosure of the Confidential Information. It then talks about collection bins, security and disposal.
This policy also states re Disposal of Electronic Media: Detailed procedures for the disposal of Confidential Information can be found in the policy 'Waste Management Methods of Disposal (Confidential Material)'.

I appreciated the information that they sent. This was certainly the best information sent by the authorities. But I still don't know who, specifically, has access to personal information.

March 27, 2007

Letter Traci de Pape:

"With regard to the admittance form, yes I am referring to those used by Vancouver General Hospital and the UBC Hospital. What other health facilities do you operate?

I really don't know how much more detailed I can get from my last letter. I am not only seeking policies that set out access rights to patient information (which are usually so general it provides little information) but information that identifies exactly who has access, for example service providers, who are service providers and why would they need access to patient information; if you say employees, who do you include as employees. Surely, somewhere you must have something in writing which more clearly identifies who accesses patients information than general policies. Surely somewhere it is written which service providers, health care providers, volunteers, pastors, etc. are allowed to access patients information, under what circumstances and to what extent.

And, surely, somewhere there must policies and procedures, in reasonable detail, regarding the measures in place to protect patient information.

I am referring to all facilities and all types of patient information.

I would also like to know if you share patient information, without explicit patient consent, to research organizations."

2007-04-15T20:20:00.000-07:00

You can leave messages in the comment section of the blog. Or, for more privacy, you can contact me at searcher@imagen.ca.
If you send letters to Gordon Campbell (or others) I would appreciate a copy sent to me via e-mail so I have an idea of how many are being sent.
If you would like a copy of the petition sent to you so you can collect names from your friend, neighbours, co-workers, etc. sent a request to searcher@imagen.ca and specify if you want an 8-1/2 x 11 or 8-1/2 x 14 page.

I am just an average person, with no medical affiliation, who went to a hospital in this province. I did, however, know enough about the privacy laws to recognize that some of the questions being asked were illegal and that I was legally entitled to know why they were asking these questions. I did not know that they could not legally refuse me admittance to the hospital.

There was some (minor) confusion on my part between FOIPPA (the public body privacy act) and PIPA (the privacy act for the private sector, "including businesses, non-profits, landlords or doctors in private practice" – Guide to FOIPPA, June 2004, pg. 5). Essentially, I have been learning about FOIPPA and the actual process of trying to gain access to information as I went along.

I am a person who believes that if you don't stand up for your rights you won't have them. And the best time to stand up for your rights is when you don't need them. Although, for me, that doesn't apply in this case, because I wasn't aware my rights were being violated until I went to the hospital. I had no idea, when I started to ask questions, that it would become so time-consuming and complicated. It seemed to me, and still does, that the questions I asked were basic and should have been readily available to patients. The hospitals/authorities have danced around the questions "who has specifically has access to our personal information and how is our information protected", no doubt hoping that I would give up. I chose instead to go to the people. In hindsight, would I do this again? Yes, because again, I believe you have to stand up for your rights.

Please note that I am new to blogging so I welcome constructive suggestions (preferably with details on how to make the changes).

2007-04-15T18:46:00.000-07:00

HOSPITALS VIOLATE PRIVACY RIGHTS (This is an expanded version of the handout)

Are you aware that hospitals have the right to give your personal information (medical records, with your name, address, date of birth, SIN, etc.), to “research” organizations without your consent, but Providence Health Care refuses to give ANY information about these "research" organizations. Other people who have access to your medical records include, but are not limited to, hospital staff, pastors, volunteers, students, contractors, subcontractors, consultants, vendors, suppliers, and any individual directly or indirectly associated with the hospital. Among many other problems, identity theft becomes a concern.

Privacy is recognized as a fundamental right of every Canadian and is grounded in the Canadian Charter of Rights and Freedoms (1984).

QUESTIONS:
1. WHY ARE HOSPITALS REFUSING TO STATE, SPECIFICALLY, WHO HAS ACCESS TO MEDICAL RECORDS?? WHAT'S THE BIG SECRET??
2. WHY DO WE NOT HAVE A “RIGHT” TO KNOW WHO ACCESSES OUR MEDICAL INFORMATION??
3. WHAT INFORMATION WILL GO TO THE PROVINCIAL/NATIONAL MEDICAL DATABASE(S) AND WHO WILL HAVE ACCESS AND HOW MUCH??
4. WHY WON'T OIPC PROVIDE ANY INFORMATION ON THE NEW COMMITTEE SET UP TO LOOK INTO PRIVACY ISSUES IN THE HEALTH SECTOR? WHY SO SECRETIVE?
Some hospitals have provided information but it is so general as to be meaningless (see specifics under individual health authorities). By specifically, I mean are they computer companies, janitors, food services companies, toilet paper companies, volunteers, etc., why do they need to access medical information, how much can they access, and is access limited to certain people in the company.

GOALS:
1. To make people aware of the lack of privacy rights within the hospital/health system.
2. To encourage people to contact Gordon Campbell and demand the the FOIPPA be changed so that information may be collected, used and shared only with PATIENT CONSENT. And that we are entitled to know SPECIFICALLY to whom we are consenting to share the information and how much information we are consenting to share.
3. That the public be made aware of the provincial and national medical databases being created which will contain our medical information. We should be involved in the decision-making as to what information is included, who has access and how much information they can access. Our written consent should be required before putting any information on a provincial/national database. We should have the right to say “NO”. We should determine who accesses our information.
4. To, individually, monitor hospitals to ensure that they are sharing our confidential information only with authorized individuals; ie. when you are involved with the hospital system, watch, ask, etc.,who is accessing medical information.
5. To ensure that privacy audits are conducted by an independent organization to ensure compliance.
6. To have the hospitals remove all illegally collected information.

