Watchdog slams SHA over privacy breaches
Saskatchewan’s privacy czar is blasting the new Saskatchewan Health Authority for not having “adequate safeguards” in place to prevent employees from accessing confidential health information.
Information and Privacy Commissioner Ron Kruzeniski drew that conclusion after investigating two separate incidents where SHA employees intentionally viewed the records of their former partners’ new companions.
In one case, the employee had not received any privacy training and had never heard of the Health Information Protection Act (HIPA) while in the other case, the SHA was unable to point to any privacy training, according to his reports.
“It is shocking that, almost 15 years after HIPA came into force, there are employees (who) have access to an enormous amount of personal health information that have never received privacy training,” Kruzeniski wrote in both reports.
“It is imperative that all SHA employees that have access to personal health information receive privacy training. Annual privacy training is best practice,” he wrote in both decisions, which were handed down late last month.
In the first case, the former partner of an employee in the SHA’s finance department contacted the authority’s privacy officer after growing concerned their ex-companion was inappropriately accessing their new partner’s information.
After receiving the report in March, SHA launched an investigation which concluded the employee had not received privacy training and breached a confidentiality agreement, Kruzeniski said in his report.
“The employee was engaged in a bitter divorce with (the complainant) and was upset about a situation. This was the reason the employee gave for snooping,” the privacy watchdog wrote in the report.
The second case dates back to November 2017, when an individual reported that their former partner — who works in the emergency department of an unnamed Saskatoon hospital — may have been looking at their new companion’s records.
When confronted, the employee denied accessing the records or even knowing the complainant. The employee then “offered the theory that someone may have used (their) computer,” Kruzeniski wrote in his report.
The SHA’s investigation concluded that the employee intentionally accessed the records despite having signed a confidentiality agreement promising to only look at private records when there is a “need to know.”
Kruzeniski stopped short of drawing the same conclusion, but said in his report that the employee should have known it was inappropriate to access the records because they did not have a “need to know.”
That employee was suspended for 20 days, according to the report.
In addition to recommending the SHA provide annual privacy training to all employees with access to confidential records, Kruzeniski said the health authority should make them sign annual confidentiality agreements.
Kruzeniski’s office has the power to make recommendations, but those suggestions are not legally binding under Saskatchewan law.