Manitoba X-Ray Clinic undertakes security audit following Ombudsman's office recommendationsReturn to listing
Apr 21, 1999
The Manitoba Ombudsman's Office has completed an investigation into reports that patient health files were left in a dumpster behind one of the premises of the Manitoba X-Ray Clinic for disposal. Barry Tuckett, the Manitoba Ombudsman found that the Clinic failed to comply with section 17(3) of The Personal Health Information Act which requires a personal health information trustee "…ensure that personal health information is destroyed in a manner that protects the privacy of the individual the information is about."
The investigation was launched on the Ombudsman's own initiative when the media reported on March 5, 1999 that exposed patient files were found following a call from a member of the public. It was confirmed that the files were being disposed of by the Manitoba X-Ray Clinic.
Six recommendations were made by the Ombudsman in his report to the Clinic dated March 12, 1999:
- That the Manitoba X-Ray Clinic (the "Clinic") immediately cease any and all destruction of personal health information contrary to The Personal Health Information Act.
- That the Clinic consider measures to ensure that personal information sent in recent months to any landfill site is not susceptible to unauthorized access and disclosure, and that these measures be reported to the Ombudsman's Office as part of the Clinic's response to the Ombudsman's recommendations.
- That the Clinic undertake forthwith an audit of its compliance with sections 17, 18, and 19 of The Personal Health Information Act and with the Regulation.
- That the Clinic identify measures to correct the deficiencies identified through this audit on a priorized and urgent basis.
- That the Clinic provide a copy to the Office of the Ombudsman of this audit and the proposed timelines for correcting the specific deficiencies identified in relation to sections 17, 18, and 19 of The Personal Health Information Act and to the Regulation.
- That the Clinic take steps to inform its directors and employees about the intent and implications of The Personal Health Information Act.
Under The Personal Health information Act, the Clinic was given 14 days to respond to the Ombudsman's recommendations.
"The Clinic met the timeline," said Mr. Tuckett, "and gives every indication of coming into compliance with the Act as soon as possible. I was pleased with the seriousness and sincerity that was displayed during our investigation, and that the Clinic met each of our recommendations in a satisfactory manner."
The Clinic advised that its audit dealt with seven areas and corrective actions include:
- A written policy and procedures manual is being developed and it to be completed by April 30, 1999.
- The Clinic is negotiating the purchase of shredders and a contract for shredding services. No destruction of personal health information is being done until these services are available. It is anticipated that these purchases will be completed by April 30, 1999.
- The written policies and procedures manual will deal with the record of destruction, security policy and procedures, access restrictions and other precautions, and will form the basis for employee orientation and training.
- A pledge of confidentiality has been developed and will be introduced together with the manual.
The Ombudsman said that there is a positive aspect to the incident in that the publicity generated will help alert other personal health information trustees and information managers about the requirements of The Personal Health Information Act. "I do have a lingering concern that there may be other trustees who have not yet complied with the Act," he said.
The Ombudsman's Office will follow up with the Clinic on the implementation of the recommendations and the compliance measures identified by the Clinic's security audit in relation to the requirements of the Act.