Office of the Privacy Commissioner | PBN23505 [2024] NZPrivCmr1 - Ultimate Care Group Limited
What happened
A representative for a resident living in an Ultimate Care Group facility complained to us because information was being withheld (by Ultimate Care) after a request under the Health Act. Section 22F of the Act says that people holding health information must usually provide it to the person the information relates to, or to that person’s representative or service provider where necessary.
The representative had previously made a complaint to Ultimate Care and the then-Capital and Coast District Health Board about the care provided to the resident while at the facility.
The Health Board commissioned a special audit of Ultimate Care in relation to this matter, which was carried out in August 2021. During the site visit on 17 August 2021 Ultimate Care identified that documents relating to the affected person’s care were missing.
The audit report noted several key records were not available for the audit team to review. This included part of the resident’s paper-based clinical record. The audit team concluded, “that the inability to locate part of [the resident’s] paper-based clinical records was … a potential breach of privacy legislation if confidential information was not stored securely.” Accordingly, the audit report recommended that the Health Board consider requiring Ultimate Care to, “locate [the resident’s] missing clinical record or report this as a breach of privacy”. The Health Board advised Ultimate Care of this and other required actions in December 2021.
There was a follow-up audit in 2022 to assess Ultimate Care’s progress towards the recommendations. Ultimate Care didn’t notify the Commissioner at this time.
The representative also made a complaint to the Health and Disability Commissioner (HDC), who relied on the findings of the Health Board’s audit. In its October 2023 findings, the HDC recommended that Ultimate Care, “report the matter relating to the loss of part of [the resident’s] clinical records to the Privacy Commissioner. Confirmation of this is to be provided to HDC within three weeks of the date of this report”.
Ultimate Care formally notified the Privacy Commissioner of the privacy breach in October 2023, with the reported breach being the loss of the resident’s clinical file.
Relevant privacy concerns
The two-year delay in notifying the Privacy Commissioner about the lost file raised several privacy issues:
- Section 114 of the Privacy Act requires that, ‘an agency must notify the Commissioner as soon as practicable after becoming aware that a notifiable privacy breach has occurred.’
- Evidence of poor document management systems at the facility, leading to the loss of the individual’s clinical file.
- Evidence of poor privacy capability and related breach management process, leading to Ultimate Care not identifying the breach as being notifiable, and additionally, not notifying the breach to OPC when recommended to by the Health Board audit.
We note that Ultimate Care cannot confirm the exact date the file was lost but that on the information it has, the loss was likely to have happened in late 2020 or during 2021.
In reviewing these concerns, OPC was informed by the Health Board audit report and the recommendations of HDC. We also sought, and received, information from Ultimate Care Group, and received information from the resident’s representative.
Privacy Commissioner’s findings
Ultimate Care has taken steps to strengthen privacy policies and protocols since our engagements with it. This includes providing staff training and introducing and refining a privacy breach management plan. Of note, Ultimate Care has adopted an electronic document management system, which also has internal access controls to minimise unauthorised access (employee browsing). Ultimate Care has also changed its management structure to better identify when there are failures in following existing policies.
While these changes are positive and will lift privacy capability at Ultimate Care, the Commissioner also considered the impact of the loss of the clinical file on the resident and the wider systemic issue of poor information management practices at Ultimate Care at that time.
Harm to the individual
Where health information is held by a health agency, the individual's representative has the right to request access to that health information, and to have their request dealt with in accordance with the law. The relevant authority is Rule 11(5) of the Health Information Privacy Code 2020 and section 22F of the Health Act 1956.
This right could not be met in this instance. Additionally, the audit noted that the missing elements of the clinical file impeded investigation of the care provided to the resident and prevented the audit from reaching conclusions on some points of its investigation. The Commissioner could not be assured that files about other residents have not been misplaced, or that other harm has not been caused to individuals because of those poor practices.
Repeated failure to notify a privacy breach
There were several points at which Ultimate Care should have made an earlier notification to OPC:
- When it was identified that parts of the clinical file were missing in August 2021. At this point Ultimate Care should have assessed the matter to determine if it met the assessment criteria in section 113, thereby requiring prompt notification to OPC. There is no evidence this assessment was completed at that time, despite Ultimate Care staff escalating concerns about the missing documents being a privacy breach that should be reported.
- When prompted by the Health Board following the audit report.
- When reviewing progress against the audit report recommendations in June 2022.
Ultimate Care is a large provider serving a vulnerable group in our population and holds a significant volume of sensitive information about the individuals in its care. A key element of providing care to these individuals is looking after their personal information, and health information in particular. It is disappointing that Ultimate Care did not identify the breach as notifiable as required under the Act and that, despite prompts by the Health Board, it continued to fail to notify the breach to OPC until recommended to do so by HDC.
Our compliance response
When considering compliance options for responding to a confirmed breach, our decision is informed by our Compliance and Regulatory Action Framework and our Naming Policy.
In this case, our compliance response takes into account the productive engagement between Ultimate Care and OPC and the actions Ultimate Care has taken to raise privacy awareness and improve document management practices. That said, Ultimate Care’s two-year delay in notifying as required by law, doing so only when recommended by HDC, is seriously concerning. The capability to identify a breach as notifiable, and to understand the obligations that follow, is core to meeting the minimum compliance standards.
The decision to name Ultimate Care Group in this note is made with the intention of highlighting the importance of compliance with the Act, for the benefit of the agency and the individuals it serves.