Access and Privacy Division




For Release November 27, 2001


Manitoba Ombudsman Issues Conclusions in Investigation of Breach of Privacy Allegations concerning the Health Sciences Centre

Winnipeg - The Manitoba Ombudsman's Office has completed an investigation into several allegations of breach of personal health information privacy made by a patient of Winnipeg's Health Sciences Centre (HSC), a trustee under The Personal Health Information Act.

Barry Tuckett, the Manitoba Ombudsman, found that one complaint, relating to inappropriate changes to the patient's demographic information (personal health information in this context), was substantiated; however, it could not conclusively be established that the complainant did not participate in the incident together with an HSC employee who had been her friend. The Ombudsman was of the opinion that other allegations made by the complainant were not substantiated.

Mr. Tuckett stated: "The complainant's public allegations brought into question the integrity of records management in the largest health care facility in Manitoba, making this a matter of public interest."

The investigation was launched after a complaint was made to the Manitoba Ombudsman and the media reported that an employee of the HSC had tampered with and disclosed the complainant's personal health information. The complaints investigated by the Ombudsman's Office were as follows:

  1. that an employee of the HSC allegedly tampered with (altered) the complainant's personal health information;
  2. that the employee allegedly mailed copies of the complainant's altered personal health information to twelve of the complainant's friends and relatives;
  3. that the employee allegedly mailed a letter containing the complainant's personal health information to two of the complainant's friends; and
  4. that, with respect to concerns raised by the complainant with the HSC about these allegations, the facility did not: a) take her concerns seriously, b) report the findings of its investigation to her and c) provide her with a copy of her restored personal health information.  
 



The complainant also expressed concern that the HSC did not take safeguards to ensure that personal health information held at the facility was secure. A review of the facility's compliance with the security safeguard provisions of The Personal Health Information Act is the subject of a separate investigation opened by the Ombudsman.

After her initial contact with the Ombudsman's Office, the complainant ceased to cooperate with investigators. Specifically, she failed to provide information that was required to investigate fully the allegations she made. Nevertheless, these allegations were very serious and the Ombudsman was not prepared to discontinue the investigation. After repeated attempts to obtain the complainant's cooperation, a subpoena was issued to her pursuant to the powers of the Ombudsman under The Personal Health Information Act and The Manitoba Evidence Act requiring her to answer questions relating to the matter.

The Ombudsman's report, dated November 14, 2001, concluded that:

  1. While the Ombudsman's investigation supported that an employee had changed the complainant's demographic information, the circumstances are in dispute. The employee's version is that the changes were made in the complainant's presence as a joke, with a copy being provided to her, following which the records were put back to their original wording. The complainant denied any involvement in the matter. On balance, the investigation supports the employee's version of the event.
  2. The investigation found no substance to the complaint that the HSC employee mailed copies of the complainant's electronic demographic data to twelve of the complainant's friends and relatives.
  3. The investigation found no substance to the complaint that the HSC employee mailed a copy of a letter referring to the complainant's surgery to two of the complainant's friends.
  4. The investigation found that the HSC took the matter seriously, conducted an investigation, and took what appears to be appropriate action. While the HSC did not report its findings to the complainant, the HSC is giving consideration to incorporating such reporting into its facility practices. In addition, the complainant's personal health information records at the HSC were available for her to review upon request.

"The HSC, as a trustee under The Personal Health Information Act, is responsible for the integrity of the records it maintains. Employees of the trustee who undertake responsibilities for the maintenance of personal health information are deemed to be acting on behalf of the trustee."

"In the circumstances of this case, my opinion is that the HSC had taken reasonable steps as a trustee to protect the personal health information it maintained," said Tuckett. "The facility also has a system in place to monitor changes made to electronic records which substantiated that personal health information in this case had been altered inappropriately."

Created in 1970, the Office of the Manitoba Ombudsman exists to promote fairness, equity and administrative accountability through independent and impartial investigation of complaints and compliance reviews. An Access and Privacy Division was established in 1998 to investigate complaints and review compliance under The Freedom of Information and Protection of Privacy Act and The Personal Health Information Act.


 






HEALTH SCIENCES CENTRE BACKGROUND PAPER

BACKGROUND

On July 9 and 10, 1999, articles appeared in The Winnipeg Sun newspaper reporting on an individual's allegations that an employee of Winnipeg's Health Sciences Centre (HSC) had tampered with and disclosed her personal health information. These public allegations brought into question the integrity of records management in the largest health care facility in Manitoba. Accordingly, the HSC was advised that the Ombudsman intended to initiate a complaint respecting the allegations under The Personal Health Information Act.

