There were at least 855 privacy breaches of medical records in the province between April 1, 2019 and March 31, according to the Nova Scotia privacy commissioner’s annual report released Wednesday.
Last year’s report also documented at least 800 medical record breaches over the same period.
But the Nova Scotia Health Authority and Nova Scotia government are not required to report all breaches to privacy commissioner Tricia Ralph.
The Personal Health Information Act only requires a health custodian to report breaches to the privacy commissioner where “there is no potential for harm or embarrassment." Whereas, in cases where there is potential for harm or embarrassment, health custodians must only notify the people affected by the privacy breach - and not the privacy commissioner.
The privacy commissioner continues to urge the province to modernize the legislation, including mandating privacy breach reporting to the privacy commissioner’s office.
“Work is required to implement modern legislation that can better protect the access and privacy rights of Nova Scotians,” said Ralph.
The report also zeroed on Nova Scotia’s "patchwork of privacy laws." The commissioner said in the past few years the office has investigated several serious medical record breaches where charges might have been appropriate but the laws didn’t allow that option.
One case involved a pharmacist who used the provincial Drug Information System to look up their own doctor, co-workers, former classmates, child’s girlfriend and her parents, as well as teachers in their child’s school, among others.
The commissioner's office and opposition parties have long lobbied for the commissioner to be given legitimate authority over the government. The commissioner can only make recommendations but has no order-making power that, for example, could make the province report all privacy breaches to the office of the commissioner.
That’s the root of the challenges plaguing the commissioner's office, said NDP Leader Gary Burrill.
“We need an information and privacy commissioner who is empowered to see that their rulings have the force of law and to make them stick," said Burrill.
Last fall his party introduced legislation that would accomplish this but it was not supported by the Liberal government.
The report also shows that the commissioner’s office is dealing with a roughly four-year backlog of privacy and access to information cases. The office received 596 new files last year, up from 562 in the previous year. As of March 31, 293 access to information review files and six privacy complaint files were waiting to be assigned to an investigator. In many review cases, the commissioner recommends information being requested should be made public but the government ignores the advice. The person is then forced to take their request to the courts.
“I don’t know from what angle this meets the standard of openness and transparency," said Burrill. “It’s a government behind a closed door.”
Karla MacFarlane, Tory health-care critic, agreed. Her party has also pushed for the province to grant the privacy commissioner order-making power.
MacFarlane said she’s particularly concerned about the ongoing serious medical record breaches. She said the province is simply not taking the issue seriously.
"What taxpayers want to know is how do we go forward in 2020 to upgrade. modernize and digitize our health records … when there’s no evidence that this government has in place basic privacy protocols," she said.
Municipalities are not subject to oversight from the privacy commissioner’s office and the commissioner has no authority to review privacy complaints about municipalities. Both issues need to be addressed, said Ralph.
The commissioner said her priorities for this year are to meet with stakeholders, address the backlog of cases and provide guidance on updating Nova Scotia’s access and privacy laws.
