BACKGROUND PAPER:
BACKGROUND
In April 1999,
the print media reported that three Winnipeg chiropractors had used
personal health information of their patients to send a letter seeking
support for a political nominee. The Manitoba Ombudsman's Office commenced
an investigation into the matter based on section 39(4) of The
Personal Health Information Act (PHIA), which sets out:
Ombudsman may initiate complaint
39(4) The Ombudsman may initiate a complaint respecting
any matter about which the Ombudsman is satisfied there are reasonable
grounds to investigate under the Act.
Early in the investigation,
it was learned that one of the three chiropractors had been mistakenly
named by the media. The other two were Dr. Alan Daien and Dr. Brian
Mestdagh. In reviewing the matter, it came to the Ombudsman's attention
that three other chiropractors may have used and disclosed patients'
personal health information contrary to PHIA. They were Dr.
Gilbert Bohemier, Dr. Gerald Bohemier and Dr. Henry Pops. Accordingly,
five chiropractors were the subject of the investigation.
The investigation
dealt with two basic matters: 1) use and disclosure of personal health
information, and 2) the associated issues of information retention
and destruction policies and other security safeguards under sections
17, 18 and 19 of PHIA and the Personal Health Information
Regulation 245/97.
LEGISLATIVE PROVISIONS
USE AND DISCLOSURE OF PERSONAL HEALTH INFORMATION
PHIA, an enactment of the Manitoba Legislature, governs the
use and disclosure of personal health information.
A registered,
licensed chiropractor, who collects and maintains personal health
information, is a trustee under PHIA. The definition of personal
health information under the legislation includes recorded information
about an identifiable individual that relates to the provision of
health care to the individual and includes any identifying information
about the individual that is collected in the course of, and incidental
to, the provision of health care.
Specifically,
section 20 of PHIA provides:
General duty of trustees re use and disclosure
20(1) A trustee shall not use or disclose personal health
information except as authorized under this Division.
Limit on amount of information used or disclosed
20(2) Every use and disclosure by a trustee of personal health
information must be limited to the minimum amount of information
necessary to accomplish the purpose for which it is used or disclosed.
Limit on the trustee's employees
20(3) A trustee shall limit the use and disclosure of personal
health information it maintains to those of its employees and agents
who need to know the information to carry out the purpose for which
the information was collected or received or to carry out a purpose
authorized under section 21.
SECURITY SAFEGUARDS
In addition to investigating complaints concerning personal health
information access and privacy under PHIA, the Office of the
Manitoba Ombudsman has powers and duties that include conducting investigations
and audits and making recommendations to monitor and ensure compliance
with the Act; informing the public about the Act; and commenting on
the implications for access and confidentiality of personal health
information relating to programs and practices of trustees. In addition
to addressing the use and disclosure of personal health information,
PHIA sets out the following about information security safeguards:
Retention and destruction policy
17(1) A trustee shall establish a written policy concerning
the retention and destruction of personal health information and
shall comply with that policy.
Compliance with regulations
17(2) A policy under subsection (1) must conform with any
requirements of the regulations.
Method of destruction must protect privacy
17(3) In accordance with any requirements of the regulations,
a trustee shall destroy personal health information in a manner
that protects the privacy of the individual the information is about.
Record of destruction
17(4) A trustee who destroys personal health information shall
keep a record of
- the individual whose personal health information is destroyed
and the time period to which the information relates; and
- the method of destruction and the person responsible for supervising
the destruction.
Duty to adopt security safeguards
18(1) In accordance with any requirements of the regulations,
a trustee shall protect personal health information by adopting
reasonable administrative, technical and physical safeguards that
ensure the confidentiality, security, accuracy and integrity of
the information.
Specific safeguards
18(2) Without limiting subsection (1), a trustee shall
- implement controls that limit the persons who may use personal
health information maintained by the trustee to those specifically
authorized by the trustee to do so;
- implement controls to ensure that personal health information
maintained by the trustee cannot be used unless
  - the identity of the person seeking to use the information
  is verified as a person the trustee has authorized to use
  it, and
  - the proposed use is verified as being authorized under this
  Act;
- if the trustee uses electronic means to request disclosure of
personal health information or to respond to requests for disclosure,
implement procedures to prevent the interception of the information
by unauthorized persons; and
- when responding to requests for disclosure of personal health
information, ensure that the request contains sufficient detail
to uniquely identify the individual the information is about.
Additional safeguards for information in electronic form
18(3) A trustee who maintains personal health information
in electronic form shall implement any additional safeguards for
such information required by the regulations.
