The follow-up on a case of improper records protection/disposal originally uncovered in March, from the Office of the Information and Privacy Commissioner of Saskatchewan:
Saskatchewan’s Information and Privacy Commissioner, Gary Dickson, has issued his Investigation Report H-2011-001 dealing with 180,169 pieces of patient personal health information (PHI) found in a recycling bin in Regina on March 23, 2011. This included 2,682 patient files as well as descriptions of diagnosis, treatment and care of other patients at the Albert Park Family Medical Centre. The trustee responsible for the records is Dr. Teik Im Ooi.
Dickson concluded that Dr. Ooi violated The Health Information Protection Act in multiple ways including:
- She failed to have appropriate written policies and procedures to protect the patient information entrusted to her;
- She failed to safeguard patient information when it was moved to off-site storage locations;
- She failed to have appropriate contracts with service providers; and • She failed to monitor the security of off-site storage facilities.
Dickson stated: “This is without question the largest breach of patient privacy that our office has encountered in eight years since The Health Information Protection Act was enacted.”
Dickson found that as a result of the multiple privacy breaches by Dr. Ooi the patient health information was not protected from viewing by a long list of individuals who would have had no legitimate need to know this patient information. This included her children and their friends, staff and labourers working for the pharmacist next door to Dr. Ooi’s clinic, a construction crew, staff and contractors of a Regina shopping centre and more than 3,600 persons who walked through the basement of the shopping centre to view a haunted house exhibit in October 2010.
The Commissioner made eleven recommendations that included a recommendation to the Minister of Justice that he consider prosecution under The Health Information Protection Act.
The commissioner’s full report can be found here (pdf), and it’s a blistering indictment. The report states, in part
It was determined that the patient records were thrown into the recycling bin by two employees of a contracted maintenance company for Golden Mile Shopping Centre (a building adjacent to Gold Square). We determined that the patient records had been moved from APFMC for storage on the second floor of Gold Square beginning in 2005. By 2007, approximately 150 boxes of patient records had accumulated there. This was the first of five different moves of the patient records that involved two different buildings and four different storage rooms or areas over a period of almost six years. For all intents and purposes, APFMC appeared to have lost track of the records when they were moved from their original location at APFMC in 2005. At that point, there was no record or catalogue of the contents of the boxes. In addition, the boxes were not marked in any sequential fashion to be able to trace their subsequent moves. There was little to no involvement by APFMC in four of the five moves and no supervision by APFMC of the moves nor any inspection of the off-site storage spaces. There was no written agreement between Dr. Ooi and third parties who acted as information management service providers (IMSP). It was determined that from 2007 until March 23, 2011 the large volume of patient phi was unprotected from many persons who would have had no legitimate ‘need-to-know’ that patient information. This included workmen, labourers, staff of Golden Mile Shopping Centre, and a large crowd of more than 3,600 persons who toured the basement where the patient files were stored in an unlocked space during the last three weeks of October 2010.
Although, as noted above, approximately 150 boxes of patient records were moved from APFMC for storage purposes between 2005 and 2007, the discovery of files in the recycling bin leaves unaccounted approximately 125 of those boxes of patient records. More than three weeks into our investigation APFMC advanced a theory that the missing 125 boxes had been moved back to APFMC at some point in 2007. Despite our further investigation, there is no reliable evidence that confirms this theory nor particulars of how such a move happened or who undertook the move. In any event, without an inventory of the box contents before they left APFMC and identification tags or numbers to allow tracing of the files, there is still the problem of a much larger number of patient files that left APFMC and did not end up in the recycling bin on March 23, 2011.
And there’s much more in this very detailed investigative report. Read it all here.
Previous coverage on this blog here.