Definitions (I have found some of the hospitals definitions to be very deceptive):

Access: Providence Health Care and the OIPC's definition of access is “anyone who has legal access”. I consider this the equivalent of putting people's medical records on a table, at the front door, where anyone walking by could open and read the records, but then claiming that only doctors/nurses have access because the doctors/nurses are the only people who have authorization to look at the information.
Or, they state that people can access health records but are only authorized to look at specific information. Again, that's like giving someone a whole book and telling them they can only read page three. And then claiming these people only have “access” to page three.

Employee: (hospitals definition) – may include doctors, nurses, volunteers, pastors, vendors, contractors, service providers

Medical Information: (my definition) – It is used interchangeably with personal information as defined by FOIPPA. In other words, ALL the information of an individual that the hospital has access to, including your name, address, date of birth, SIN, employer, occupation, marital status, blood type, sexual orientation, religion, etc. This is essentially the same as personal information defined below.

FOIPPA (also called FIPPA): Freedom of Information and Protection Act
OIPC: Office of the Information and Privacy Commissioner

Personal Information: as defined by FOIPPA can be any recorded information about an identifiable individual (excluding contact information). Examples of personal information include but are not limited to:
- The individual's name provided with home address and/or home telephone number;
- The individual's race, national or ethnic origin, colour or religious beliefs or associations;
- The individual's age, sex, sexual orientation, marital status or family status;
- An identifying number, symbol or other particular assigned to the individual;
- The individual's fingerprints, blood type or inheritable characteristics;
- Information about the individual's health care history including a physical or mental disability;
- Information about the individual's educational, financial, criminal or employment history;
- Anyone else's opinions about the individual; and,
- The individual's personal views or opinions except if they are about someone else.

Denial of Information

Hospitals are saying that if the information isn't in writing, they don't have to provide the information (see hospital authorities). I guess this why the health authorities kept trying to discuss the matter on the phone and not in writing. I'm not sure which scenario is worse:
1. that the hospitals have the information in writing and refuse to divulge it; or
2. that people at hospitals are giving access to our confidential information without having any written procedures or guidelines as to who has access, under what circumstances, and how much access. Are these people expected to remember verbal instructions or is it completely discretionary? This would also imply that the hospital has no record of all the people who have access to our confidential information so how do they know if records have been accessed illegally? How do they audit?
And yet the hospitals/authorites assure us that they take the protection of our privacy seriously; that every precaution is taken....
There are several references to telling us “who our information will be shared with”. For example:
1. “Section 27(2)...when a public body collects personal information...must tell an individual...with whom (the information) will be shared” (see Providence Health Care).
2. “Both the Vancouver Coastal Health Authority and the Vancouver Island Health Authority post their privacy statements at admitting points so they are easily accessible to incoming patients. These privacy statements include why information is being collected, how it will be used, who it may be shared with....” (see Providence Health Care)
This is being interpreted by the hospital authorities, Ministry of Health and OIPC in the vaguest possible manner.
I find it unconscionable that the government allows the hospitals to hide behind this flawed law. I consider it a violation of people's rights, immoral, and unethical to refuse to even state specifically who has access to a person's medical information, much less require consent to share this information.

Consent

What defines consent? When we sign a hospital “admittance” form are we consenting to our information being shared by whomever the hospital decides is appropriate? I don't believe that this would be considered a legitimate contract in court when pertinent information is being withheld (ie. who we are consenting to share this information with and how much information is being shared).
Hospitals also like to say that the information will only be shared by the consent of the patient or in accordance with the law (ex. FOIPPA). The problem is that the law is so broad and vague that, depending on interpretation it could include almost anyone. Do the people, accessing our confidential information, have a legitimate reason for needing it; we don't know because we don't know who they are or why they want our information.
However, if you don't sign the “admittance” form, you won't get in the hospital; a hospital you have paid for and will continue to pay for. What a “choice”.

A friend pointed out that he was asked, by a hospital, for his consent to share information with research organizations. This is deceptive.
A hospital has the legal right to give all your information to research organizations without your consent under certain conditions, for example if the research organization can't get the necessary information any other way. A hospital can also ask for your consent which will allow them to give your information to research organizations under any other situations.

SETTING - A Trip to a Catholic Hospital Opens Pandora's Box

In February 2005 I went to Mount St. Joseph's Hospital and I was asked questions that I believed to be illegal. When I protested I was told that if I did not answer all the questions that I would not be allowed in the hospital for tests (which I later found out was illegal). They also refused to explain why they wanted the information (also illegal) except to say, regarding the religion question, that they are a faith-based hospital (what happened to separation of church and state). Mount St. Joseph's Hospital is run by Providence Health Care, a catholic organization, which runs St. Paul's, etc.. During this time I was suppose to go for a procedure but I refused until the hospitals were in conformance with the law, plus I did not feel comfortable going to medical facilities that I was having investigated and who were contesting that investigation, and I was told that I would probably be asked the same questions. Also, I was assured by the Privacy Commissioner's Office that it would not take long to resolve the problem. It took almost a year but Mount St. Joseph was found to be in violation of the FOIPPA in several ways and suppose to make changes as of January 2006.
Providence Health Care was also asked, in 2005, who had access to my hospital records and I asked for this information in detail. They gave a very general answer. In January 2006, I discovered their answer was “incomplete” and “in error”. I again asked the question and insisted on a detailed answer. They refused to answer the question, again violating the privacy act (they are required to answer the question within 30 days). This has been done in the name of the Catholic religion and Catholic god (so you can imagine what I now think of them). It has taken almost a year for the Privacy Commissioner's Office to respond to this question. This is still ongoing.

