For Release April 21, 1999


Manitoba X-Ray Clinic Undertakes Security Audit following Ombudsman's Office Recommendations

Winnipeg - The Manitoba Ombudsman's Office has completed an investigation into reports that patient health files were left in a dumpster behind one of the premises of the Manitoba X-Ray Clinic for disposal. Barry Tuckett, the Manitoba Ombudsman, found that the Clinic failed to comply with section 17(3) of The Personal Health Information Act, which requires a personal health information trustee to "…ensure that personal health information is destroyed in a manner that protects the privacy of the individual the information is about."

The investigation was launched on the Ombudsman's own initiative when the media reported on March 5, 1999, that exposed patient files had been found following a call from a member of the public. It was confirmed that the files were being disposed of by the Manitoba X-Ray Clinic.

Six recommendations were made by the Ombudsman in his report to the Clinic dated March 12, 1999:

  1. That the Manitoba X-Ray Clinic (the "Clinic") immediately cease any and all destruction of personal health information contrary to The Personal Health Information Act.

  2. That the Clinic consider measures to ensure that personal information sent in recent months to any landfill site is not susceptible to unauthorized access and disclosure, and that these measures be reported to the Ombudsman's Office as part of the Clinic's response to the Ombudsman's recommendations.

  3. That the Clinic undertake forthwith an audit of its compliance with sections 17, 18, and 19 of The Personal Health Information Act and with the Regulation.

  4. That the Clinic identify measures to correct the deficiencies identified through this audit on a prioritized and urgent basis.

  5. That the Clinic provide a copy to the Office of the Ombudsman of this audit and the proposed timelines for correcting the specific deficiencies identified in relation to sections 17, 18, and 19 of The Personal Health Information Act and to the Regulation.

  6. That the Clinic take steps to inform its directors and employees about the intent and implications of The Personal Health Information Act.
Under The Personal Health Information Act, the Clinic was given 14 days to respond to the Ombudsman's recommendations.

"The Clinic met the timeline," said Mr. Tuckett, "and gives every indication of coming into compliance with the Act as soon as possible. I was pleased with the seriousness and sincerity that was displayed during our investigation, and that the Clinic met each of our recommendations in a satisfactory manner."

The Clinic advised that its audit dealt with seven areas and corrective actions include:

  • A written policy and procedures manual is being developed and is to be completed by April 30, 1999.
  • The Clinic is negotiating the purchase of shredders and a contract for shredding services. No destruction of personal health information is being done until these services are available. It is anticipated that these purchases will be completed by April 30, 1999.
  • The written policies and procedures manual will deal with the record of destruction, security policy and procedures, access restrictions and other precautions, and will form the basis for employee orientation and training.
  • A pledge of confidentiality has been developed and will be introduced together with the manual.

The Ombudsman said that there is a positive aspect to the incident in that the publicity generated will help alert other personal health information trustees and information managers about the requirements of The Personal Health Information Act. "I do have a lingering concern that there may be other trustees who have not yet complied with the Act," he said.

The Ombudsman's Office will follow up with the Clinic on the implementation of the recommendations and the compliance measures identified by the Clinic's security audit in relation to the requirements of the Act.

BACKGROUND

The Personal Health Information Act was proclaimed on December 11, 1997, by the Manitoba Government to:

  • Provide individuals with a right to examine and receive a copy of personal health information about themselves maintained by a personal health information trustee, subject to limited and specific exceptions set out in the Act;
  • Provide individuals with a right to request corrections to personal health information about themselves maintained by a trustee;
  • Control the manner in which trustees may collect personal health information;
  • Protect individuals against the unauthorized use, disclosure or destruction of personal health information by trustees;
  • Control the collection, use and disclosure of an individual's Personal Health Identification Number; and
  • Provide for an independent review of the decisions of trustees under the Act.

