Acting Information and Privacy Commissioner Paul Fraser has released the findings of an extensive investigation into the adequacy of privacy protection in Vancouver Coastal Health Authority’s community-based electronic health record system known as the Primary Access Regional Information System (PARIS). The Commissioner’s investigation found that privacy was a missing ingredient in the early development stages of the PARIS system.
“In the course of our three-year investigation we discovered major deficiencies in the implementation of PARIS from a privacy perspective. However, the Vancouver Coastal Health Authority has made significant strides in addressing the identified deficiencies,” stated the Commissioner.
PARIS is an integrated electronic health record, used and accessed by a host of health-care providers working in community programs, including home and community care, mental health, addictions, public health and communicable diseases.
Significant findings include:
- Too many users have access to too much personal information.
- Several data flows of personal information outside of the health authority are not authorized.
- Records are stored indefinitely
PARIS was the subject of a recent audit by the Office of the Auditor General that was initiated at the request of the Information and Privacy Commissioner. The Auditor General’s report evaluated the adequacy of security in the PARIS and found serious weaknesses in the security of PARIS. The Commissioner’s investigation confirmed these findings.
The Commissioner added, “The lessons we have learned from the PARIS investigation carry over into all other electronic health databases. Health authorities must learn from the mistakes identified in this investigation by ensuring that privacy is not added on at the end, but baked into the entire functional design.”
The Commissioner’s report includes 20 recommendations. Read the 60-page report on the website of the Office of the Information and Privacy Commissioner for British Columbia.