Safeguards for sensitive information
19 In determining the reasonableness of security safeguards
required under section 18, a trustee shall take into account the
degree of sensitivity of the personal health information to be protected.
The Regulation
sets out the following additional detail:
Written security policy and procedures
2 A trustee shall establish and comply with a written policy
and procedures containing the following:
- provisions for the security of personal health information during
its collection, use, disclosure, storage, and destruction, including
measures
  - to ensure the security of the personal health information
  when a record of the information is removed from a secure
  designated area, and
  - to ensure the security of personal health information in
  electronic form when the computer hardware or removable electronic
  storage media on which it has been recorded is being disposed
  of or used for another purpose;
- provisions for the recording of security breaches;
- corrective procedures to address security breaches.
Access restrictions and other precautions
3 A trustee shall
- ensure that personal health information is maintained in a designated
area or areas and is subject to appropriate security safeguards;
- limit physical access to designated areas containing personal
health information to authorized persons;
- take reasonable precautions to protect personal health information
from fire, theft, vandalism, deterioration, accidental destruction
or loss and other hazards; and
- ensure that removable media used to record personal health information
is stored securely when not in use.
The Regulation,
registered on December 11, 1997, allowed a period of one year to comply
with the Regulation, with the exception of section 4 (Safeguards
for electronic information), which, as the Regulation sets out, must be
complied with no later than December 11, 2000.
The audit provision
of the Regulation states:
Audit
8(1) A trustee shall conduct an audit of its security safeguards
at least every two years.
8(2) If an audit identifies deficiencies in the trustee's
security safeguards the trustee shall take steps to correct the
deficiencies as soon as practicable.
The Regulation
headings indicate the areas which need to be addressed by a trustee:
(2) Written security policy and procedures; (3)
Access restrictions and other precautions; (4) Safeguards
for electronic information; (5) Authorized access for
employees and agents; (6) Orientation and training for
employees; (7) Pledge of confidentiality for employees;
and (8) Audit.
OMBUDSMAN'S FINDINGS AND CONCLUSIONS
USE OF PATIENTS' PERSONAL HEALTH INFORMATION
The investigation into this matter was launched by the Ombudsman in
response to media reports alleging breach of section 20 of PHIA:
"A trustee shall not use or disclose personal health information
except as authorized under this Division."
Based on information
provided by the chiropractors concerned, it was apparent that information
concerning approximately 2,300 patients, collected in the course of,
and incidental to, the provision of chiropractic care (personal health
information), was used for a mailing and subsequent telephone follow-up
in March 1999 relating to the support of Mr. Ted Murphy, who was seeking
nomination for a political party in the Springfield constituency.
Our office was
advised that the personal health information used for the mailing
and the telephone follow-up consisted of patient name, address and
telephone numbers. The chiropractors confirmed that this personal
health information was not used for the purpose for which it was collected
and that consent was not obtained from the patients for this use of
their personal health information.
The Ombudsman
advised the chiropractors that, in his opinion, the use of personal
health information for a mailing and telephone solicitation not directly
related to the purpose for which the information was collected was,
without the patient's consent or as otherwise authorized under PHIA,
in contravention of the Act.
DISCLOSURE OF PATIENTS' PERSONAL HEALTH INFORMATION
Facts varied, depending on the individual chiropractor, with respect
to the disclosure of personal health information. We understand that
two chiropractors did not personally undertake the preparation of
the letters or mailing in which their patients' personal health information
was utilized. They provided the information to Mr. Murphy. One chiropractor
advised that he prepared the letters and then provided them to Mr.
Murphy for mailing. The preparation of the letter and mailing by the
two other chiropractors was conducted in their office after work hours.
In the case of
four of the chiropractors, it is clear that telephone follow-up to
the letters was conducted by a call centre. Apparently Mr. Murphy's
campaign manager, Mr. Frank Clark, provided the patients' information
to the call centre, where staff attempted to contact the patients.
It is evident from this paperwork that identified individuals were
shown to be recipients of chiropractic care.
In the case of one chiropractor, we did not encounter evidence of
patients' personal health information being handled by the call centre.
Early in the investigation,
two of the chiropractors sought return of their patients' personal
health information from Mr. Murphy. We were advised that the information
had been destroyed.
