At least three GTA hospitals do not proactively audit their patient records to detect privacy breaches, the Toronto Star has learned.
A survey of 24 hospitals and health-care centres found that more than half say they check their information systems for inappropriate access at least once a month. In contrast, one hospital — Providence Healthcare — still uses paper-based record keeping and reported that it could not conduct audits until a future electronic system is implemented.
“There’s a spectrum out there,” acting Privacy Commissioner Brian Beamish told the Star. “There are hospitals that have very robust systems put in place. And then there are ones where there may be something lacking and it takes an incident to bring that to light.”
In recent months, thousands of patients at hospitals across the region have had their confidential medical records accessed for no medical reason. Incidents ranged from hospital staffers providing baby photographers with new mothers’ contact information to nurses peeking at former Mayor Rob Ford’s files when he started treatment for cancer.
Last week, Beamish released a damning report on Rouge Valley Centenary Hospital, which had a massive privacy breach involving more than 14,000 patients and still lacks the ability to track staff access to confidential files. Shaida Bandali, a former Rouge Valley clerk, was charged with selling securities without a licence last month for allegedly providing medical records of new mothers from the hospital to financial companies peddling Registered Education Savings Plans.
“I hope that this kind of an order brings some publicity and raises some awareness out there for hospitals to go back and take a look at how they are auditing and make sure that their audit is comprehensive enough,” Beamish told the Star.
Rouge Valley Centenary Hospital declined to comment for this story, citing ongoing litigation.
Lakeridge Health in Oshawa has a monthly auditing program, and also does targeted audits at the request of a patient. It was the monthly audit that revealed an inappropriate access this past June, which then prompted a manual review of access to records. As a result, the hospital determined that 14 staff members in the mental health program had inappropriately accessed 578 patients’ records going back to 2004.
“Our recent experience is why we’re looking at our monthly audit program to validate we are meeting an appropriate standard,” said spokesman Aaron Lazarus.
There are no specific audit requirements in the province’s Personal Health Information Protection Act, which sets out rules health-care providers must follow when collecting and disclosing personal health information. It is left up to health-care providers to determine how best to comply with privacy requirements, and what disciplinary measures should be taken if a breach has occurred.
Of the 24 health-care institutions contacted by the Star, 22 maintained that they do conduct some form of audit, but the frequency and scope of those audits vary widely among facilities.
Bridgepoint Health says it conducts audits on its system daily, and reviews the information weekly. Providence Healthcare, however, has no proactive auditing at all. Spokesperson Patti Enright said the centre has a paper-based system for “charting personal health information.” She referred to a privacy breach protocol, but that has not had to be used for inappropriate access to patient records.
“We are working towards implementation of electronic charting, but we are still many years away from making this happen,” she said. “In the meantime, through our Privacy Committee, we are developing an overarching privacy audit (in preparation for an eChart) that will ensure all future systems that house patient information will be audited regularly.”
Of the 22 hospitals that have auditing procedures in place, the frequency of those audits varies widely: daily (1), weekly (2), monthly (10), every two to three months (1), quarterly (1), no set frequency (6), unclear frequency (1).
The hospitals surveyed said that typically, a staff member is found to have inappropriately accessed a patient’s record if they are not a member of that patient’s “circle of care,” meaning not directly responsible for their treatment. Disciplinary measures have ranged from letters in their human resources file to firing.
All said they have their employees sign a confidentiality form upon hiring and provide some kind of regular privacy training.
“I think it’s fair to say that there should be audits,” said Beamish. “I think we’ve been pretty clear that audits have to be a substantial part of any safeguards that a hospital is going to have in place.”
Nineteen of the hospitals conduct random proactive audits, while three only conduct audits if privacy concerns have been raised. Trillium Health Partners, comprising three Mississauga hospitals, manually conducts weekly audits on 10 random patients’ records, as well as upon request.
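The two audit styles described above, a "circle of care" check on every access and a weekly audit of a handful of randomly chosen patients, both come down to comparing an access log against a record of who was actually responsible for whom. The following is an added example written for this page; it is not code from any hospital or vendor named in the story. It assumes an electronic audit trail exists in a constructed pipe-separated format (timestamp, user, patient, action) and a constructed care-team assignment table with validity windows; both the format and the data are invented for illustration.

```python
"""Proactive audit of patient-record access: flag accesses outside the circle of care.

Added example, not code from any hospital or vendor named in the article.
Assumed (constructed) inputs: an EHR audit log as pipe-separated lines
  timestamp|user|patient|action
and a care-team assignment table with validity windows. Real audit trails differ.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional
import random


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str
    patient: str
    action: str


@dataclass(frozen=True)
class CareAssignment:
    """User is in the patient's circle of care from start until end (None = still open)."""
    user: str
    patient: str
    start: datetime
    end: Optional[datetime] = None


# Constructed sample log in the assumed format.
SAMPLE_LOG = """
2014-06-02T09:15:00|nurse.a|P1001|view
2014-06-02T09:20:00|nurse.b|P1001|view
2014-06-03T14:00:00|clerk.c|P1002|export
2014-06-04T08:00:00|dr.d|P1002|view
2014-06-10T11:00:00|nurse.a|P1003|view
"""

# Constructed care-team table: who is legitimately responsible for whom, and when.
ASSIGNMENTS = [
    CareAssignment("nurse.a", "P1001", datetime(2014, 6, 1)),
    CareAssignment("dr.d", "P1002", datetime(2014, 5, 20)),
    # nurse.a's assignment to P1003 ended 2014-06-05; the 2014-06-10 access falls after it.
    CareAssignment("nurse.a", "P1003", datetime(2014, 5, 1), datetime(2014, 6, 5)),
]


def parse_log(text: str) -> List[Access]:
    """Parse the assumed pipe-separated log format into Access records."""
    records = []
    for line in text.strip().splitlines():
        ts, user, patient, action = line.split("|")
        records.append(Access(datetime.fromisoformat(ts), user, patient, action))
    return records


def in_circle_of_care(a: Access, assignments: List[CareAssignment]) -> bool:
    """True only if the user was assigned to the patient at the moment of access."""
    for c in assignments:
        if c.user != a.user or c.patient != a.patient:
            continue
        if c.start <= a.ts and (c.end is None or a.ts <= c.end):
            return True
    return False


def audit(accesses: List[Access], assignments: List[CareAssignment]) -> List[Access]:
    """Full proactive audit: every access with no covering care assignment is flagged."""
    return [a for a in accesses if not in_circle_of_care(a, assignments)]


def sample_patients(accesses: List[Access], n: int, seed: int) -> List[str]:
    """Pick n patients at random (seeded so the selection can be reproduced for the record)."""
    patients = sorted({a.patient for a in accesses})
    return random.Random(seed).sample(patients, min(n, len(patients)))


def audit_sample(accesses: List[Access], assignments: List[CareAssignment],
                 n: int, seed: int) -> List[Access]:
    """Random-sample audit ('n random patients per week'): cheaper than a full audit,
    but an access to a patient outside the sample is simply never examined."""
    chosen = set(sample_patients(accesses, n, seed))
    return audit([a for a in accesses if a.patient in chosen], assignments)


def flagged_by_user(flagged: List[Access]) -> Dict[str, int]:
    """Count flagged accesses per user so repeat offenders surface first."""
    return dict(Counter(a.user for a in flagged))


if __name__ == "__main__":
    hits = audit(parse_log(SAMPLE_LOG), ASSIGNMENTS)
    for a in hits:
        print(f"FLAG {a.ts.isoformat()} {a.user} -> {a.patient} ({a.action})")
    print(flagged_by_user(hits))
```

Three things in this toy are worth keeping in mind when reading the survey results. First, the check is only as good as the assignment table: if care-team membership is incomplete or out of date, the privacy office is buried in false positives, and if it is too generous, a clerk exporting records looks like routine work. Second, assignments have to carry dates; the third flagged access here is by a nurse who was legitimately on the case a week earlier, which a check without validity windows would miss. Third, none of this is possible without an access log: a paper chart or a system that cannot record which staff member opened which file, as the commissioner's report found at Rouge Valley, leaves nothing to audit, whatever the stated frequency.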
“In early 2015, we are moving to a new privacy auditing solution called Security Audit Manager, which will be able to provide real-time privacy auditing,” said spokesman Chris Carson. “In the future, the auditing tool will have the capacity to proactively flag questionable access to charts for additional followup by the Privacy Office.”