I wrote to the other hospital authorities. Some hospitals provided answers so general as to be useless and others refused to answer at all. I have had to lay a complaint against every hospital authority in the province. These hospital authorities are doing everything they can to avoid answering the question “ Who has access to patients confidential information”. The health authorities are now claiming that they don't have to tell us who has access to our information.

The hospitals are operated by different organizations. So, they have different forms, procedures, etc. I understand the change required at Mount St. Joseph's does not apply to other facilities run by Providence Health Care since I have not lodged a complaint against them. Other health authorities have "problems" with privacy but OIPC won't do anything. I understand it's because I haven't actually gone to these hospitals, sick and vulnerable, and had my rights violated.

British Columbia's Freedom of Information and Protection of Privacy Act (FOIPPA) came into effect as of October 4, 1993. So, the hospitals have had years to comply with the privacy legislation. The government has had years to enforce compliance. Why does this government not ensure that the hospitals are in conformance with laws before giving them our money? Why do they not perform independent privacy audits and make them public (hospitals audit themselves, so why can't we do our own tax audits)? Why do they not have one set of forms/rules for all hospitals (see One Committee/Cost)? And this is the same government who, when they hired their U.S. company Maximus, assured us that our privacy was protected. Why doesn't FOIPPA address the concept of “consent”?

The government has set up a provincial database so information can be shared provincially, with plans to go national. The database is expected to be in effect soon. There are a lot of privacy concerns. For example, the Province has not specified who will be able to access your personal health information, has not specified that eHealth will keep your personal health information private from third parties and used a US-based multi-national to develop the systems. This information, opt out forms, and more can be found at www.bcoptout.ca, and www.fipa.bc.ca.
Also, the government has obviously not bothered to determine if the information has been legally collected and protected. I understand that the general public has not been consulted regarding this legislation. Apparently, the decisions regarding what gets included in the database and who has access is being decided out of public view. I recommend you contact Gordon Campbell and demand the public be informed and consulted. And, we have a right to hear all views to make an informed decision. We must ensure that information may be collected, used and shared only with PATIENT CONSENT. We must ensure that we know SPECIFICALLY to whom we are consenting to share the information. We must ensure that we have the right to "opt out" of having our information in this database.
The BC Medical Association opposes the concept of a single provincial data repository where identifiable patient information generated in physicians’ offices would be stored and, potentially, accessed by third parties such as Health Authorities, governments, and external agencies. (BCMA – Clinical Data Repositories, Sept. 2004)
The Office of the Privacy Commissioner of Canada, in response to the Romanow Commission report Building on Values: The Future of Health Care in Canada (2002), stated that having all health information including doctor and hospital visits, prescription, and lab tests in a central repository would significantly undermine privacy rights. (BCMA – Clinical Data Repositories, Sept. 2004).
I understand that a private clinic is now being allowed to operate in B.C. Will this clinic, plus the private diagnostic clinics, etc. have access to your confidential information in this database.
And this is the tip of the iceberg. Michael Vonn of the BC Civil Liberties Association has stated "the plan is ultimately for a Pan-Canadian e-health record system... This is a massive information-sharing project meant to encompass the entirety of social services in British Columbia and to link information about us from the Ministries of Employment and Income Assistance, Children and Family Development, Health, Education, Justice and the private sector contractors for all of the above. The government has already issued an RFP, (a Request for Proposals) for this project."

It is interesting that it says in the OIPC's Role and Mandate (www.oipbc.org)(page 2) that “It is a central tenet of democracy that public institutions are accountable to the citizens they serve, and accountability cannot survive in the absence of transparency”. It also says, on page 3, “People who have no rights of privacy are vulnerable to limitless intrusions by government, corporations, and anyone who choses to interfere in your personal affairs”.
A lawyer said to me that people are more concerned about the protection of their medical records than anything else, including financial information. A medical person told me that they believe that the loss of information from hospitals is not a leak but a flood and I now believe this. Changes have to be made to ensure that our privacy is protected and in such a way that we can easily see that it is protected.
When a person goes to the hospital they are at their most vulnerable. They should not have to deal with their rights being violated. And they should not have to make a choice between medical care and their rights (which I believe is a violation of the Health Act). And they should have the right to consent to who has access to their information.

The hospitals can violate people's privacy almost with impunity. When they make a report on a complaint in which the public body has violated privacy rights, the OIPC makes “recommendations”. The Guide to FOIPPA (pg. 14) states that: “If the Portfolio Officer finds that a public body has violated your privacy rights, the Commissioner may require the public body to change the way it collects, uses, discloses or secures your personal information.” To the best of my knowledge, FOIPPA does not provide the OIPC with the legal tools to force a public body to comply. The Privacy Commissioner's Office also has no authority to impose penalties for any violations by a public body.

And imagine what will happen to your confidential information if (or is it when) the system is privatized.

FOIPPA – Some Important Points

- Section 27(2) of FIPPA states that when a public body collects personal information from an individual they must tell the individual why the information is being collected and what it will be used for and with whom it will be shared. They must also inform the individual under what authority they are collecting the information. Finally, they must also provide the contact information for an officer of the public body who can answer the individual's questions about privacy and access. You stated that the admitting (OIPC, Providence Health Care, Jan. 3, 2006)
- The public body must determine the minimum amount of personal information needed to administer a program during the design of forms, questionnaires or other collection instruments. (FOIPPA – Policy and Procedures Manual – Section 26)
- The public body must have a demonstrable need for the information such that the operating program or activity would not be viable without it. (Section 26)

