BreachExchange mailing list archives
RQRHA did not adequately protect health information
From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Fri, 8 Mar 2013 09:02:16 -0600
http://www.leaderpost.com/health/RQRHA+adequately+protect+health+information/8066232/story.html

The Regina Qu'Appelle Regional Health Authority (RQRHA) failed to follow provisions of the Health Information Protection Act (HIPA) in a 2010 privacy breach, according to Saskatchewan's Information and Privacy Commissioner.

Gary Dickson's office began an investigation into the Regina breach after 15 addressograph cards - blue cards attached to patients' charts when they go to a hospital for tests or admissions - were found on the ground near two facilities belonging to a document destruction company on May 20, 2010. The cards contained personal information of patients who had been treated at the Pasqua and Regina General hospitals.

The privacy breach occurred when an employee of a document destruction company was transferring the cards in a container with a lid between two facilities. The container's lid was not secured and the cards flew out. They were discovered two days later by a member of the public. Although the company lost the cards, the RQRHA is responsible for the loss.

Each card had information that included the patient's name, date of birth, hospital services number and address. According to the commissioner's report, the RQRHA did not adequately safeguard the personal health information.

Dickson recommended the health region conduct regular audits to ensure that document destruction employees agree in writing to protect the confidentiality and security of personal information. The health region responded that it met with representatives and was assured that practice was in place.

The RQRHA informed the privacy commissioner's office that it would not conduct audits on a regular and ongoing basis, but has since reversed its decision. However, Brent Kitchen, the region's director of risk management and privacy officer, said the company responsible for destroying the blue cards quit moving the cards between the two facilities after the privacy breach. Therefore the RQRHA didn't feel there was a need to monitor the new process.

The commissioner recommended the RQRHA immediately develop procedures pertaining to the destruction of the blue cards. The region responded that it would draft a procedure ready for internal review by March 31. "That delay is unreasonable," Dickson wrote.

Kitchen said the region has been conducting a comprehensive review of the destruction of all personal health information, not just the blue cards. "Soon after the event, we did send out internal instructions to all of our staff on how to handle addressograph cards to make sure they are destroyed appropriately," he said. "Technically, it wasn't called a procedure, but it was instructions to staff on how to destroy and handle this type of information."

In a letter dated Aug. 10, 2011, the privacy commissioner requested a copy of the contract between the RQRHA and the document destruction company. The region provided a copy of the contract with its letter dated Nov. 3, 2011. "We would have liked to have received that sooner," said Diane Aldridge, director of compliance with the privacy commissioner's office.

Kitchen said the Regina Qu'Appelle Health Region takes privacy issues seriously. He said the region immediately investigated the privacy breach when it became aware of it, voluntarily notified the commissioner's office and provided Dickson with its investigation results. In addition, it notified all clients of the breach.

Kitchen believes sufficient safeguards are in place to protect patient information and work is underway to strengthen those procedures. "We're confident that we won't see a recurrence of that type of event," he said. "It is a learning opportunity so that's why we're looking at not just the addressograph cards to be fixed, but the destruction of personal documents in general."

The RQHR has 30 days to respond to the report that was formally issued last week and released to the media on Thursday.
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org) Archived at http://seclists.org/dataloss/