Report slams medical privacy

Last updated 05:00 10/08/2014


A damning Privacy Commission review shows snooping doctors, nurses and even admin workers can access patients' most personal medical records.

The Office of the Privacy Commissioner identified significant flaws in the security and regulation of three shared care record (SCR) portals used by a number of district health boards. A draft review leaked to the Sunday Star-Times has major concerns about all three portals, noting they need to be "more demanding" of patient security with none of the reviewed SCRs able to provide a compelling picture of how access was audited.

There was also a concern health information was being electronically recorded and monitored without patient knowledge.

SCRs were first used in 2010 as part of a plan to have all patient records electronically accessible by the end of this year. The portals enable shared access to patient information, typically for GPs, after-hours clinicians at emergency departments, and pharmacists - with the review noting public trust in pharmacists was low. A range of information, including medication and prescription details, diagnoses, records of doctors' visits and lab results, was available. Mental and sexual health histories were also potentially available.

The portals reviewed by the commissioner were Care Insight servicing Northland, Gisborne, Nelson and Hawke's Bay DHBs; Compass Health (Wairarapa, MidCentral and Capital and Coast); and eSCR developed by the Canterbury DHB for its own use.

The review found despite high-profile cases where health staff had illegitimately accessed patient records, including when Jesse Ryder's medical information was inappropriately accessed by four health professionals and when health workers checked out x-rays of a man with an eel up his backside, no steps have been taken to secure systems against unauthorised access and malicious attack.

While SCR portals require credentials to gain access, the report highlights concerns with the ease with which staff can bypass permission requests and how often illegitimate access is being monitored.

"[Electronic records] are potentially available to anyone in the world with the appropriate credentials, can be downloaded almost instantly," the report said. "This allows widespread and damaging accidental or malicious disclosures."

Canterbury DHB admitted that up until June this year 538 "red flags" had been recorded on its portal indicating possible unauthorised accesses. Chief medical officer Nigel Millar said all flags had been investigated and confirmed as genuine access.


He welcomed the Privacy Commissioner's review, saying patients could feel comfortable that records could not be accessed externally. Patients can protect elements of their information by telling their GPs what they wanted hidden.

Care Insight chief executive officer Tom Bowden defended its SCR, saying no more than 10 people per region were given login credentials and access was revoked as soon as someone left the district health board.

- Sunday Star Times