Shortly thereafter, the individual provided a letter of complaint to our office and met with two of our Compliance Investigators. Based on the complainant's written complaint to our office and our interview with her, her privacy concerns were as follows:

  1. that an employee of the HSC allegedly tampered with (altered) the complainant's personal health information;
  2. that the employee allegedly mailed copies of the complainant's altered personal health information to twelve of the complainant's friends and relatives;
  3. that the employee allegedly mailed a letter containing the complainant's personal health information to two of the complainant's friends; and
  4. that, with respect to concerns raised by the complainant with the HSC about these allegations, the facility did not: a) take her concerns seriously, b) report the findings of its investigation to her and c) provide her with a copy of her restored personal health information.

The complainant also expressed concern that the HSC did not take sufficient precautions to ensure that personal health information held at the facility was secure. Our review of the facility's compliance with the security provisions under The Personal Health Information Act is the subject of a separate investigation opened by the Ombudsman.

As the complainant's allegations were very serious and raised issues impacting on the public's confidence in the privacy of our health care system, the investigation began by our contacting the HSC, conducting interviews, and obtaining relevant information.

Unfortunately, after the complainant's initial contact with our office, she ceased to cooperate with our Compliance Investigators. Specifically, she failed to provide information to our office that was required to fully investigate the allegations made. Nevertheless, as these allegations were very serious, the Ombudsman was not prepared to discontinue our investigation.

After repeated attempts to obtain the complainant's cooperation, a subpoena was issued to her pursuant to the powers of the Ombudsman under The Personal Health Information Act and The Manitoba Evidence Act to require her attendance at our office to answer questions relating to this matter. She attended our office and responded to questions posed by our Compliance Investigators. At that time, an opportunity to make further representations was provided to her.

Our investigation is now complete, and the following are our findings and conclusions.

FINDINGS AND CONCLUSIONS

Our investigation centered on the complainant's concerns about the accuracy and the disclosure of her personal health information that is maintained by the HSC.

During the course of the investigation, enquiries were made with the HSC and several employees were interviewed. Additionally, the complainant was interviewed, including once when she was compelled by subpoena to attend our office. We interviewed individuals who the complainant identified as having received her personal health information from the HSC employee, with the exception of those we could not locate. The complainant claimed that there were other individuals who had received her personal health information, but she failed to provide our office with their names when requested. In addition, we believe that in the course of our investigation, we reviewed all of the records which were relevant to her complaint.

1. Allegation that an employee of the HSC tampered with (altered) the complainant's personal health information

At the outset, it is relevant to note that under the legislation, personal health information is defined as meaning recorded information about an identifiable individual and includes any identifying information about the individual that is collected in the course of, and is incidental to, the provision of health care. This would include demographic information such as name, address and telephone number collected in that context.

The HSC, as a trustee under The Personal Health Information Act, has a responsibility to take reasonable steps to ensure that personal health information is accurate, up to date, complete, and not misleading. Employees of the HSC who undertake responsibilities for the maintenance of personal health information records are deemed to be acting on behalf of the trustee.

The complainant advised our office that twelve of her friends and relatives provided her with, or told her they had received, HSC documentation containing demographic information about her. She advised us that this documentation displayed incorrect data, including a wrong telephone number, place of employment, religion and fictitious husbands. She alleged that her former friend, who had worked as a Unit Clerk at the HSC, was responsible for tampering with her information.

The complainant had made this allegation directly to the HSC, which undertook a review. By the time she made her complaint to our office, a newspaper had reported that the HSC had stated that an employee with authorized access to medical records breached confidentiality policies, had been suspended from her position, and had been transferred to another department where she would not have access to medical records.

In our investigation, the HSC advised us that only employees with authorized passwords have access to computerized demographic data records and that the employee in question did have this access. This is consistent with the following provision of The Personal Health Information Act:

Limit on the trustee's employees
20(3)
A trustee shall limit the use and disclosure of personal health information it maintains to those of its employees and agents who need to know the information to carry out the purpose for which the information was collected or received or to carry out a purpose authorized under section 21.

Similarly, section 5 of the Personal Health Information Act Regulation provides:

Authorized access for employees and agents
5
A trustee shall, for each of its employees and agents, determine the personal health information that he is authorized to access.

We were also informed that any change made to the electronic demographic data records could be traced to the password of the employee and the date of the change could be established. This is consistent with section 4 of the Personal Health Information Act Regulation, as follows:

Safeguards for electronic information
4
A trustee who maintains personal health information in electronic form shall also

  1. keep an electronic record of every successful or unsuccessful attempt to gain access to personal health information maintained in electronic form;
  2. keep an electronic record of every addition to, deletion or modification of personal health information maintained in electronic form;
  3. ensure that every transmission of personal health information maintained in electronic form is recorded; and
  4. regularly review the electronic record to detect any security breaches.

