Office of the Privacy Commissioner | Case Note 246939 [2015] NZ PrivCmr 7 : Patient's shared medical records wrongly disclosed
An Auckland woman agreed that her insurer could access her medical records held by a local district health board (DHB).
However, the insurer sent a request for copies of her medical file to the wrong DHB. The DHB did not notice that it had received the request in error.
The DHB provided the woman’s entire medical file to the insurer, including sensitive mental health information that was not relevant to her claim.
The insurer did not retain the irrelevant information, but we were concerned that the DHB had accessed all of the woman’s information and had released it to a third party. We also wanted to know what information was able to be accessed by the DHBs and what security safeguards were around that information.
We found that all three DHBs in the Auckland region can electronically access information about patients that have been treated at any one of those DHBs. In this case, the woman attended a DHB five years previously and so the responding DHB was able to access her records.
There were restrictions around the mental health information in the database. For instance, access to the database was time limited and information could only be accessed about patients who had a current referral, so there must be a proven relationship with the patient care team. Plus, the mental health records in the database had a ‘break glass’ function to enable access for specific purposes. This function gave one-time- only access to patient information. Some senior medical officers who provided on-call cover were given full access.
Users recorded their reason for accessing the mental health records and automatic alerts were sent to system administrators when this function was invoked. All ‘break glass’ instances were audited.
In this case, the person responding to the request accessed the woman’s mental health file when they should not have.
Once the glass had been broken, and a user navigated further into the database, it was no longer possible to see which patient files belonged to which DHB so all information was accessed.
We were satisfied that the IT system that allows access by all DHBs was secure. There was a regional policy around sharing health information, including specific training and audited access. DHBs can identify who has accessed a user’s clinical record, why they accessed it and what they accessed within the record. All access was randomly audited on a regular basis.
In this case the insurer's request was made to the wrong DHB and it should therefore have been declined.
Further, only information relevant to the insurance claim should have been provided. This was not easy to determine, as after breaking the glass, users could not see which files related to which DHB. This was improved by creating clear labels showing where the information had been generated.
The DHB apologised to the woman and agreed to place an alert on her mental health file which comes up when her file is accessed. The alert indicates that caution is required when releasing information to third parties.
The DHB also agreed to pay compensation to the woman for the stress caused by disclosing sensitive mental health information incorrectly. DHB staff received further training on accessing records.
August 2015
District Health Board – IT system – security – disclosure – Health Information Privacy Code 1994