Fraser Health Authority (FHA)
I had phoned Burnaby General and Royal Columbia hospitals and asked for the name of their privacy officer. Personnel at both hospitals not only didn't know the name of their privacy officer, they had no idea what I was talking about.
September 28, 2006
I sent letters to Burnaby General Hospital and Royal Columbia requesting:
(1) a copy of their admittance form and
(2) I also stated that “I would like to know, in detail, who has access to anyone's records at any time. For example, if someone had been in the hospital, for whatever reason, who would have access to their records – all doctors in the province/country/world or only certain doctors and, if so, which ones; all nurses, technicians, pastors, volunteers, etc.? Do they have access to all medical information or part of it (if so, who has access to what part)? If your access is limited, how is this enforced?”
I also asked “where are the records kept (under lock and key, or in an easily accessible file container); is it kept in electronic or paper form, is it ever left unattended by medical staff, what safety features protect my information (ex. firewalls if on a computer). Under the privacy act I am entitled to a reply within 30 days.”
October 11, 2006
A response was sent from the Health Records Department:
Question 1: No answer
Question 2: Answer; - “I would like to confirm that our records are kept under lock and key. Access into the the chart file room is limited to the Health Records Department staff only.”
Included with the reply was a copy of the Fraser Health Authority “informative” brochure on Confidentiality. It includes two paragraphs on access and security, as follows: “How are electronic health records kept secure? In the Fraser Health Authority, we are able to audit who has accessed a patient, client or resident electronic health record and to assess whether the access was appropriate or not. Also, anyone accessing the electronic health record needs to have an authorized user name and password. In addition, different levels of access are given to staff members depending on the nature of their work.
How does the Fraser Health Authority ensure that patient/client/resident information is kept confidential? Fraser Health Authority staff are trained in confidentiality and security procedures during orientation and annually thereafter. New staff members sign a pledge of confidentiality when they are hired. As well, random audits are done to ensure that there is no inappropriate access to patient, resident, and client health records”.
Problems: - It does not say exactly who accesses health records, ie. volunteers, pastors, vendors, researchers, etc.;
- They do not define “staff”.
- It does not explain the different levels of access, ie who has access at each level, how much information is available at each level;
- they audit themselves;
- it does not explain what happens if confidential information has been “inappropriately” accessed. For example, how do you discipline pastors or volunteers. Again, the information is so general as to be almost useless.
- The “informative” brochure also stated: “Who do I contact if I have any questions or concerns? For more information about accessing your personal information contact: xxxxxx (name stroked out), the Fraser Health Authority Privacy Coordinator, at 604-520-4250”.
Problem 1 – there was no address to write them.
Problem 2 – When I tried to phone I got the switchboard at Royal Columbia, who had no idea who the number belonged to, but when she tried to engage the number she got a “funny” ring (one she had never heard before) and told me that I would not be able to get through to this number.
Problem 3 – the brochure front page states: CONFIDENTIALITY, Trust, Respect, Privacy, Security. I have not gotten a sense of any of those qualities from FHA.
October 16. 2006
I wrote back to the Record Department with a number of questions. The unanswered questions are:
- “Why wasn't I given the person's name who wrote the letter. The signature, obviously intentionally, is illegible?
- Why was the letter to the Privacy Officer directed to you?
- I would like to know who has accessed my health records, if this information does not automatically come with a copy of my health records.
- Since this is my health record, what 3rd party information could possibly be on my record that would need to be removed (before it could be sent to me)?
- As stated, most health records are made up of paper. Are all paper records converted to electronic format and then destroyed? If not, how/where are the paper records kept and how are they kept secure? In essence, I had asked for a detailed reply on who has access to anyone's records at any time and got a very general reply. I would like a detailed reply. For example, do clergy and volunteers have access to personal information? How is this dealt with?"