The Act affects nearly every person or organization that maintains health information in Manitoba, including all health information networks. A "trustee" under the legislation is defined as a health professional, health care facility, public body, or health services agency that collects or maintains personal health information.

The legislation allowed personal health information trustees until December 11, 1998, to comply with the security and confidentiality provisions detailed in its Regulation with an additional two years permitted in relation to electronic personal health information.

The Act is the first of its kind in Canada dealing specifically with personal health information.

EXCERPTS FROM THE OMBUDSMAN'S REPORT AND RECOMMENDATIONS:

The investigation was based on a complaint initiated by the Ombudsman under Part 5 of The Personal Health Information Act, as follows:

Ombudsman may initiate a complaint
39(4)
The Ombudsman may initiate a complaint respecting any matter about which the Ombudsman is satisfied there are reasonable grounds to investigate under this Act.

The investigation dealt with two basic matters: 1) the immediate alleged breach and related remedial actions, and 2) the associated issues of information retention and destruction policies and security safeguards under sections 17, 18, and 19 of The Personal Health Information Act (PHIA) and the Personal Health Information Regulation 245/97 (the "Regulation").

Based on the review by the Ombudsman's Office, the following report and recommendations were made.

THE LEGISLATION AND BACKGROUND

The Manitoba X-Ray Clinic (the "Clinic") is a trustee under The Personal Health Information Act, which is an enactment of the Manitoba Legislature. In addition to investigating personal health information access and privacy complaints under the Act, the Office of the Provincial Ombudsman has powers and duties such as to conduct investigations and audits and make recommendations to monitor and ensure compliance with the Act; to inform the public about the Act; and to comment on the implications for access and confidentiality of personal health information of programs and practices of trustees.

Specifically, section 17 of PHIA provides:

Retention and destruction policy
17(1)
A trustee shall establish a written policy concerning the retention and destruction of personal health information and shall comply with that policy.

Compliance with regulations
17(2)
A policy under subsection (1) must conform with any requirements of the regulations.

Method of destruction must protect privacy
17(3)
In accordance with any requirements of the regulations, a trustee shall ensure that personal health information is destroyed in a manner that protects the privacy of the individual the information is about.

Record of destruction
17(4)
A trustee who destroys personal health information shall keep a record of

  1. the individual whose personal health information is destroyed and the time period to which the information relates; and
  2. the method of destruction and the person responsible for supervising the destruction.

The Regulation sets out the following additional detail:

Written security policy and procedures
2
A trustee shall establish and comply with a written policy and procedures containing the following:

  1. provisions for the security of personal health information during its collection, use, disclosure, storage, and destruction, including measures
    1. to ensure the security of the personal health information when a record of the information is removed from a secure designated area, and
    2. to ensure the security of personal health information in electronic form when the computer hardware or removable electronic storage media on which it has been recorded is being disposed of or used for another purpose;
  2. provisions for the recording of security breaches;
  3. corrective procedures to address security breaches.

Access restrictions and other precautions
3
A trustee shall

  1. ensure that personal health information is maintained in a designated area or areas and is subject to appropriate security safeguards;
  2. limit physical access to designated areas containing personal health information to authorized persons;
  3. take reasonable precautions to protect personal health information from fire, theft, vandalism, deterioration, accidental destruction or loss and other hazards; and
  4. ensure that removable media used to record personal health information is stored securely when not in use.

The Regulation, registered on December 11, 1997, allowed a period of one year to comply with the regulation with the exception of section 4 (Safeguards for electronic information). Section 9(3) requires compliance with the provisions of section 4 no later than December 11, 2000.

The importance attached to the legislative requirements under PHIA is emphasized by sanctions under the Act, which include:

Offences by trustees and information managers
63(3)
A trustee or information manager who

  1. fails to protect personal health information in a secure manner as required by this Act; is guilty of an offence.

Continuing offence
63(5)
When a contravention of this Act continues for more than one day, the person is guilty of a separate offence for each day the contravention continues.