During the investigation,
our Office encountered paper records at the call centre concerning
certain patients of two chiropractors. These included a page of a
spreadsheet containing names, addresses and telephone numbers of individuals
shown to be patients of the chiropractors. There was also a "Chiropractic
Study Comment Sheet" concerning a patient of one of these chiropractors,
that included his name, address and telephone number and notes about
the telephone contact. Our Office advised the chiropractors of the
existence of these records.
The chiropractors
provided a context for their actions. One stated that he was not aware
that this use and disclosure of his patients' personal health information
was contrary to the law and, had he known, he would not have acted
as he did. Two others stated that they had not thought that this use
and disclosure was in breach of the law. Three noted that Manitoba
chiropractors have had a history, over the years and especially around
the time of elections, of supporting political candidates sympathetic
to chiropractic issues. Some suggested that patient information had
been utilized in this way before. There was another chiropractor who
advised that this was a single event on his part and that he has not
used or disclosed personal health information for this purpose before
or since this one event.
Under PHIA,
the provision of patients' personal health information to a person
outside of the trustee's office is a disclosure. The chiropractors
confirmed that the personal health information was not collected for
the purpose for which it was disclosed and that consent was not obtained
for this disclosure. Accordingly, the Ombudsman advised that, in his
opinion, this disclosure was in contravention of PHIA.
SECURITY SAFEGUARDS
It was apparent when the chiropractors made representations to our
Office in this matter that they did not have a written security policy
about the retention and destruction of personal health information,
a written security policy and procedures or a signed pledge of confidentiality
for employees and agents making reference to a written security policy
and procedures. Four of the chiropractors did not have orientation
and training for employees and agents and two did not secure hard
copy patient records in their office. None had conducted an audit
of their security safeguards.
Accordingly, the
chiropractors were not in substantive compliance with sections 17,
18 and 19 of PHIA and the provisions of the Personal Health
Information Regulation 245/97.
AWARENESS OF OBLIGATIONS UNDER PHIA
The Ombudsman found that before the unauthorized use and disclosure
under PHIA took place and for a time while the chiropractors'
security safeguards were in non-compliance, the chiropractors had
not received information or training about their obligations under
PHIA from the Manitoba Chiropractors' Association, the professional
and regulatory body. While this does not absolve a professional from
familiarizing himself or herself about legislation affecting his or
her practice, it is a factor that was considered in the investigation.
OMBUDSMAN'S RECOMMENDATIONS
PHIA sets out
reporting mechanisms for the Ombudsman:
Report
47(1) On completing an investigation, the Ombudsman shall
prepare a report containing the Ombudsman's findings and any recommendations
the Ombudsman considers appropriate about the complaint.
Recommendations about privacy
47(3) In a report concerning a complaint about privacy, the
Ombudsman
- shall indicate whether, in his or her opinion, the complaint
is well founded; and
- may, as long as the trustee has been given an opportunity to
make representations about the matter, recommend that the trustee
  - cease or modify a specified practice of collecting, using,
  disclosing, retaining, or destroying health information contrary
  to this Act; or
  - destroy a collection of personal health information that
  was collected in a manner contrary to this Act.
Based on our investigation,
the Ombudsman was of the opinion that the five chiropractors had used
and disclosed patients' personal health information for a mailing
and telephone solicitation not directly related to the purpose for
which the information was collected or received and without the patients'
consent or as otherwise authorized under PHIA. Additionally, the Ombudsman
was of the opinion that the five chiropractors were not in substantive
compliance with security safeguard provisions of the Act.
Our Office finalized
the investigation and it was recommended:
- That a written apology be provided as soon as possible to your
patients who have expressed concern about the unauthorized use and/or
disclosure of their personal health information.
- That reasonable steps be taken to ensure that the personal health
information of your patients that was disclosed to Mr. Ted Murphy
and by him to any other person, as well as any other records generated
from the use and disclosure of personal health information that
would identify your patients, be destroyed.
- That steps be undertaken immediately to identify any deficiencies
relating to your compliance with sections 17, 18 and 19 of PHIA and
the Personal Health Information Regulation 245/97.
- That steps be undertaken immediately to address any deficiencies
identified to ensure compliance with PHIA and the Personal Health
Information Regulation 245/97.
THE CHIROPRACTORS' RESPONSES
The written responses
from the chiropractors indicated that these recommendations have been
accepted. In brief, written apologies were provided where patients
had expressed concern; the personal health information that was disclosed,
as well as other records generated from the use and disclosure of
the personal health information, was destroyed; and steps were taken
to identify and address deficiencies relating to security safeguards
as set out in The Personal Health Information Act and Personal
Health Information Regulation 245/97.
