close
close

Le-verdict

News with a Local Lens

Saskatchewan: Director at Sask. clinic searched resident’s e-health record more than 30 times
minsta

Saskatchewan: Director at Sask. clinic searched resident’s e-health record more than 30 times

A Regina resident turned to Saskatchewan’s privacy watchdog after discovering the director of a clinic he had never been to had searched his e-health records more than 30 times.

Information and Privacy Commissioner Ronald J. Kruzeniski described the incident and the subsequent investigation in a report published at the end of last month.

In 2022, the plaintiff requested an audit report from eHealth to find out who had accessed his personal health information.

The resulting audit revealed that an office manager at Prairie Internal Medicine Specialists in Regina accessed the complainant’s records 37 times on three occasions (April 21 and 22, 2021 as well as August 10, 2022).

An investigation was conducted by eHealth at the request of the victim.

eHealth concluded that all incidents could be classified as “inappropriate access” to personal health information.

Both parties confirmed that the complainant had never received treatment from internal medicine specialists on the Prairies, Kruzeniski noted.

According to an attorney representing the clinic, its owner only became aware of the incident when contacted by eHealth “around summer 2022.”

The office manager responsible for the privacy violations had his access to eHealth viewer removed for six months. After access was restored, the manager was subject to random audits.

These were returned “without problem”, according to the clinic’s legal representation.

As for the reasons why the files were consulted, the manager of the practice initially explained his actions by claiming that he occasionally received referrals or medical information intended for doctors who did not practice at the clinic.

They added that the access carried out in August 2022 was intended to identify a doctor so that the head of the office could forward the correspondence they had received in error.

At that time, they were instructed by their supervisor to return misdirected referrals or medical information to the original sender and not access eHealth in those cases.

The explanation did not cover the violations of April 21 and 22, 2021.

Clinic management discovered that the complainant was related to a friend of the office manager’s family member. At the time of the breach, the plaintiff was in the process of giving birth to a child. The clinic determined that the manager had accessed the complainant’s personal health information to see if the child had been born.

Kruzeniski’s office received a copy of the clinic’s privacy and security policy manual during the investigation. The office manager in question was found to have written more than 25 of the policies included in the manual.

“Since the office director was the author of the policies in the Policy Manual, he should have been aware that it was inappropriate to snoop on complainant’s personal health information,” Kruzeniski wrote in the report.

The clinic told the commissioner that patient safety or care would likely not be affected by the violation, a point Kruzeniski categorically disagreed with, while emphasizing several cases his office investigated.

“I caution anyone who believes that spying does not harm patient safety or care. It does,” he said.

Kruzeniski also pointed out that the clinic should have taken steps to determine whether the manager released the victim’s personal health information.

In his recommendations, the commissioner argued for the clinic and eHealth to forward their investigative files to the Department of Justice to allow prosecutors to further examine whether an offense had been committed.

Additionally, it recommended that random checks of all employees be conducted on an ongoing basis.

Finally, Kruzeniski recommended that eHealth continue to audit the office manager indefinitely – at any location that requires him to have access to the eHealth viewer.

LEAVE A RESPONSE

Your email address will not be published. Required fields are marked *