The employee about whom the complaint had been made was identified as having made changes to the complainant's personal health information. Our office viewed the various versions of the documentation and the changes made to the record. We verified that, on the same day, certain records containing the complainant's personal health information were accessed, altered, and put back to their original wording.

The employee advised our office that she had made changes to the complainant's electronic demographic data. She stated that the complainant, who had been her friend, asked if her information could be changed as a "joke" and was present when the changes were made and hard copies were produced. The employee said she then re-entered the original demographic information onto the complainant's electronic record.

The complainant denied that she was present when the changes were made to the electronic record or that she played a part in the changes.

The employee referred our Compliance Investigators to another person who, she said, could give evidence that would support her version of events. We interviewed this person, who informed us that they had overheard the complainant and the employee laughing and joking about the changing of the records.

There is no question that the employee was involved in the changing of the records. This is contrary to The Personal Health Information Act and HSC policy. The HSC, as trustee, is responsible for the integrity of the personal health information it maintains. We note that the HSC has a procedure for informing employees about The Personal Health Information Act and, with respect to the Act, has policies concerning the confidentiality of, access to, and security of, personal health information, as well as for the reporting of security breaches and corrective procedures to be followed.

The HSC has a system in place to monitor changes made to electronic records, and to identify when the changes were made, and by whom. This system supported the complainant's allegation that changes were made to her personal health information and that her records were subsequently put back to their original wording. However, based on all the information received through our investigation, we could not conclusively establish that the complainant did not participate in this incident.

2. Allegation that the HSC employee mailed copies of the complainant's electronic demographic data to twelve of the complainant's friends and relatives

The Personal Health Information Act governs the use and disclosure of personal health information by a trustee. In the context of the legislation, use refers to what is done with the personal health information within the trustee organization. The term disclosure refers to revealing personal health information outside of the trustee organization to other trustees or individuals. Specifically, section 20 of The Personal Health Information Act sets out:

General duty of trustees re use and disclosure
20(1)
A trustee shall not use or disclose personal health information except as authorized under this Division.

Limit on amount of information used or disclosed
20(2)
Every use and disclosure by a trustee of personal health information must be limited to the minimum amount of information necessary to accomplish the purpose for which it is used or disclosed.

Limit on the trustee's employees
20(3)
A trustee shall limit the use and disclosure of personal health information it maintains to those of its employees and agents who need to know the information to carry out the purpose for which the information was collected or received or to carry out a purpose authorized under section 21.

The complainant's concern that altered versions of her computerized demographic information were mailed to twelve of her friends and relatives is an allegation of unauthorized disclosure of personal health information under The Personal Health Information Act.

We interviewed the employee in relation to this complaint. She denied mailing any records pertaining to the complaint to anyone. In the complainant's letter to our office, she stated that she had provided the HSC with as many contact names as she could at the time to verify her story. The HSC undertook an investigation into her complaint. We were advised that the HSC could not substantiate the complaint as she had provided the name of only one alleged recipient, and that individual could not be reached for comment.

Initially, the complainant provided our office with the names of four individuals who she said received a copy of the computerized demographic data. We spoke with these individuals. Each denied that he or she had received any copy of the complainant's personal health information.

Our Compliance Investigators asked the complainant to provide the names of the other eight individuals that she maintained received her personal health information. She advised the Investigators that she would first want to obtain the permission of the individuals to give us their names. She did not provide their names to our office, nor did she respond to our numerous attempts to speak with her further on this issue, except under subpoena.

At the interview that the complainant was compelled to attend, she provided the name of a fifth person. When we could not obtain that person's telephone number through normal means, she said she would obtain it and supply it to us. We received no further information from the complainant with respect to this person or the other individuals she said received her personal health information.

Based on the information obtained in our investigation, we found no support for the complainant's allegation that the HSC employee mailed copies of her computerized demographic data to any person.

3. Allegation that the HSC employee mailed a copy of a letter referring to surgery the complainant had at the HSC to two of the complainant's friends

The complainant alleged that two of her friends had received a copy of a letter on the letterhead of a health care facility, referring to a particular procedure performed on her at the HSC. As with the above issue, this is an allegation of unauthorized disclosure of personal health information under The Personal Health Information Act.

The employee advised our office that she did not mail any records pertaining to the complainant's complaint to anyone.

It was reported in The Winnipeg Sun of July 9, 1999, that the complainant had undergone a particular procedure at the HSC several years previously. The complainant had apparently provided this information to the newspaper.

Our Compliance Investigators reviewed photocopied documentation that the complainant alleged was mailed by the HSC employee to two individuals. We discussed the documentation with the HSC and were informed that the documentation in question did not exist at the facility. We were also informed by the HSC that the complainant had furnished the documentation in the course of the HSC's review of this matter. The documentation did not, as the complainant alleged to our office and the press, make reference to her surgery.

