Yukon gov't overstepped in collecting patient information, says privacy commissioner

Yukon's top privacy watchdog issued two recommendations after discovering government health services were collecting more patient information than necessary, and failing to meet information security requirements.

Commissioner says health department also failed to meet security requirements

The investigation was triggered by a 2016 complaint from a patient who alleged the Yukon government's Insured Health and Hearing Services department was not following health privacy laws. (CBC)

Yukon's top privacy watchdog says the territory's Department of Health and Social Services (HSS) overstepped in how much patient information it collected, and then failed to meet the security requirements to keep that information safe.

In a news release last Thursday, Information and Privacy Commissioner Diane McLeod-McKay released her final report from an investigation into a complaint filed by a patient of a Yukon doctor in 2016. The patient alleged the Insured Health and Hearing Services department within HSS was collecting more information from his physician than is allowed by law, and the department didn't have adequate security systems in place to protect that information.

The information was collected and used to verify billing claims.

McLeod-McKay also admonished the department for "significant difficulties" she experienced while trying to get records. She was first told the information didn't exist. To complete her work, she resorted to questioning witnesses under oath, which she states took a "significant amount" of time and public funds to complete. During that questioning, a witness admitted the records did indeed exist, but some had been destroyed.

Diane McLeod-McKay, the territory's information and privacy commissioner, also cited the government for 'significant difficulties' she experienced while trying to obtain evidence during her investigation. (Dave White/CBC)

Through her investigation, McLeod-McKay concluded HSS had the authority to collect the bare minimum needed to process claims, but in at least one case sought an unredacted copy of a clinic record from the physician. In this specific case, McLeod-McKay determined the record would have contained physician notes including patient history, mental status, and treatment recommendations, and this was more information than necessary to process the bill.

McLeod-McKay also learned that while the Insured Health department now has a number of written policies in place to protect information it receives from doctors, during the actual time of the complaint in 2016, employees hadn't signed confidentiality pledges and there were no auditing controls.

McLeod-McKay says the experience highlights the importance of departments identifying and protecting all relevant evidence during an investigation.

Privacy watchdog issues two recommendations

McLeod-McKay made two recommendations as a result of her investigation. One asks the department to make sure it is only collecting the minimum amount of patient information as is necessary. The other is to make sure legally-required information security standards are being met.

The department has accepted both recommendations. McLeod-McKay published two letters from the deputy minister of Health and Social Services indicating progress is being made on the first recommendation, with a report promised by the beginning of January. The department didn't provide a specific timeframe for the security recommendation, but a letter from July states that it intends to come up with a plan in a "reasonable" timeframe.