Series of Unfortunate Errors Leads to Breach of Health Information Act

July 3, 2008

An investigation by the Information and Privacy Commissioner’s Office into the erroneous disclosure of health information has resulted in a number of recommendations for information management companies and HIA custodians.

Earlier this year, a complaint was filed to the Office by a resident of Grande Prairie who had requested his health information from an information management company in charge of his files. The files had been transferred to the information management company by the individual’s physician, who had closed his practice. The individual received his health information but was also given health information belonging to other individuals.

The physician, Dr. Deji Raphael Akintola, had contracted Records Storage and Retrieval Services (RSRS) to store and disclose his files to former patients on demand. While in practice, the physician had used the services of Optimed Software Corporation for his electronic medical records.

The physician asked Optimed to convert his files to PDF format to be managed by RSRS. During that conversion an error was introduced into the records, resulting in health information being disclosed to the wrong patients.

The investigator in the case noted the physician had taken measures to ensure his data were accurate, but that Optimed introduced an error and RSRS failed to check records before sending them out. These errors may have been avoided if the parties involved had given more attention to the provisions in the Health Information Act (HIA) for information managers.

The investigator issued recommendations for all information managers and custodians, including:

  • Custodians may rely on information managers to store, transform and disclose heath information, but remain responsible for the work done on their behalf.
  • Information managers in Alberta should ensure their business models and standard contracts reflect the Health Information Act.
  • Since they are ultimately responsible, custodians must review contracts carefully to ensure their information managers offer services in compliance with the HIA.