TORONTO – At least three Toronto-area hospitals do not proactively audit their patient records to detect privacy breaches, according to an article in the Toronto Star. A survey of 24 hospitals and healthcare centres found that more than half say they check their information systems for inappropriate access at least once a month.
In contrast, one hospital – Providence Healthcare – still uses paper-based record keeping and reported that it could not conduct audits until a future electronic system is implemented.
“There’s a spectrum out there,” acting Privacy Commissioner Brian Beamish (pictured) told the Star. “There are hospitals that have very robust systems put in place. And then there are ones where there may be something lacking and it takes an incident to bring that to light.”
In recent months, thousands of patients at hospitals across the region have had their confidential medical records accessed for no medical reason. Incidents ranged from hospital staffers providing baby photographers with new mothers’ contact information to nurses peeking at former Mayor Rob Ford’s files when he started treatment for cancer.
In December, Beamish released a report on Rouge Valley Centenary Hospital, which had a massive privacy breach involving more than 14,000 patients and still lacks the ability to track staff access to confidential files.
Shaida Bandali, a former Rouge Valley clerk, was charged with selling securities without a licence last month for allegedly providing medical records of new mothers from the hospital to financial companies peddling Registered Education Savings Plans.
“I hope that this kind of an order brings some publicity and raises some awareness out there for hospitals to go back and take a look at how they are auditing, and make sure that their audit is comprehensive enough,” Beamish told the Star.
Rouge Valley Centenary Hospital declined to comment for this story, citing ongoing litigation.
There are no specific audit requirements in the province’s Personal Health Information Protection Act, which sets out rules healthcare providers must follow when collecting and disclosing personal health information. It is left up to healthcare providers to determine how best to comply with privacy requirements, and what disciplinary measures should be taken if a breach has occurred.
Of the 24 healthcare institutions contacted by the Star, 22 maintained that they do conduct some form of an audit, but their frequency and scope varies widely among facilities.
Bridgepoint Health says it conducts audits on its system daily, and reviews the information weekly. Providence Healthcare, however, has no proactive auditing at all. Spokesperson Patti Enright said the centre has a paper-based system for “charting personal health information.” She referred to a privacy breach protocol, but it’s yet to be used for inappropriate access to patient records.
“We are working towards implementation of electronic charting, but we are still many years away from making this happen,” she said. “In the meantime, through our Privacy Committee, we are developing an overarching privacy audit (in preparation for an eChart) that will ensure all future systems that house patient information will be audited regularly.”
Of the 22 hospitals that have auditing procedures in place, the frequency of those audits varies widely: daily (1), weekly (2), monthly (10), every two to three months (1), quarterly (1), no set frequency (6), unclear frequency (1).
The hospitals surveyed said that typically, a staff member is found to have inappropriately accessed a patient’s record if they are not a member of that patient’s “circle of care,” meaning not directly responsible for their treatment. Disciplinary measures have ranged from letters in their human resources file to firing.
All said they have their employees sign a confidentiality form upon hiring and provide some kind of regular privacy training.
“I think it’s fair to say that there should be audits,” said Beamish. “I think we’ve been pretty clear that audits have to be a substantial part of any safeguards that a hospital is going to have in place.”
Nineteen of the hospitals conduct random proactive audits, while three only conduct audits if privacy concerns have been raised. Trillium Health Partners, comprising three Mississauga hospitals, manually conducts weekly audits on 10 random patients’ records, as well as upon request.
“In early 2015, we are moving to a new privacy auditing solution called Security Audit Manager, which will be able to provide real-time privacy auditing,” said spokesman Chris Carson. “In the future, the auditing tool will have the capacity to proactively flag questionable access to charts for additional follow-up by the Privacy Office.”
Lakeridge Health in Oshawa has a monthly auditing program, and also does targeted audits at the request of a patient. It was the monthly audit that revealed an inappropriate access this past June, which then prompted a manual review of access to records. As a result, the hospital determined that 14 staff members in the mental health program had inappropriately accessed 578 patients’ records going back to 2004.
“Our recent experience is why we’re looking at our monthly audit program to validate we are meeting an appropriate standard,” said spokesman Aaron Lazarus.
At the other end of the spectrum, Sunnybrook Health Sciences Centre conducts audits on a set number of records “when there is suspicion of a breach,” said spokesman Craig Duhamel. He said inappropriate access to records at Sunnybrook is “very rare – less than one a year.”
Toronto lawyer Elyse Sunshine, who advises health professionals on privacy issues, said “it is absolutely advisable” to do regularly scheduled proactive audits. “In fact, it helps instill a culture of privacy in the organization,” she said. Sunshine said it’s “risky behaviour” for hospitals to only conduct audits on a targeted basis.
Privacy Commissioner Beamish says it would be difficult to implement a uniform policy on frequency and scope of audits because each healthcare institution varies in size and resources.
In a statement to the Star earlier this month, Health Minister Eric Hoskins said he had asked his staff earlier this fall “to work with guardians of personal health information to ensure that staff are being appropriately trained and that audits are conducted to help prevent privacy breaches.”