Prosecution within two years
63(6)
A prosecution under this Act may be commenced not later than two years after the commission of the alleged offence.

Penalty
64(1)
A person who is guilty of an offence under section 63 is liable on summary conviction to a fine of not more than $50,000.

Directors and officers of corporations
64(2)
When a corporation is guilty of an offence, a director or officer of the corporation who authorized, permitted or acquiesced in the offence is also guilty of an offence and is liable on summary conviction to a fine of not more than $50,000.

THE IMMEDIATE ISSUE AND REMEDIAL ACTIONS

The immediate issue and the basis of the complaint reviewed by the office was the alleged breach of section 17(3) of PHIA which requires "…that personal information is destroyed in a manner that protects the privacy of the individual the information is about."

The Office learned on March 5, 1999, that personal health information, apparently under the custody and control of the Clinic, was found in an outdoor dumpster awaiting pick-up for disposal at a local dumpsite. A Compliance Investigator from the Ombudsman's Access and Privacy Division immediately contacted the Manager of the Clinic, who confirmed that personal health information in the control of the Clinic had been placed in a dumpster and stated that these records had by then been picked up for disposal at a dumpsite. The Investigator examined the dumpster site and confirmed that records were no longer visible at the site. The Manager provided the Office with a statement of the Clinic's existing procedures for disposing of certain records containing health information. It was apparent that the Clinic had neither a written policy on retention and destruction of personal health information nor a record of destruction as required by PHIA.

Following further investigation and a meeting with the President of the Clinic, the Ombudsman reported that:

I am satisfied that the Clinic acted with reasonable expedition to ensure that no files were loose at the dumpster and that the bin was emptied on schedule on the night of March 5. Nevertheless, I must advise the Clinic of my opinion that the bundling of personal health information and transporting it to a dumpsite does not meet the requirements of the legislation. Disposing of personal health information in outdoor garbage bins does not provide adequate security for personal information; it is not an appropriate designated area; it does not restrict access to authorized persons; and it is not subject to reasonable precautions to protect the personal health information from theft, foraging, vandalism or other hazards.

The Ombudsman also gave his opinion that the disposal of personal health information at a dumpsite neither ensures the destruction of the records nor the disposal of records in a manner that protects the privacy of the persons the information is about. Paper records have been known to remain intact and legible for years even under adverse conditions, and, at a dumpsite, are subject to access by others. There are existing mechanisms and industry standards readily available to ensure the complete destruction of recorded information including paper and other media.

Concern was also expressed that the records apparently transported to the dumpsite during the evening of March 5 could well be intact at this time and subject to unauthorized and improper inspection.

ASSOCIATED ISSUES OF SECURITY SAFEGUARDS

In the course of the investigation, it also became apparent that the Clinic was not in substantive compliance with the provisions of the PHIA Regulation. The Regulation headings themselves indicate the areas which need to be addressed by the Clinic: (2) Written security policy and procedures, (3) Access restrictions and other precautions, (4) Safeguards for electronic information, (5) Authorized access for employees and agents, (6) Orientation and training for employees, (7) Pledge of confidentiality for employees, and (8) Audit.

The Regulation's Audit provision states:

Audit
8(1)
A trustee shall conduct an audit of its security safeguards at least every two years.

8(2)
If an audit identifies deficiencies in the trustee's security safeguards, the trustee shall take steps to correct the deficiencies as soon as practicable.

OMBUDSMAN'S RECOMMENDATIONS

The Personal Health Information Act sets out reporting mechanisms for the Ombudsman:

Report
47(1)
On completing an investigation, the Ombudsman shall prepare a report containing the Ombudsman's findings and any recommendations the Ombudsman considers appropriate about the complaint.