One Committee/Cost

From the OIPC regarding Providence Health Care:
– Oct. 26, 2005 - “Unfortunately, it has not been a simple process to determine what information must be collected and what information is voluntarily collected during a hospital admitting process. A survey of BC hospitals reveals every admitting form is different and there does not appear to be one person or government department who is able to say what has to be on the admitting form and what does not have to be on it. I have submitted a list of questions to a newly formed committee that is looking at privacy issues in the health care field and I am now awaiting their response before I finish my report.
– July 26, 2005 - "According to Ms. Sachedina the forms are designed by individual hospitals with input from the Health Authority and the Ministry of Health Services. In addition, a hospital Forms Committee reviews all the forms used in the hospital including the admitting form. Ms. Sachedina expects that as time goes on the forms will be more uniform across the province.” The hospitals are operated by different organizations. As noted, each hospital (not just each health authority) has different forms, procedures, rules, etc. I understand the change required at Mount St. Joseph's does not apply to other facilities run by Providence Health Care since I have not lodged a complaint against them. To deal with each hospital/clinic/authority costs the taxpayers, the expenses of the OIPC and the hospital/clinic/authority, and my time and expenses (no cost to taxpayers), to try to bring the hospitals, etc. into conformance with the law. Where is the effectiveness and efficiency, and the justice, in this? So take each form, etc. x the cost x the number of hospitals/health clinics and you can see where our money is going. Why not have one committee, for all hospitals/health clinic, who designs the forms, policies and procedures etc. and distributes them to each health entity. Then this committee could ensure that the forms, etc. are in compliance with the laws and when there is a change only one form, procedure, etc. has to be changed and distributed. Then again, if the system is privatized, it is unlikely that the individual owners will want to conform to the decisions of one committee.

HOSPITALS RESPONSES – (OR NOT)

I have entered almost everything from the communication between myself, the hospital/health authorities, OIPC, etc.. I have left out information that I considered trivial (ex. thank you for your letter of...)., or redundant (ex. a summation of previous correspondence). I have included names, and in some cases, contact numbers so that you can write and have information verified if you chose, or pursue your own privacy issues. Some people may feel there is too much information and may choose to skim, but others will find it very helpful in gaining some understanding of how the hospitals operate in terms of your personal information, and the process I had to go through to get what information I got, and I am sure you will sense, and hopefully understand, my increasing anger at the information not disclosed. Most importantly, by providing the correspondence almost in their entirety, you will be able to form your own opinions and questions. I have made my own comments, which you may, or may not, agree with. You must read the information from the hospitals/authorities very carefully. Sometimes it may sound good, until you think about it. Also, the dates identified are the dates on the correspondence, not the dates received, and anything in italics are quotes.

I continue to be amazed and more than curious, at the hospitals refusal to provide the information I have requested. The questions that I have asked the hospitals/health authorities, I consider to be very basic to privacy; ie. who has access and how is the information protected. I believe this information should be posted at the hospital and on their website. I am of the belief that people have the right to know this information. This is a patient's personal/confidential information and in many cases, if the information is improperly disclosed, it could have severe and wide-ranging negative impacts on that person. And, if the hospitals have a good handle on protecting our privacy, then this information should be at their fingertips.

I question many times why volunteers and pastors have access to patient information contained in the database. I do recognize that the majority of volunteers and pastors are honest, ethical people. However, the reality is, that if an insurance company, lawyer, irate family member, neighbour, employer, etc. wants to know you medical situation all they have to do is have someone volunteer (or start a new religion or pretend to be a pastor for an existing religion). That person, if assigned to your floor, at a hospital run by a health authority such as Providence, has access to the database containing all your confidential information. Some people would not want their pastor to know all their business and I take great offense at pastors who think they have a right to access hospital databases.

IF YOU ARE CONCERNED AND CARE, CONTACT GORDON CAMPBELL
E-mail – premier@gov.bc.ca
Phone – 250-387-1715
or 604-660-2421 and they will put you through to his office toll-free
TDD – 604-775-0303

Elsewhere in B.C.:
Phone – 1-800-663-7867
TDD – 1-800-661-8773

Mailing Address: PO Box 9041
STN PROV GOVT
Victoria, BC
V8W 9E1

5. Fraser Health Authority

2007-04-15T16:40:00.000-07:00

Fraser Health Authority (FHA)

I had phoned Burnaby General and Royal Columbia hospitals and asked for the name of their privacy officer. Personnel at both hospitals not only didn't know the name of their privacy officer, they had no idea what I was talking about.

September 28, 2006

I sent letters to Burnaby General Hospital and Royal Columbia requesting:
(1) a copy of their admittance form and
(2) I also stated that “I would like to know, in detail, who has access to anyone's records at any time. For example, if someone had been in the hospital, for whatever reason, who would have access to their records – all doctors in the province/country/world or only certain doctors and, if so, which ones; all nurses, technicians, pastors, volunteers, etc.? Do they have access to all medical information or part of it (if so, who has access to what part)? If your access is limited, how is this enforced?”

I also asked “where are the records kept (under lock and key, or in an easily accessible file container); is it kept in electronic or paper form, is it ever left unattended by medical staff, what safety features protect my information (ex. firewalls if on a computer). Under the privacy act I am entitled to a reply within 30 days.”

October 11, 2006

A response was sent from the Health Records Department:
Question 1: No answer

Question 2: Answer; - “I would like to confirm that our records are kept under lock and key. Access into the the chart file room is limited to the Health Records Department staff only.”

Included with the reply was a copy of the Fraser Health Authority “informative” brochure on Confidentiality. It includes two paragraphs on access and security, as follows: “How are electronic health records kept secure? In the Fraser Health Authority, we are able to audit who has accessed a patient, client or resident electronic health record and to assess whether the access was appropriate or not. Also, anyone accessing the electronic health record needs to have an authorized user name and password. In addition, different levels of access are given to staff members depending on the nature of their work.

