A Regina resident turned to Saskatchewan’s privacy watchdog after discovering the manager of a clinic they had never been to had snooped on their eHealth record over 30 times.

Information and Privacy Commissioner Ronald J. Kruzeniski outlined the incident and subsequent investigation in a report published late last month.

In 2022, the complainant requested an audit report from eHealth to see who had accessed their personal health information. The resulting audit revealed that an office manager at Prairie Internal Medicine Specialists in Regina had accessed the complainant’s records 37 times on three occasions (Apr. 21 and Apr. 22, 2021 as well as Aug. 10, 2022).

An investigation was conducted by eHealth at the victim’s request. eHealth concluded that all of the incidents could be classified as inappropriate access to personal health information.

Both parties confirmed that the complainant had never received treatment at Prairie Internal Medicine Specialists, Kruzeniski outlined.

According to a lawyer representing the clinic, its owner only became aware of the incident when contacted by eHealth “in or around the summer of 2022.”

The office manager responsible for the privacy breaches had their eHealth viewer access revoked for six months. After access had been reinstated, the manager was subject to random audits. These were returned without issue, according to the clinic’s legal representation.

As for why the records were accessed, the office manager had initially explained their actions by saying they occasionally received referrals or medical information intended for doctors who do not practice at the clinic. They went on to say that the access in Aug. 2022 was in order to identify a doctor so that the office manager could forward correspondence they had received in error. At that time, the manager’s superior instructed them to return incorrectly addressed referrals or medical information to the original sender and not to access eHealth in those cases.

The explanation did not cover the breaches on Apr. 21-22 of 2021. Clinic management discovered that the complainant had a connection to a friend of the office manager’s family member. At the time of the breach, the complainant was giving birth to a child. The clinic determined that the manager accessed the complainant’s personal health information in order to see if the child had been born.

Kruzeniski’s office was provided a copy of the clinic’s privacy and security policy manual over the course of the investigation. It was discovered that the office manager in question had written upwards of 25 of the policies included in the manual.

“Since the office manager was the author of the policies in the Policy Manual, then they ought to have been aware that snooping upon the complainant’s personal health information was inappropriate,” Kruzeniski wrote in the report.

The clinic told the commissioner that patient safety or care would be unlikely to be affected by the breach, a point Kruzeniski adamantly disagreed with, while pointing to several instances his office has investigated.

“I caution anyone who believes that snooping does not adversely affect patient safety or care. It does,” he said.

Kruzeniski also noted that the clinic should have taken steps to figure out if the manager had disseminated the victim’s personal health information.

In his recommendations, the commissioner advocated for the clinic and eHealth to forward their investigation files to the Ministry of Justice to allow prosecutors to further consider whether an offence had been committed. Additionally, he recommended that random audits of all employees be done on an ongoing basis.

Lastly, Kruzeniski recommended that eHealth continue to audit the office manager indefinitely – at any place that requires them to have access to the eHealth viewer.