We understand from our investigation that the complainant did not provide the HSC with the names of the two individuals she alleged received records relating to this surgery. Nevertheless, she did provide our office with the names of the two individuals in question. We spoke with both individuals. Both denied receiving any documentation containing the complainant's personal health information. In contradiction of what the complainant told us, one of the individuals denied attending the complainant's residence to discuss this issue. The other individual indicated that during a visit with the complainant, the complainant had some papers in her hand, apparently relevant to her complaint, but that this person did not see the contents of the papers. Both of these individuals were also among the five people the complainant specifically identified to our office as having received her computerized demographic data.

Based on our review of this issue, there is no evidence to support the allegation that the HSC employee mailed any letter about the complainant, or that she disclosed the complainant's personal health information regarding her surgery.

4. Allegation that the HSC did not a) take the complainant's concerns seriously; b) report the findings of its investigation to her; and c) provide her with a copy of her corrected personal health information

Among the general powers and duties of the Ombudsman under The Personal Health Information Act, the Ombudsman may conduct investigations and audits and make recommendations to monitor and ensure compliance under the Act. In the course of our investigation, we noted the policies and procedures of the HSC relating to the legislation and are able to respond to these additional issues that the complainant raised in her written complaint to our office.

a) Allegation that the HSC did not take the complainant's concerns seriously

We understand that the complainant made her complaint, in person, to the HSC about three months before she contacted our office. We further understand that a senior employee of the HSC met with her immediately upon her attendance at the facility. From the date of her complaint, and for several weeks thereafter, we understand that interviews were undertaken by the HSC and relevant documentation was reviewed. This included several conversations with the complainant and the HSC.

HSC staff was reported in the newspaper as saying that the complainant's allegations concerning disclosure of her personal health information could not be investigated because she did not provide the facility with the names of the individuals who allegedly received her personal health information. We were advised by one HSC employee that the complainant provided the name of one alleged recipient, and we were informed that the individual could not be contacted.

The one allegation that the HSC verified, that the employee changed the complainant's computerized demographic data, resulted in follow-up action being taken against the employee, as reported in the newspaper.

In the course of our investigation, our office verified that the complainant's electronic demographic data, which had been modified, was restored to its original content.

The Ombudsman was of the opinion that the concerns the complainant raised with the HSC were clearly taken seriously by the facility.

b) Allegation that the HSC did not report the findings of its investigation to the complainant

The HSC confirmed that it did not report the findings of its investigation to the complainant. We were advised that it is not the facility's practice to report conclusions of an investigation to a complainant. The Ombudsman was of the opinion that, for reasons of accountability and transparency, it is advisable for a trustee to report investigation findings to a complainant to the fullest extent possible. This has been discussed with the facility, and consideration is being given to incorporating such reporting into the facility's practices.

c) Allegation that the HSC did not provide the restored personal health information to the complainant

As noted, our Compliance Investigators verified that the complainant's personal health information was restored to its original content. It is our understanding that the complainant did not ask the HSC to see the restored documentation. At the outset of our investigation, our Compliance Investigators provided the complainant with the name and address of the HSC Privacy Officer to obtain access to her personal health record. We understand that she did not pursue this.

OMBUDSMAN'S CONCLUSIONS

Our investigation into the complainant's allegations of breach of personal health information privacy against the HSC, a trustee under The Personal Health Information Act, was hampered by her lack of cooperation with our office. Specifically, she was not forthcoming with evidence to support allegations that she had made to The Winnipeg Sun, to the HSC, and to our office. The Ombudsman concluded that the complaint was not made in good faith and was vexatious.

In addition, it was concluded:

  1. While our investigation supported that an employee had changed the complainant's demographic information, the circumstances are in dispute. The employee's version is that the changes were made in the complainant's presence as a joke, with a copy being provided to her, following which the records were put back in their original wording. The complainant denied any involvement in the matter. On balance, the investigation supported the employee's version of the event.

  2. The investigation found no substance to the complaint that the HSC employee mailed copies of the complainant's electronic demographic data to twelve of the complainant's friends and relatives.

  3. The investigation found no substance to the complaint that the HSC employee mailed a copy of a letter referring to the complainant's surgery to two of the complainant's friends.

  4. The investigation found that the HSC took the matter seriously, conducted an investigation, and took appropriate action. While the HSC did not report the findings to the complainant, the HSC is giving consideration to incorporating such reporting into its facility practices. In addition, the complainant's personal health information records at the HSC were available for her to review upon request.

There were no grounds for the Ombudsman to make any recommendation on the complainant's behalf in this matter.