How does the Fraser Health Authority ensure that patient/client/resident information is kept confidential? Fraser Health Authority staff are trained in confidentiality and security procedures during orientation and annually thereafter. New staff members sign a pledge of confidentiality when they are hired. As well, random audits are done to ensure that there is no inappropriate access to patient, resident, and client health records”.

Comments:
Problems: - It does not say exactly who accesses health records, ie. volunteers, pastors, vendors, researchers, etc.;
- They do not define “staff”.
- It does not explain the different levels of access, ie who has access at each level, how much information is available at each level;
- they audit themselves;
- it does not explain what happens if confidential information has been “inappropriately” accessed. For example, how do you discipline pastors or volunteers. Again, the information is so general as to be almost useless.
- The “informative” brochure also stated: “Who do I contact if I have any questions or concerns? For more information about accessing your personal information contact: xxxxxx (name stroked out), the Fraser Health Authority Privacy Coordinator, at 604-520-4250”.
Problem 1 – there was no address to write them.
Problem 2 – When I tried to phone I got the switchboard at Royal Columbia, who had no idea who the number belonged to, but when she tried to engage the number she got a “funny” ring (one she had never heard before) and told me that I would not be able to get through to this number.
Problem 3 – the brochure front page states: CONFIDENTIALITY, Trust, Respect, Privacy, Security. I have not gotten a sense of any of those qualities from FHA.

October 16. 2006

I wrote back to the Record Department with a number of questions. The unanswered questions are:
- “Why wasn't I given the person's name who wrote the letter. The signature, obviously intentionally, is illegible?
- Why was the letter to the Privacy Officer directed to you?
- I would like to know who has accessed my health records, if this information does not automatically come with a copy of my health records.
- Since this is my health record, what 3rd party information could possibly be on my record that would need to be removed (before it could be sent to me)?
- As stated, most health records are made up of paper. Are all paper records converted to electronic format and then destroyed? If not, how/where are the paper records kept and how are they kept secure? In essence, I had asked for a detailed reply on who has access to anyone's records at any time and got a very general reply. I would like a detailed reply. For example, do clergy and volunteers have access to personal information? How is this dealt with?"

November 7, 2006

I received a letter from Seana Hamilton, Manager, Information Privacy, Fraser Health. She states:

“Fraser Health does not have an admissions form. The reason for this is that upon registration, information is entered directly into our electronic health record. We are directed by FOIPPA to provide notification of our authority to collect personal information and so at the point of registration with our patient/resident/client notification poster. I have included a copy of this poster for your information and reference.

Within Fraser Health, access to the electronic and paper health records is provided on a “Need to Know” basis. Basically, access is granted as authorized by a department manager in order for an employee to perform his or her duties in a position with Fraser Health. Acess is limited to only what each employee requires to perform his or her duties within Fraser Health. Access to our electronic health records is also audited regularly by my office.

Disclosure of personal information within and outside of Fraser Health occurs only as outlined by FOIPPA.

In terms of security of personal information (both paper and electronic records), I can assure you that Fraser Health is in compliance with established industry best practices and is in compliance with Section 30 of FOIPPA to “ensure the personal information in its custody and control is secure from unauthorized access, use and disclosure”. Fraser Health ensures Privacy Impact Assessments are done on any new initiatives, projects, and system implementations.

I am sending you a copy of two Fraser Health policies that address confidentiality and security of personal information and electronic communications."

Comments:
Fraser Health may not have an “admissions form” but they could provide a list of admission questions, if them chose, as other authorities have done. The fact that they refuse to let people know what questions will be asked until they are at the hospital, sick and vulnerable, appalls me.
As I had been to Burnaby General Hospital several years ago, I requested a copy of my record. It should be noted that I did not find any questions that I would consider illegal on my record. However, I do not know what questions Royal Columbia asks. Although, Ms. Hamilton implies the admission “form” is the same for both.

Poster

A NOTICE TO OUR PATIENTS/RESIDENTS/CLIENTS ABOUT THE COLLECTION, USE AND DISCLOSURE OF PERSONAL INFORMATION

While you are receiving care within Fraser Health (FH), staff and physicians will collect personal information from you. To aid in your care, there may be some cases where you family or friends may be able to provide information, or we may obtain a copy of your health record from other health care organizations. We also obtain information from external sources for diagnostic results and medication information.

We collect personal information under the authority of the Hospital Act and the Health Authorities Act, in addition to other legislation, including, but not limited to, the Health Care (Consent) and Care Facility (Admission) Act, the Hospital Insurance Act, the Continuing Care Act, the Health Act, and the Mental Health Act.

We are committed to ensuring that your personal information is treated in a confidential manner according to the BC Freedom of Information and Protection of Privacy Act (FOIPPA).

The information collected is used in providing you with care and services and for determining your eligibility for services and benefits.

We will only share information for the purposes of:
- Your ongoing care
- Maintaining contact with you to assist us in continually improving the quality of our care and services
- Education and research with consent or as authorized under FOIPPA and;
- As prescribed by law, including FOIPPA

Comments:

The poster was, again, so general as to be virtually meaningless. For example, it lists the authorities under which they have the right to collect personal information, including FOIPPA. However, that does not mean that they can collect all personal information, as noted by other hospitals found to be collecting personal information illegally (see Providence Health Care). Public bodies must "Determine the minimum amount of personal information needed to administer a program during the design of forms, questionnaires or other collection instruments." (FOIPPA – Policy and Procedures Manual – Section 26). After reading this poster, can you tell me who, specifically, has access to patient's information?

