The Office of the Information & Privacy Commissioner of British Columbia has released its review of the Primary Access Regional Information System (PARIS), the electronic health information system set up by the Vancouver Coastal Health Authority.
From the Executive Summary:
The electronic health record system at Vancouver Coastal Health Authority (“VCH”) known as the Primary Access Regional Information System (“PARIS”) was introduced in 2001 for its community-based programs. It is accessed by staff and contractors involved in the delivery of a wide range of health services outside of acute care hospitals. These health services include such things as a newborn hotline, home support for seniors, detox services, and communicable disease control. The personal information contained in PARIS is highly sensitive. It includes diagnoses as well as the case notes of physicians, nurses and counsellors about the treatment they provide to their clients.
As a result of our review of the compliance of the system with the standards required by the Freedom of Information and Protection of Privacy Act (“FIPPA”), we found that the privacy protection of personal information in PARIS is inadequate. Major deficiencies in implementation of the PARIS software from a privacy perspective are the following:
- an access model that is team-based rather than role-based resulting in too many users having access to too much personal information,
- several data flows of personal information outside of the health authority that are not authorized under FIPPA,
- the security protection for the system when we investigated it was not reasonable given the sensitivity of the personal information and did not meet the FIPPA standard, and
- records are stored indefinitely – neither archived nor destroyed when they are no longer needed to provide care.
These deficiencies are serious and are a matter of significant concern. It must be noted, however, that these deficiencies are not a result of the software product itself. Rather, they are due to the lack of a proper privacy lens being applied when it was operationalized in community programs at VCH.
VCH has recently put a good privacy management framework in place and is nurturing a corporate culture of privacy. However, this increased capacity and awareness with respect to privacy issues has not yet resulted in an adequate degree of privacy protection for the personal information contained in PARIS. The Information Privacy Office at VCH needs to have greater influence over the system administration of PARIS.
PARIS is a good example of an electronic database that should be designated as a health information bank under the E-Health (Personal Health Information Access and Protection of Privacy) Act. Designation would remedy the lack of authority under FIPPA for certain data flows into and out of PARIS. Designation by means of a legal instrument would also inform the public as to how personal information is being collected, used, and disclosed within the health care system, thereby improving transparency and accountability regarding its privacy protection.
Because of the current privacy management framework at VCH, it is anticipated that VCH will be able to respond to our recommendations in a timely fashion. To date, new privacy and security policies have been triggered by this review and role-based access model pilots have been initiated.
We intend to review implementation of all the recommendations contained in this report after one year.
Read the full report here.