Doctors’ offices regularly breach patients’ privacy so clinics across B.C. must do more to protect the information in their possession, says a report released Wednesday by the Office of the Information and Privacy Commissioner for British Columbia (OIPC).
The audit and compliance report is based on 22 randomly selected medical clinics where at least five doctors worked. The audit sought to find out whether clinics and their staff are meeting legal obligations under the Personal Information Protection Act (PIPA). The act dictates how private organizations collect, use and disclose personal information.
Medical clinics were chosen for the review because of the massive amount of sensitive personal information they collect and because, relative to other private sector organizations, physicians’ offices, medical clinics and labs “account for the largest number of complaints and breach files received by the OIPC over the past five years.”
The scope of the review did not entail a physical inspection of electronic medical records systems, patient files storage systems or actual visits to the clinics. Rather, designated staff at the clinics answered questions and provided written material.
Even without a physical inspection of such clinics, the review discovered numerous problems with the way clinics handled patient information. Many lacked a designated privacy officer, put insufficient resources into privacy procedures and failed to stay abreast of technological advances that would help protect information.
The compliance review report says although there’s an inherently strong bond of trust between doctors and patients, the “troubling reality” is that privacy issues occur regularly in the medical field and the privacy commissioner routinely hears complaints about privacy breaches. Such breaches include accidental disclosures by email, files stolen from doctors’ vehicles, and computer systems that are compromised.
“The harms caused by these breaches can be very serious, leaving victims vulnerable to everything from damaged relationships to humiliation, financial loss and more.”
Michael McEvoy, B.C.’s information and privacy commissioner, said the compliance audit focused on medical clinics because of the large volume and sensitivity of the personal information they collect.
“The results show that while some clinics were complying with their obligations, many have work to do when it comes to improving their privacy practices. There is no question about the intense demands medical professionals face. However, respecting and protecting patients’ private information is critically important.
“Doctors and staff at clinics not only owe it to their patients to do their utmost to build and maintain strong privacy programs, but they are also legally obligated to abide by privacy legislation. I hope that the focus of this report underscores the need for clinics to address gaps in how they protect this sensitive personal information and my office’s willingness to assist them in doing so.”
The report has 16 recommendations aimed at helping clinics address the gaps in their privacy management programs, building better policies and safeguards, and ensuring they provide adequate notification about the purposes of collecting personal information online. The report recommends that clinics develop more robust privacy protocols, better responses to breaches and improved monitoring to ensure compliance and prevent breaches, and that they provide more training for staff and use more caution when collecting and sharing information online.