Also, according to FOIPPA "a public body must tell you the purpose for collecting your personal information and give you the business title, address and telephone number of one of its officers or employees who can answer your questions about the collection.” (Guide to FOIPPA, June 2004, pg. 12). I don't see an address or telephone number. Plus, it does not point out that you are entitled to ask why certain information is requested, ex. religion, occupation, etc. so you can determine if the information is necessary for your care.

Fraser Health Authority did send two policies (so at least they have some). The one regarding “Electronic Communications” referred to e-mails, fax, internet, telephone, etc. and essentially says that they must only be used for business purposes; “FHA internal information should not be place in any location, on machines connected to FHA internal networks or on the Internet, unless the persons who have access to that location have a legitimate need-to-know” (page 2).

The second policy “Confidentiality and Security of Personal Information” states that “the information belongs to the person about whom the information is recorded”. It's just too bad that we don't have control over, or even knowledge of, who accesses, our information.
It also states that “Should an investigation determine that a breach of confidentiality has occurred, the employee, volunteer, student or physician will be subject to discipline, up to and including termination of employment or privileges”. How do you discipline a volunteer other than terminating their privilege to volunteer which is no loss at all.

While I commend FHA for at least sending information, the information provided is still too general to answer my questions. And, again, apparently I am not entitled to know who has access to my personal information, how well it is protected, or who has accessed it.

The policy also states: “Fraser Health Authority employees (this term includes volunteers and service providers) have an obligation to report any unauthorized disclosures or demands for disclosure from outside of Canada, including subpoenas, warrants, or court orders, to the Fraser Health Authority's Information Privacy Office”. The problem, as noted before, is that no one seems to know what a privacy officer is, much less who they are.

Ms. Hamilton is long on assurances and very short on facts, which always makes me suspicious. If they are so confident that they are doing everything correctly why are they afraid to provide supporting information.

November 24, 2006

A letter from Ms. Hamilton:

“I am writing in response to your letter dated October 16, 2006. I believe some of the questions you posed were addressed in a previous response (November 7,2006). As per your request, my office has conducted an audit on your electronic health record at Fraser Health and there has been no unauthorized access to your records.

Within Fraser Health, access to all personal health information is granted on a “need to know” basis. This means access is restricted only to those who require the information in order to perform their job duties. Our notification poster (sent to you in my previous correspondence) clearly outlines our duties under BC's Freedom of Information and Protection of Privacy Act (FOIPPA).

Our duties in regard to protecting privacy of a third party are outlined in FOIPPA. If you have concerns about a request processed by Fraser Health in regard to third party information, please indicate in writing what this concern is and I will be pleased to address it with you”

Comments:
Problems:
1. I did not ask if there had been unauthorized access of my records. I had asked who had accessed my records.
2. Again they refuse to answer “who specifically has access to records”. I did not think the poster clearly outlined their duties.
3. Would I be informed if Fraser Health has processed a request by a third party, for my personal information?

November 27, 2006
I filed a complaint with the OIPC as my questions were not being answered.

January 29, 2007

Letter from OIPC:

“As for your letter to Burnaby Hospital, the time limit set out in section 7 of Freedom of Information and Protection of Privacy Act (the Act) applies to requests for records. The Fraser Health Authority has provided a November 10, 2006 response to your inquiry letter providing contact information should you wish to request access to existing records.
As you are aware the Freedom of Information and Protection of Privacy Act (the Act) applies to all records in the custody or under the control of the public body. A record, as defined in Schedule 1, includes books, documents, maps, drawings, photographs, letters, vouchers, papers and any other things on which information is recorded or stored by graphic, electronic, mechanical or other means.” After reading your letter to the hospital, it is clear that you have asked questions regarding specific issues and that you expected the hospital to provide a written response to those questions.

Our office would be able to review a public body's decision to deny you access to all or part of a record you requested, for example. This office does not have authority to review the failure of a public body to answer questions about its operations. I note you have indicated to me that you have raised similar questions with Royal Columbia Hospital, which you have also correctly identified as part of the Fraser Health Authority. If you wish to pursue answers to questions regarding the obligations of the Fraser Health Authority under the FOIPP Act, I recommend you contact the Seana Lee Hamilton, Central City, 100 – 13450 102nd Avenue, Surrey, BC, V3T 5X3.

Comments:
This became a standard response from OIPC. I'm not sure which is scarier. A hospital authority with privacy information it refuses to divulge or a hospital authority which has no policies or procedures which identifies who specifically has access to patient information, under what circumstances, how this is protected and enforced, etc.

February 18, 2007

I tried again, sending a letter to Seana Hamilton:

“I would like a list of who exactly has access to personal/medical information. For instance, pastors, volunteers, service providers, care givers etc. Who exactly are service providers and care givers and why would they have access to this information? Under what circumstances would researchers be allowed access to personal/medical information? How much information do these people have access to; for example, do volunteers have access to all your personal/medical information or only part and, if so, what part and how is this monitored?

If there is a breach of confidentiality, do you advise the patient? What sort of discipline would a volunteer or service provider be subject to?

Is service provider the same as third party? If not, what third parties would have access to personal/medical information and why?”

March 19, 2007

A letter from Seana Hamilton:

“I am writing in response to your letter dated February 18, 2007. As per guidelines set out in BC's Freedom of Information and Protection of Privacy Act (FIPPA), I am responding within 30 days of the receipt of the request.

Within Fraser Health, access to all personal information is granted on a “need to know” basis. For instance, the registration clerks have limited access to personal information to perform their job duties of registering patients. The service and care providers have limited access to personal information to be able to provide care to the patients they are treating. The Volunteers do not have access to personal information unless they are directly involved in the patient's care. All access to personal information is audited by the Fraser Health Information Privacy Office. Physicians, nurses, clinicians, laboratory staff and etc. are categorized under service and care providers.