Recommendations about privacy
47(3)
In a report concerning a complaint about privacy, the Ombudsman

  1. shall indicate whether, in his or her opinion, the complaint is well founded; and
  2. may, as long as the trustee has been given an opportunity to make representations about the matter, recommend that the trustee
    1. cease or modify a specified practice of collecting, using, disclosing, retaining or destroying health information contrary to this Act….

Based on the provisions of PHIA and the information obtained in the Office's review, the Ombudsman's finding was that the Manitoba X-Ray Clinic had failed to comply with section 17(3) of PHIA, which requires a trustee to "…ensure that personal health information is destroyed in a manner that protects the privacy of the individual the information is about."

Accordingly, it was recommended:

  1. That the Manitoba X-Ray Clinic (the "Clinic") immediately cease any and all destruction of personal health information contrary to The Personal Health Information Act.

  2. That the Clinic consider measures to ensure that personal information sent in recent months to any landfill site is not susceptible to unauthorized access and disclosure, and that these measures be reported to the Ombudsman's Office as part of the Clinic's response to the Ombudsman's recommendations.

  3. That the Clinic undertake forthwith an audit of its compliance with sections 17, 18, and 19 of The Personal Health Information Act and with the Regulation.

  4. That the Clinic identify measures to correct the deficiencies identified through this audit on a prioritized and urgent basis.

  5. That the Clinic provide a copy to the Office of the Ombudsman of this audit and the proposed timelines for correcting the specific deficiencies identified in relation to sections 17, 18, and 19 of PHIA and to the Regulation.

  6. That the Clinic take steps to inform its directors and employees about the intent and implications of The Personal Health Information Act.

In making these recommendations, it was recognized that the Clinic may feel the need for assistance in ensuring that its policies and practices comply with the Act. It is the Office's impression that Manitoba Health will provide assistance in understanding the meaning and intention of the Act's provisions, but it should not be regarded as a source of legal interpretation or counsel. The Clinic was advised that it may wish to consult with its own counsel regarding compliance matters. The Ombudsman's Office is an office of independent review, and while it may extend some informal suggestions to the Clinic from time to time, these would be without prejudice to any subsequent oversight activity that the Ombudsman's Office may undertake.

The Ombudsman also noted that while the recommendations were directed toward obtaining, in effect, an overall plan of action and a record of compliance measures undertaken immediately by the Clinic, it would be in the best interests of its patients and of the Clinic itself to ensure expeditious action to bring the Clinic's information management policies and practices in line with the requirements of PHIA.


The Manitoba X-Ray Clinic's Response

Where the Ombudsman makes recommendations relating to a complaint, PHIA sets out:

Trustee's response to the report
48(4)
If the report contains recommendations, the trustee shall, within 14 days after receiving it, send the Ombudsman a written response indicating

  1. that the trustee accepts the recommendations and describing any action the trustee has taken or proposes to take to implement them; or
  2. the reasons why the trustee refuses to take action to implement the recommendations.

Compliance with recommendations
48(6)
When a trustee accepts the recommendations in a report, the trustee shall comply with the recommendations within 15 days of acceptance, or within such additional period as the Ombudsman considers reasonable.

The report and recommendations were sent to the Manitoba X-Ray Clinic on March 12, 1999 and the Clinic's response was received on March 25, 1999.

The Clinic advised that its audit dealt with seven areas: policy for retention and destruction of personal information, method of destruction of information to protect privacy of the individual, record of destruction, written security policy and procedures, restrictions to access and other precautions, orientation and training for employees, and pledge of confidentiality. Corrective actions include:

  • A written policy and procedures manual is being developed and is to be completed by April 30, 1999.
  • The Clinic is negotiating the purchase of shredders and a contract for shredding services. No destruction of personal health information is being done until these services are available. It is anticipated that these purchases will be completed by April 30, 1999.
  • The written policies and procedures manual will deal with the record of destruction, security policy and procedures, access restrictions and other precautions, and will form the basis for employee orientation and training.
  • A pledge of confidentiality has been developed and will be introduced together with the manual.