November 7, 2006
I received a letter from Seana Hamilton, Manager, Information Privacy, Fraser Health. She states:
“Fraser Health does not have an admissions form. The reason for this is that upon registration, information is entered directly into our electronic health record. We are directed by FOIPPA to provide notification of our authority to collect personal information and so at the point of registration with our patient/resident/client notification poster. I have included a copy of this poster for your information and reference.
Within Fraser Health, access to the electronic and paper health records is provided on a “Need to Know” basis. Basically, access is granted as authorized by a department manager in order for an employee to perform his or her duties in a position with Fraser Health. Acess is limited to only what each employee requires to perform his or her duties within Fraser Health. Access to our electronic health records is also audited regularly by my office.
Disclosure of personal information within and outside of Fraser Health occurs only as outlined by FOIPPA.
In terms of security of personal information (both paper and electronic records), I can assure you that Fraser Health is in compliance with established industry best practices and is in compliance with Section 30 of FOIPPA to “ensure the personal information in its custody and control is secure from unauthorized access, use and disclosure”. Fraser Health ensures Privacy Impact Assessments are done on any new initiatives, projects, and system implementations.
I am sending you a copy of two Fraser Health policies that address confidentiality and security of personal information and electronic communications."
Fraser Health may not have an “admissions form” but they could provide a list of admission questions, if them chose, as other authorities have done. The fact that they refuse to let people know what questions will be asked until they are at the hospital, sick and vulnerable, appalls me.
As I had been to Burnaby General Hospital several years ago, I requested a copy of my record. It should be noted that I did not find any questions that I would consider illegal on my record. However, I do not know what questions Royal Columbia asks. Although, Ms. Hamilton implies the admission “form” is the same for both.
A NOTICE TO OUR PATIENTS/RESIDENTS/CLIENTS ABOUT THE COLLECTION, USE AND DISCLOSURE OF PERSONAL INFORMATION
While you are receiving care within Fraser Health (FH), staff and physicians will collect personal information from you. To aid in your care, there may be some cases where you family or friends may be able to provide information, or we may obtain a copy of your health record from other health care organizations. We also obtain information from external sources for diagnostic results and medication information.
We collect personal information under the authority of the Hospital Act and the Health Authorities Act, in addition to other legislation, including, but not limited to, the Health Care (Consent) and Care Facility (Admission) Act, the Hospital Insurance Act, the Continuing Care Act, the Health Act, and the Mental Health Act.
We are committed to ensuring that your personal information is treated in a confidential manner according to the BC Freedom of Information and Protection of Privacy Act (FOIPPA).
The information collected is used in providing you with care and services and for determining your eligibility for services and benefits.
We will only share information for the purposes of:
- Your ongoing care
- Maintaining contact with you to assist us in continually improving the quality of our care and services
- Education and research with consent or as authorized under FOIPPA and;
- As prescribed by law, including FOIPPA
The poster was, again, so general as to be virtually meaningless. For example, it lists the authorities under which they have the right to collect personal information, including FOIPPA. However, that does not mean that they can collect all personal information, as noted by other hospitals found to be collecting personal information illegally (see Providence Health Care). Public bodies must "Determine the minimum amount of personal information needed to administer a program during the design of forms, questionnaires or other collection instruments." (FOIPPA – Policy and Procedures Manual – Section 26). After reading this poster, can you tell me who, specifically, has access to patient's information?
Also, according to FOIPPA "a public body must tell you the purpose for collecting your personal information and give you the business title, address and telephone number of one of its officers or employees who can answer your questions about the collection.” (Guide to FOIPPA, June 2004, pg. 12). I don't see an address or telephone number. Plus, it does not point out that you are entitled to ask why certain information is requested, ex. religion, occupation, etc. so you can determine if the information is necessary for your care.
Fraser Health Authority did send two policies (so at least they have some). The one regarding “Electronic Communications” referred to e-mails, fax, internet, telephone, etc. and essentially says that they must only be used for business purposes; “FHA internal information should not be place in any location, on machines connected to FHA internal networks or on the Internet, unless the persons who have access to that location have a legitimate need-to-know” (page 2).
