Digital Health Information Standards

Amy S Van Wey Lovatt (Account suspended) made this Official Information request to Ministry of Health

Response to this request is long overdue. By law Ministry of Health should have responded by now (details and exceptions). The requester can complain to the Ombudsman.

From: Amy S Van Wey Lovatt (Account suspended)

Dear Ministry of Health,

RE: Protection against interception of digital health information

According to the Ministry of Health website, the MoH is responsible for Digital health sector architecture, standards and governance, which includes the Health information standards. My requests pertain to the privacy of patient information, and how that information is kept secure, specifically in regards to the Operation Policy Framework 2019/2020 (OPF), which requires health organisations' compliance with the international standard HISO 10029:2015 Health Information Security Framework (HISF).

Request 1:
According to the Beehive website, Minister Clark's email address is d.clark[@]ministers.govt.nz. It is “uniquely identifiable” to Minister Clark and, as you may be aware, may act as an electronic signature for Minister Clark. Please confirm whether “uniquely identifiable” email accounts are considered “applications that require authentication” and thus require “a secure logon mechanism” to “ensure individual responsibility” under section 10.2 of the HISF (pgs 36-37).

To give my following requests context, please consider the following scenario.

Patient X sent personal health information and questions to Dr Zigler’s email address, Jane.Zigler[@]LocalDHB.govt.nz, with the intent that Dr Zigler would receive the questions and have answers prepared for an upcoming visit. However, at the appointment both Dr Zigler and Patient X find out that Dr Zigler never received the email. Investigation revealed that this was because a system administrator in the IT department had used their “administrator rights” to reroute all of Patient X’s incoming emails to Richard.Hed[@]LocalDHB.govt.nz, a non-clinical staff member’s individual email account. Mr Richard Hed had made the request stating he had his (non-clinical) manager’s approval to do so, but no-one in IT verified that the patient or medical staff had agreed to the “rerouting” and “interception” of emails. Again, the rerouting of the email was done without the knowledge of either Dr Zigler or Patient X. Further, Patient X had never given Mr Richard Hed permission to access Patient X’s personal health information.

Request 2:
Under section 8.2 of the HISF (p 28) health organizations are required to protect personal health information exchanged over a network from interception or incorrect routing, within or between agencies (p 29). Please confirm (a) that under this provision, this includes “interception” of emails which are uniquely identifiable or “rerouting” of emails intended for one uniquely identifiable account to another and (b) that the scenario provided is an example of a breach of the HISF standard on protection against “interception or incorrect routing”.

Request 3:
Section 10.2 (p 36) of the HISF requires that systems administrators, who have “privileged user accounts (administrator rights)”, may not use their administrative rights to “over-ride access”. Please confirm (a) that this means that system administrators may not use their administrator rights to “re-route” emails from one “uniquely identifiable account” to another, without the expressed permission of the individual to whom that email account is “uniquely identifiable” and (b) that the given scenario is an example of a breach of the HISF standard on protection against misuse of “administrator rights” by a systems administrator.

Request 4:
I respectfully request a list, with specified page or section, of relevant legal, professional and ethical standards which would be considered by the Digital Health Team to have been breached by the “rerouting” and “interception” of the private email communications between Patient X and Dr Zigler, as portrayed in the given scenario.

Request 5:
Please consider including similar such scenarios in the next version of the standards to help physicians, health organizations, and patients understand what is considered a breach of standards. Please also consider the inclusion of the legal implications of such breaches to the security and inappropriate access of private health information, including the interception or rerouting of private email communications.

Thank you for your help and assistance in this matter. I look forward to your response.

Kindest regards,

Amy S Van Wey Lovatt

From: Ministry of Health

Dear Amy

I am writing further to your emails for information.

As set out in section 12, if you wish to pursue obtaining information not
in the public domain, you may be asked to provide evidence that you meet
the requirements of the Official Information Act, set out below.

Section 12
(1) Any person, being—
(a) a New Zealand citizen; or
(b) a permanent resident of New Zealand; or
(c) a person who is in New Zealand; or
(d) a body corporate which is incorporated in New Zealand; or
(e) a body corporate which is incorporated outside New Zealand but which
has a place of business in New Zealand,—

In this instance, the Ministry requests that you provide evidence to show
that you meet the requirements as set out in section 12.

The Ministry will proceed to processing your request upon receiving
confirmation.

For further information please refer to the OIA legislation website:
[1]http://www.legislation.govt.nz/act/publi...

I trust this has been of assistance.

Please feel free to get in touch if you have any queries.

Yours sincerely,

OIA Services
Government Services
Office of the Director-General
Ministry of Health
E: [email address]


From: Amy S Van Wey Lovatt (Account suspended)

Dear Ministry of Health,

I became a NZ Citizen on 14 August 2019, which may be confirmed with the Department of Internal Affairs.

Yours faithfully,

Amy S Van Wey Lovatt

From: Ministry of Health

Attachment: H202000329 ASVWL Response.pdf

Kia ora Amy

Please find attached a letter regarding your request for information.

Ngā mihi
Jan

OIA Services
Government Services
Office of the Director-General
Ministry of Health
E: [email address]


From: Amy S Van Wey Lovatt (Account suspended)

Dear Ministry of Health,

I am quite confused by the response I received from Mr Allan that the information does not exist. I respectfully request, pursuant to s 14 of the OIA, that my request be forwarded to Digital Health Department [[email address]] and the Digital Advisory Board for response.

Kind regards,

Amy S Van Wey Lovatt

From: Ministry of Health

Kia ora Amy

The Digital Health Department is under the Ministry and therefore the
decision to refuse your request under 18(g) still stands. The Digital
Advisory Board is not subject to the Act therefore it would be
inappropriate to transfer this to them under section 14. This request is
now deemed closed.

Ngā mihi

OIA Services
Government Services
Office of the Director-General
Ministry of Health
E: [email address]


From: Amy S Van Wey Lovatt (Account suspended)

Dear Ministry of Health,

Thank you very much for your response, however, I am still confused as to how 18(g) applies to my request. I am asking for clarification from the individuals at the MoH who have developed the Digital Health Information Standards.

Request 1:
I respectfully request that you please clarify the response. According to the MoH website "The Ministry develops, maintains and implements enterprise architecture and standards that enable data within the health and disability sector to be recorded and used efficiently, consistently and securely. "

Are you saying that the individuals within the Ministry who are responsible for the development, maintenance and implementation of enterprise architecture and standards that enable data within the health and disability sector to be recorded and used efficiently, consistently and securely are not able to provide clarifying comments about those standards because:
(1) the individuals no longer exist; or
(2) the team within the MoH who are responsible for these activities no longer exists and no other agency is currently responsible for the development, maintenance and implementation of standards regarding digital health information, privacy and security.

Request 2:
For each of the requests in my original OIA submission, please explain to me exactly how section 18(g) is applicable to the request.

Thank you for your time and careful consideration of my questions.

Yours faithfully,

Amy S Van Wey Lovatt