Section 35 of FIPPA permits research to be conducted within a public body. All researchers are required to be approved through the Fraser Health Director of Research. My office has confirmed that there has been no research conducted on your records.

When a privacy breach occurs, the patients/residents/clients whose information is breached are notified as per Fraser Health Managing Privacy Breaches Policy and OIPC guidelines. When notification occurs, a letter is sent to the affected patients/residents/clients informing them of the breach. As per the Fraser Health Confidentiality and Security of Personal Information Policy, any unauthorized access to personal information can result up to and including termination of employment.

FIPPA defines Service Provider as “a person retained under a contract to perform services for a public body.” A third party is defined as “in relation to a request for access to a record or for correction of personal information, means any person, group of persons or organizations other than the person who made the request or a public body.”. FIPPA defines Personal Information as “recorded information about an identifiable individual other than contact information."

Fraser Health would not release personal information to third parties unless it is for consistent purpose (such as another hospital or doctor's office treating the patient), as directed by an enactment of BC or Canada (such as Ministry of Family and Children Act, Coroners Act, a court order/search warrant) or with patient consent."

Comments:
Again, it a case of what they are not saying that poses the problem. Problem:
1. “limited information” is a relative term. How limited is limited. Again they do not state specifically how much information can be accessed and by whom.
If volunteers are directly involved with patient care, how much information do they have access to. They are not doctors so surely they would not be entitled to access all of a patient's information.
2. Service and care providers. Physicians, nurses, clinicians, laboratory staff seem logical (although I would have considered them staff) but the “etc.” is interesting. They didn't mention pastors or volunteers. Later they state that a service provider is anyone under contract to perform services for a public body. So again, they have avoided being specific. So, painters, janitors, building cleaners, “ect.” would be service providers. Which service providers have a “need to know” and how much do they “need to know” is again not being answered.
3. Paragraph 4 sounded good at first. I interpreted it as saying that patients would be automatically notified if their privacy was breached until I realized that it said “per FH policy and OIPC guidelines”. Now I have to find out what the guidelines state.
4. paragraph 4 - “any unauthorized access to personal information can result up to and including termination of employment”. The question, of course, was “what sort of discipline would a volunteer or service provider be subject to”. I don't consider “terminating” a volunteer to be a deterrence or punishment.

March 26, 2007

Letter to Seana Hamilton:

“You still refuse to directly answer the question who exactly has access to personal/medical information and how much information do they have access to.
You stated: 'If you have concerns about a request processed by Fraser Health in regard to third party information, please indicate in writing what this concern is and I will be pleased ot address it with you'. If Fraser Health processed a request by a third party for my personal information, would I be informed?

Why isn't contact information considered to be confidential?

I would like a copy of your “Fraser Health Managing Privacy Breaches Policy.”

Comments:
Waiting for a response.

6. Interior Health Authority

2007-04-15T15:51:00.000-07:00

Interior Health Authority (IHA)

November 27, 2006
E-mail to the Interior Health Authority, requesting:

(1) a copy of their admittance form and
(2) I also stated that “I would like to know, in detail, who has access to anyone's records at any time. For example, if someone had been in the hospital, for whatever reason, who would have access to their records – all doctors in the province/country/world or only certain doctors and, if so, which ones; all nurses, technicians, pastors, volunteers, etc.? Do they have access to all medical information or part of it (if so, who has access to what part)? If your access is limited, how is this enforced?”
(3) “where are the records kept (under lock and key, or in an easily accessible file container); is it kept in electronic or paper form, is it ever left unattended by medical staff, what safety features protect my information (ex. firewalls if on a computer).”

November 28, 2006
E-mail from IHA, Jane Larocque:

“Our office received your email dated Monday, November 27, 2006 requesting an admittance form and patient record security procedures.

Some clarification is needed before we can proceed with your request, can you please provide a daytime phone number so that we may begin the process of providing you with the required information as quickly as possible.”

November 28, 2006
E-mail to Ms. Larocque:

“I prefer to do things in writing. So, if you have any questions, just e-mail them to me.”

November 30, 2006

E-mail from Patty Skultety, Leader, Risk Management, ERP, Policy Development, Performance Management:

“My assistant Jane Larocque e-mailed you on Monday November 27, 2006 to request a contact phone number so that I might clarify your request. On Tuesday November 28, 2006 you responded that you preferred me to e-mail my questions.

Under Section 5 of the FOIPPA the 30 day time limit to respond does not commence until I am certain that I understand the information you are requesting.

At this time I am not certain that I understand your request so I am unable to provide a date by which you can expect a response. The following are my questions and comments with regard to your request.
1. 'I would like a copy of your admittance form'. Can you please clarify what you mean by our 'admittance form'.
2. The remainder of your request involves general questions pertaining for the most part to our practices around privacy and security of health records. Section 3(1) of the Act (Scope of the Act) states: “this Act applies to all records in the custody or under the control of a public body...” As you have not asked for a specifc record under the Act the Public Body is not obliged to respond to this particular request. However it seems you may be interested in how we protect the confidentiality of our health records. I would suggest therefore that you may be interested in receiving our Policy on Privacy and Management of Confidential Information. Please let me know if this would satisfy your request.

I would like to stress that in order to adequately respond and facilitate your request it would be beneficial to communicate over the phone.”

December 1, 2006
My e-mail to Ms. Skultety:

“Admittance form – it identifies the questions asked when one enters the hospital, ex. name, address, etc.

I am asking about medical records. No, your Policy on Privacy and Management of Confidential Information would be too general. I am looking for more detailed information. For example, who has ACCESS to medical records – all doctors or only doctors assigned to an individual's care, all nurses or just nurses assigned to an individual's care, ministers..., volunteers..., pharmacists, technicians, etc. How much information can they access, for example ministers – do they have access to only your name and religion or more information.
How are medical records protected so that no one but those authorized can access your records. For example, are paper records kept under lock and key and how do authorized people access your information, same with electronic records.”

