Sign up for the paNOW newsletter

Employee fired from health region for ‘snooping’ in patient records

Sep 12, 2017 | 5:00 PM

An employee from the Prince Albert Parkland Health Region (PAPHR) has been terminated for what a report from the Information and Privacy Commissioner called “snooping” in patient records.

The report states the employee intentionally breached the records of 14 individuals, 13 of which she had personal relationships with. The breach was caught by the health region through a routine audit on June 14. The employee was not named in the report.

In a letter sent to the office of Saskatchewan Information and Privacy Commissioner Ronald J. Kruzeniski on June 29, Parkland said the employee looked up records “out of curiosity.” 

Kruzeniski wrote that the “HIPA (Health Information Privacy Act) does not authorize using personal health information to satisfy one’s curiosity.”

This was also not the first time the employee had been disciplined for this deed. In May 2017, the employee was suspended for five days after she was found to have snooped on two patients in the Pharmaceutical Information Program. 

Kruzeniski wrote the health region had taken the appropriate steps to contain the breach and has sufficient means in place to prevent similar incidents from unfolding in the future. 

Both parties agreed the root cause of the incident was an intentional breach of privacy.

PAPHR, soon after learning of the breach, informed those affected with a written letter. It contained a description of what happened, how they found the breach, what information was involved, an apology and the contact information of the health region’s Privacy and Information Officer, alongside their provincial counterpart.

While the Privacy Commissioner said the letter sent out contained “appropriate elements,” Kruzeniski wished it had contained the name of the employee. The letter simply described the employee as someone “not involved in the patient’s medical care.”

“The identity of the employee is important information for the affected individual to determine the harm or consequences that may come to them of the privacy breach,” Kruzeniski wrote. “For example, if the snooper was someone with whom the affected individual had an acrimonious relationship, the affected individual may need to take additional steps to protect him or herself.”

He recommends the head of the health region disclose the name of the employee to those whose information was breached and relay the fact the employee had been terminated.

In a written response to paNOW, PAPHR said it takes its role under HIPA seriously, including conducting audits of the electronic patient’s records.

“The Health Region has policies and procedures to guide and educate all of our employees, physicians and volunteers regarding their role in protecting the privacy of everyone in our care.” 

“This includes annually signing confidentiality agreements, and continuing education. Incidents such as this are an important example for employees, physicians and volunteers to ensure that they are only accessing information when required to do their work.”

 

tyler.marr@jpbg.ca

On Twitter: @JournoMarr