The second policy “Confidentiality and Security of Personal Information” states that “the information belongs to the person about whom the information is recorded”. It's just too bad that we don't have control over, or even knowledge of, who accesses, our information.
It also states that “Should an investigation determine that a breach of confidentiality has occurred, the employee, volunteer, student or physician will be subject to discipline, up to and including termination of employment or privileges”. How do you discipline a volunteer other than terminating their privilege to volunteer which is no loss at all.
While I commend FHA for at least sending information, the information provided is still too general to answer my questions. And, again, apparently I am not entitled to know who has access to my personal information, how well it is protected, or who has accessed it.
The policy also states: “Fraser Health Authority employees (this term includes volunteers and service providers) have an obligation to report any unauthorized disclosures or demands for disclosure from outside of Canada, including subpoenas, warrants, or court orders, to the Fraser Health Authority's Information Privacy Office”. The problem, as noted before, is that no one seems to know what a privacy officer is, much less who they are.
Ms. Hamilton is long on assurances and very short on facts, which always makes me suspicious. If they are so confident that they are doing everything correctly why are they afraid to provide supporting information.
November 24, 2006
A letter from Ms. Hamilton:
“I am writing in response to your letter dated October 16, 2006. I believe some of the questions you posed were addressed in a previous response (November 7,2006). As per your request, my office has conducted an audit on your electronic health record at Fraser Health and there has been no unauthorized access to your records.
Within Fraser Health, access to all personal health information is granted on a “need to know” basis. This means access is restricted only to those who require the information in order to perform their job duties. Our notification poster (sent to you in my previous correspondence) clearly outlines our duties under BC's Freedom of Information and Protection of Privacy Act (FOIPPA).
Our duties in regard to protecting privacy of a third party are outlined in FOIPPA. If you have concerns about a request processed by Fraser Health in regard to third party information, please indicate in writing what this concern is and I will be pleased to address it with you”
1. I did not ask if there had been unauthorized access of my records. I had asked who had accessed my records.
2. Again they refuse to answer “who specifically has access to records”. I did not think the poster clearly outlined their duties.
3. Would I be informed if Fraser Health has processed a request by a third party, for my personal information?
November 27, 2006
I filed a complaint with the OIPC as my questions were not being answered.
January 29, 2007
Letter from OIPC:
“As for your letter to Burnaby Hospital, the time limit set out in section 7 of Freedom of Information and Protection of Privacy Act (the Act) applies to requests for records. The Fraser Health Authority has provided a November 10, 2006 response to your inquiry letter providing contact information should you wish to request access to existing records.
As you are aware the Freedom of Information and Protection of Privacy Act (the Act) applies to all records in the custody or under the control of the public body. A record, as defined in Schedule 1, includes books, documents, maps, drawings, photographs, letters, vouchers, papers and any other things on which information is recorded or stored by graphic, electronic, mechanical or other means.” After reading your letter to the hospital, it is clear that you have asked questions regarding specific issues and that you expected the hospital to provide a written response to those questions.
Our office would be able to review a public body's decision to deny you access to all or part of a record you requested, for example. This office does not have authority to review the failure of a public body to answer questions about its operations. I note you have indicated to me that you have raised similar questions with Royal Columbia Hospital, which you have also correctly identified as part of the Fraser Health Authority. If you wish to pursue answers to questions regarding the obligations of the Fraser Health Authority under the FOIPP Act, I recommend you contact the Seana Lee Hamilton, Central City, 100 – 13450 102nd Avenue, Surrey, BC, V3T 5X3.
This became a standard response from OIPC. I'm not sure which is scarier. A hospital authority with privacy information it refuses to divulge or a hospital authority which has no policies or procedures which identifies who specifically has access to patient information, under what circumstances, how this is protected and enforced, etc.
