Member Statement & Questions: Health Information Act Implementation

Link: Health Information Act

Thank you, Mr. Speaker. Mr. Speaker, I usually take this opportunity to talk about issues specific to Hay River, but, believe it or not, there are important issues beyond Hay River’s borders as well. Today, I am using my Member’s statement to inform the public about an issue that affects everyone in the territory.

In 2015, the NWT’s new Health Information Act came into force. The act establishes the rules for the collection, use, disclosure, and security of every resident’s personal health information. It is intended to balance one’s privacy with the need to provide healthcare services. The Department of Health and Social Services, regional health authorities, pharmacies, and healthcare providers in the private sector are all governed by the act.

Individuals are given important rights under the act, including the right to set limits on the collection, use, and sharing of your personal health information; the right to withdraw your consent for the collection, use, or sharing of your personal information; and the right to access and be informed about the use and sharing of your personal information.

These rights are based on the concept of implied consent, meaning that, if you access healthcare services, you are agreeing for your information to be shared. If you wish to limit the use of your information, you can do so, but the conditions must be put in writing. However, the mechanisms to enforce these wishes don’t seem to exist.

In her most recent annual report, the NWT’s Information and Privacy Commissioner raised some serious concerns with how this legislation is being implemented and stated there is still much work to be done to ensure compliance with the new obligations that the act places on those who can access your information and to ensure public awareness of the rights the act provides.

The Commissioner also noted that the act requires the Department of Health to undertake a privacy impact assessment whenever there is a proposed change to an information system relating to the collection, use, or disclosure of personal health information.

The Information and Privacy Commissioner stated that the Department of Health and Social Services contravened the act by not doing this in advance of the amalgamation of the health boards, which the Minister referred to today as the “system transformation.” The department’s decision was made despite the recommendations of the 17th Assembly’s Standing Committee on Social Programs that it do so.

I agree with the Commissioner’s assessment, and I believe that the department’s interpretation of the legal requirement to conduct a privacy impact assessment is flawed.

The government has stated that the department takes the privacy concerns of patients and clients very seriously, yet they are refusing to undertake a privacy impact assessment, even though our Information and Privacy Commissioner is telling them that the law requires them to do so. Later today I will have questions for the Minister on the implementation of the Health Information Act. Thank you, Mr. Speaker.

Questions 674-18(2)

MR. SIMPSON: Thank you, Mr. Speaker. I have some questions for the Minister of Health and Social Services. Earlier I spoke about the Health Information Act, and the purpose of the Health Information Act is to govern the collection, use, disclosure, and protection of personal health information while balancing the right to personal privacy with a need to deliver healthcare services.

I will not debate the Minister about whether or not the section of the act that applies to privacy impact assessments. I will not debate whether that applies to the health authority amalgamation. I have done that, but the department clearly disagrees with me and the Privacy Commissioner and the Standing Committee on Social Programs.
So I will just ask the Minister: will the department provide assurance to the public and to Members of this House that all of our rights are being properly protected by undertaking a privacy impact assessment as required by law under the Health Information Act? Thank you, Mr. Speaker.

MR. SPEAKER: Masi. Minister for Health and Social Services.

HON. GLEN ABERNETHY: Thank you, Mr. Speaker. Mr. Speaker, under the Health Information Act, the Department of Health and Social Services and its authorities are required to complete privacy impact assessments before implementing a change to or implementing new information systems or communications technology that involved collection, use or disclosure of personal health information.
To be clear, Mr. Speaker, there have been no changes to the Department of Health and Social Services Authorities Health Information Systems as a result of system transformation. These systems were in place and utilized by the authorities prior to amalgamation. So under the legislation we are not required to do a privacy impact assessment on the transformation.

Having said that, Mr. Speaker, we do take privacy very seriously in the Department of Health and Social Services and our authorities. We are currently working towards the implementation of one shared Risk Assessment Management Reporting Information System as well as one shared Clinical Information System, and as per the legislation and our due diligence we are doing PIAs on both of those systems that we are implementing. Thank you, Mr. Speaker.

