For the second time in a month, British Columbia's largest health authority has been criticized over its handling of computerized patient health records.

According to Privacy Commissioner Paul Fraser Friday, the personal health information database set up by the Vancouver Coastal Health Authority lacks privacy, as it accessible to about 4,000 users.

The Primary Access Regional Information System, also known by its acronym PARIS, is compiled of information about patients' finances, social insurance numbers, diagnoses, care and doctors' and counsellors' notes.

From the privacy perspective, Fraser informs of major deficiencies found over the course of the three year investigation, in the implementation of PARIS.

It is of major concern to see far too many people having access to too much of this information compiled over the last nine years, Fraser said of the database.

Various health care providers working in community programmes, mental health, addictions, public health and communicable diseases access the system.

Not only does the system lack adequate security, records are stored for too long without being archived or destroyed, even when no longer required.

One of the eight databases in BC containing patient information, lessons learnt from the PARIS investigation will carry over into all other electronic health databases, Fraser said.

He believes learning from the mistakes identified in this information, health authorities must ensure privacy is part of the entire functional design and not added on at the end.

Health information is collected electronically for easy access of health care providers so that they can impart better treatment. Even so, Fraser also said the health authority has been making major strides in fixing the problem.

Similar findings were reported last month by John Doyle, Auditor General, who said far too many people had access to sensitive information, which he described as being vulnerable to hackers.

Fraser's 20 recommendations for the health authority include collecting only minimal personal information, with records archived annually and with limited access to them.

As well, staff should complete privacy training every year, including signing confidentiality agreements on an annual basis, he recommends.