February 18, 2007
I tried again, sending a letter to Seana Hamilton:
“I would like a list of who exactly has access to personal/medical information. For instance, pastors, volunteers, service providers, care givers etc. Who exactly are service providers and care givers and why would they have access to this information? Under what circumstances would researchers be allowed access to personal/medical information? How much information do these people have access to; for example, do volunteers have access to all your personal/medical information or only part and, if so, what part and how is this monitored?
If there is a breach of confidentiality, do you advise the patient? What sort of discipline would a volunteer or service provider be subject to?
Is service provider the same as third party? If not, what third parties would have access to personal/medical information and why?”
March 19, 2007
A letter from Seana Hamilton:
“I am writing in response to your letter dated February 18, 2007. As per guidelines set out in BC's Freedom of Information and Protection of Privacy Act (FIPPA), I am responding within 30 days of the receipt of the request.
Within Fraser Health, access to all personal information is granted on a “need to know” basis. For instance, the registration clerks have limited access to personal information to perform their job duties of registering patients. The service and care providers have limited access to personal information to be able to provide care to the patients they are treating. The Volunteers do not have access to personal information unless they are directly involved in the patient's care. All access to personal information is audited by the Fraser Health Information Privacy Office. Physicians, nurses, clinicians, laboratory staff and etc. are categorized under service and care providers.
Section 35 of FIPPA permits research to be conducted within a public body. All researchers are required to be approved through the Fraser Health Director of Research. My office has confirmed that there has been no research conducted on your records.
When a privacy breach occurs, the patients/residents/clients whose information is breached are notified as per Fraser Health Managing Privacy Breaches Policy and OIPC guidelines. When notification occurs, a letter is sent to the affected patients/residents/clients informing them of the breach. As per the Fraser Health Confidentiality and Security of Personal Information Policy, any unauthorized access to personal information can result up to and including termination of employment.
FIPPA defines Service Provider as “a person retained under a contract to perform services for a public body.” A third party is defined as “in relation to a request for access to a record or for correction of personal information, means any person, group of persons or organizations other than the person who made the request or a public body.”. FIPPA defines Personal Information as “recorded information about an identifiable individual other than contact information."
Fraser Health would not release personal information to third parties unless it is for consistent purpose (such as another hospital or doctor's office treating the patient), as directed by an enactment of BC or Canada (such as Ministry of Family and Children Act, Coroners Act, a court order/search warrant) or with patient consent."
Again, it a case of what they are not saying that poses the problem. Problem:
1. “limited information” is a relative term. How limited is limited. Again they do not state specifically how much information can be accessed and by whom.
If volunteers are directly involved with patient care, how much information do they have access to. They are not doctors so surely they would not be entitled to access all of a patient's information.
2. Service and care providers. Physicians, nurses, clinicians, laboratory staff seem logical (although I would have considered them staff) but the “etc.” is interesting. They didn't mention pastors or volunteers. Later they state that a service provider is anyone under contract to perform services for a public body. So again, they have avoided being specific. So, painters, janitors, building cleaners, “ect.” would be service providers. Which service providers have a “need to know” and how much do they “need to know” is again not being answered.
3. Paragraph 4 sounded good at first. I interpreted it as saying that patients would be automatically notified if their privacy was breached until I realized that it said “per FH policy and OIPC guidelines”. Now I have to find out what the guidelines state.
4. paragraph 4 - “any unauthorized access to personal information can result up to and including termination of employment”. The question, of course, was “what sort of discipline would a volunteer or service provider be subject to”. I don't consider “terminating” a volunteer to be a deterrence or punishment.
March 26, 2007
Letter to Seana Hamilton:
“You still refuse to directly answer the question who exactly has access to personal/medical information and how much information do they have access to.
You stated: 'If you have concerns about a request processed by Fraser Health in regard to third party information, please indicate in writing what this concern is and I will be pleased ot address it with you'. If Fraser Health processed a request by a third party for my personal information, would I be informed?
Why isn't contact information considered to be confidential?
I would like a copy of your “Fraser Health Managing Privacy Breaches Policy.”
Waiting for a response.