December 12, 2006
Letter from Ms. SkultetY:

“Interior Health received your request for access to information under the Freedom of Information and Protection of Privacy Act (the Act) on November 27th, 2006. Specifically, you have requested:”
They repeated my questions.

“We understand from your e-mail dated December 1st, 2006 you clarified your request to mean you have requested a copy of the Interior Health Admittance Form and that you do not require a copy of our Policy on Privacy and Management of Confidential Information. As the information requested in 2 and 3 above are not contained in any specific record in the custody of Interior Health under section 3(1) of the Act we will not be supplying any records.

We will make every effort to provide the information available to you under the Act as quickly as possible. The Act allows 30 working days to respond to your request, therefore unless we notify you otherwise, we will respond no later than January 17th, 2007.”

Comments:
Included was a copy of Section 3(1).

Finally, some honesty. I'm not happy that hospitals don't have detailed policies and procedures on who has access to patient information and how it is protected (which was being implied by other hospitals), but I do appreciate them being upfront about it.

However, it certainly concerns me that if a hospital has no written policies and procedures on who accesses confidential records, or protection of same records, I am not entitled to a reply. This implies that I do not have a right to know who accesses my personal/medical information or that they do not have adequate protection (if any). This situation seems to apply to all hospitals.

January 2, 2007
Letter from Ms. Skultety, Leader, Risk Management, Emergency/Disaster Management, Policy Development/FOI:

“I am responding to your request of November 27th, 2006, for access to information under the Freedom of Information and Protection of Privacy Act (the Act).

We are unable to provide you with:-
repeated questions 2 and 3
as there is no record in existence that outlines the answers to your questions.

Enclosed please find the other requested record.
A copy of the Interior Health Admittance Form. As this is an electronic processing form and not available in hard document format we have provided you with actual “screen shots” of the document.

If you have any further questions or concerns regarding your request, please contact me at (250)549-5731.

Under Section 52 of the Act, you may ask the Information and Privacy Commissioner to review Interior Health's response to your request. You have 30 days from receipt of this notice to reqest a review by writing to the Office of the Information and Privacy Commissioner. The procedure is outlined on the attached page.

Comments:
I appreciated the fact the they put together a form for me but I believe some questions violate FOIPPA. For example, they ask for insurance number, mother's name, employer's name and address, occupation, employment status, marital status. religion. Some of these questions have already been determined by the OIPC to be in violation of privacy rights.
Ms. Skultety also provided some additional information on my rights which was appreciated.

January 5, 2007
E-mail to Ms. Skultety:

“I will take a copy of your Policy on Privacy and Management of Confidential Information, although I suspect it does not offer the detail I want.”

January 8, 2007
E-mail from Ms. Skultety:

“In response to your emailed request dated Friday, January 5th, 2007 please find attached a copy of the Interior Health Policy AR0400-Privacy and Management of Confidential Information.”

Comments:
The policy and procedures consist of two pages, 25% of which lists sources. Needless to say, the information is very general and vague . For example, one paragraph says “Interior Health considers intentional viewing of Confidential Information that is not required to carry out work-related responsibilities or misuse of Confidential Information to be a breach of access rights/confidentiality”. In other words, people have access to confidential information not required to perform their work.

January 18, 2007
Letter to the OIPC:

“Attached is correspondence from the Interior Health.
Parts of the Interior Health Admittance form is obviously in violation of the Privacy Act. I would like to know exactly why they are asking these questions and, then, I would like you to assess which parts are violating the Privacy Act and have it corrected.

The Interior Health has refused to provide the information on who has access to personal information (which includes all information on a patient), and what steps are taken to protect a patient's confidential information. This is a violation of the Privacy Act and I would like it corrected.

I did request a copy of their Policy on Privacy and Management of Confidential Information. But since they admitted having no detailed information, it obviously will be insufficent to answer my questions.”

Comments:
Although Ms. Skultety, especially in hindsight, had been upfront, I decided to refer the matter to the OIPC to determine if this was correct, that I was not entitled to an answer. Also the admittance form appeared to have a number of violations so I believed it would save time to let the OIPC and Interior Health work to resolve this.

February 12, 2007
Letter from OIPC (Morag Ross):

“As you are aware the Freedom of Information and Protection of Privacy Act (the Act) applies to all records in the custody or under the control of the public body. A record, as defined in Schedule 1, includes “books, documents, maps, drawings, photographs, letters, vouchers, papers and any other things on which information is recorded or stored by graphic, electronic, mechanical or other means. After reading your e-mail to the Interior Health Authority, it is clear that you have asked questions regarding specific issues and that you expected the Interior Health Authority to provide a written response to those questions.
“Our office would be able to review a public body's decision to deny you access to all or part of a record you requested, for example. This office does not have authority to review the failure of a public body to answer questions about its operations.”

Comments:
This was the first time I received this response. It became a standard.

February 18, 2007
Letter to Ms. Ross:

“So you are saying that if the hospital has no records on protecting privacy, no records on who accesses confidential records and procedures, I am not entitled to a reply. This implies that I do not have a right to know who accesses my personal/medical information. Is this correct?

Also, I sent a copy of their admittance form which you did not address. I believe that parts of this are in violation of the law, for example it shows Pt. occup which I assume means patient's occupation, etc.”

Comments:
I am waiting for a response.

2007-04-15T13:01:00.000-07:00

I am new to blogging. So, I welcome any suggestions on layout and formatting, but please include "how to" instructions.