MR. SIMPSON: I guess what it comes down to is the department believes that an information system is an electronic information system, a piece of software. I will post on my website my argument against that because clearly the legislation speaks differently to it. So I will take that as a no for now and I will keep fighting this, but I only heard about the Health Information Act because I am a member of the Standing Committee on Government Operations, and now that I know about it I can attest that it is difficult to comprehend.

Our Information and Privacy Commissioner says that it is one of the most complicated and confusing pieces of legislation she has ever seen and she is a lawyer.
Given this, I ask the Minister what has the department done to inform and advise the public of their new rights and obligations under this act.

HON. GLEN ABERNETHY: When the Member raised this before, I clearly take issues of privacy very seriously and I actually had our policy staff as well as legal do an in-depth review of the Health Information Act, and there appears to be a misunderstanding that the changes to the information systems occurred because of system transformation. The fact is there were no changes to the information systems. Whether they are digital systems or non-digital systems, there were not changes to the systems as a result of health transformation. There are changes to systems coming and we are doing the PIAs accordingly as per our terms and conditions.

Mr. Speaker, when the Health Information Act was going through the House, the Information Privacy Commissioner actually had a number of concerns and they focused around the need for policies and training to ensure compliance with the Health Information Act. The need for more public awareness efforts to ensure clients know their rights, the EMR system and its ability to address client consent conditions needs to be clear and understood,

Mr. Speaker, we have moved on all of those recommendations. Additional privacy policies are being developed to address privacy breaches, Privacy Impact Assessments, masking the types of things that need to be done in order to ensure our residents’ privacy is protected.

We have training modules that have been conducted throughout the Northwest Territories for staff and we are rolling our more modules all the time and more training to ensure our staff, new staff as well as existing staff, get the appropriate training.

Mr. Speaker, we have over 1,500 brochures that have been distributed and 1,000 notices that have been distributed throughout the Northwest Territories to residents who are accessing our systems. We are working on e-versions of those brochures to get that information out so the information is widely distributed so people know their rights, know when they can say they do not want their information shared.

We are still in the early days, Mr. Speaker, with the Health Information Act, and we can get better and better and better as we go on; and we will.

MR. SIMPSON: I just want to clarify something the Minister said. He said there was no information system changes as a result of the amalgamation, the system transformation as it were. Now, was he referring only to the electronic system because what a system is it is a way of organizing, collecting, and storing information? It is not necessarily electronic. It could be handwritten, and my understanding was this Health Transformation System, the health transformation was because there was eight authorities with eight different ways of doing things. So are the eight authorities which are now one, are they still doing things differently or did they change the way they are doing things under the System Transformation? So I just want to clear that up with the Minister.

HON. GLEN ABERNETHY: To be clear, once again, under the Health Information Act the Department of Health and Social Services are required to complete Privacy Impact Assessments before implementing a change to or implementing a new information system or communications technology that involves, and I think this is the key point, the collection, use, or disclosure of personal health information.

Mr. Speaker, we already had EMR in the Northwest Territories and we were rolling it out throughout the Northwest Territories. We did not change that; that was still the same. With the health amalgamation moving to a single authority we were able to put in place standard protocols for procedure and actions when people present. That is different than dealing with the personal health information. The Health Information Act is dealing with personal health information.

MR. SIMPSON: Thank you, Mr. Speaker. Moving on, I understand that the act obligates health information custodians, like the health authorities, to ensure that health information is protected. The electronic information system used to collect and store information doesn’t have the functionality to shield or protect information from being accessed when an individual requests that information not be made available to a certain custodian.

If you were to put in a request and say I don’t want this pharmacy or this pharmacist having access to this information, you have to write a letter to someone at the department and they are supposed to honour that request, yet the system doesn’t allow for that. What steps are being taken to ensure that these sort of requests can be honoured in the future? Thank you, Mr. Speaker.

HON. GLEN ABERNETHY: Thank you, Mr. Speaker. Mr. Speaker, the department has actually been working with TELUS to upgrade our ENR to be able to mask or hide client information to address consent conditions brought forward by clients, those individuals who don’t want their information seen. Limited masking is currently available in the ENR but there is an upgrade that is currently being installed and tested. It was put in place in September 2016. We are doing some testing on it now that will do exactly what the Member is asking. Thank you, Mr. Speaker.