Privacy & security

NB takes steps to ensure security of records

FREDERICTON – Lessons have been learned and corrective actions taken since the loss of computer cartridges containing Medicare patient billing information last year, said New Brunswick Health Minister Michael Murphy.

Murphy was responding to the release of a report by ombudsman Bernard Richard, whose office investigated the loss of the computer tapes.

The tapes contained Medicare billing information on 485 New Brunswick residents who received insured healthcare services in British Columbia, as well as information on 149 British Columbia residents who received health services in New Brunswick. They were lost last October while being shipped by courier from New Brunswick to B.C. and have not been found. Senior officials in the Department of Health only learned of the missing tapes in mid-December.

“First and foremost, I wish to thank the ombudsman and his office for their thorough investigation and corresponding recommendations,” Murphy said. “My department co-operated fully in this investigation, and has already responded to the ombudsman on his recommendations. We will continue to strengthen procedures and systems so as to safeguard the privacy of personal health information.”

Actions taken since the loss of the tapes include:

• The use of encrypted and password-protected CDs to share Medicare billing data with B.C. until a new system using secure file transfer protocol technology (SFTP) is in place. The technology, which exchanges files server to server, is already in place in New Brunswick, and will be tested with B.C. beginning later this month. The secure transfer of data with other jurisdictions using SFTP will follow as each jurisdiction adopts the new process.

• Adoption of a Privacy Breach Policy so that any breach is reported immediately to the deputy minister.

• Hiring of a full-time corporate privacy officer to focus on creating a privacy culture within the department, including the development of a corporate privacy policy and providing education sessions for staff on corporate privacy policies.

• Assigning a corporate privacy officer to oversee a full review of all departmental policies, procedures and protocols, including the development of policies relating to client access requests, secure exchange of information, and document retention.

In addition, a department-wide review will be launched of policies, practices and procedures as they relate to information management and privacy of personal information.

Murphy said that this review, which will also look at the security of the department’s existing information management systems, will be undertaken with the assistance of external support, as recommended by the ombudsman. A request for proposals for external assistance will soon be issued.

“These steps and others have all been undertaken in the last five months,” Murphy said. “Yet, we know there is more to do to ensure the security and confidentiality of personal health information, especially as we develop an electronic health record to improve healthcare for New Brunswickers.”

Murphy announced that introduction of the province’s new personal health information legislation will be delayed until the fall. Instead, draft legislation will be presented in the legislature this spring as a green paper to allow interested New Brunswickers to comment and provide input before the final legislation is tabled this fall for approval.

“This will further enhance the involvement of stakeholders who have told us they want to be fully involved in the development of this legislation,” Murphy said.

“To date we have had a two-day workshop with stakeholders that has been very instrumental in developing the green paper that will go out for public comment.” Murphy said that his department is also requesting that the Office of the Ombudsman work with the department on the development of information systems related to the creation of the e-health record.

“We want to ensure that the Office of the Ombudsman has input into and is kept abreast of policies, procedures and technical safeguards as they relate to the privacy and security of personal health information that will be contained in the e-health record,” Murphy said. “We are asking that the office review at what stage electronic health information architecture can be introduced.”

Murphy said that privacy and security issues have been and will continue to be fully addressed in conjunction with the design and development of all new information management systems.