Privacy commissioner says ehealth safeguards inadequate
SASKATOON Saskatchewan’s privacy commissioner is “disappointed” by what he describes as ehealth’s “lack of rigor” in removing a Prince Albert doctor’s access to the patient file system while the doctor was under investigation.
The doctor, Josias Furstenberg, admitted to several professional misconduct charges in June. The College of Physicians and Surgeons unconditionally revoked his licence to practice medicine in Saskatchewan.
The misconduct charges related to inappropriate sexual relationships with patients, providing care to those patients, overprescribing opioids to one of them and breaching patient confidentiality.
Information and Privacy Commissioner Ron Kruzeniski, in his latest report issued Dec. 6, stated that ehealth was notified Furstenberg was under investigation on Nov. 3, 2017, but was not told the nature of the allegations. However, it did not remove his access to the system until Feb. 13, 2018 — one day after it learned of the professional misconduct charges.
“It is best practice to remove an individual’s access to personal health information while investigating allegations of inappropriate behaviour or when an individual is no longer working in the province,” Kruzeniski wrote.
Furstenberg allowed his licence to lapse on Dec. 1, 2017. Professional misconduct charges were laid in November 2017. Kruzeniski wrote that his office learned of the charges through media reports on Dec. 4, 2017.
Shaylene Salazar, ehealth’s vice-president of strategy, quality and risk, said the college contacted ehealth last November about individual patient profile views as the college was investigating Furstenberg for unprofessional conduct. She said ehealth removed his access a little over two months after it learned about the investigation.
“The commissioner’s report is good in that it has highlighted we do need to figure out with the College how we communicate with each other in that regard. Obviously, patient safety and security of their information is very important to us, so we just need to figure out what that process is,” Salazar said.
Since ehealth received the recommendations last week, it needs more time to review them and intends to consult with authorized provider organizations whose access to the medical records system is granted by ehealth, she said.
Kruzeniski also flagged confirmed incidents of Furstenberg gaining unauthorized access to records using credentials granted by organizations at times when he was not associated with them.
Furstenberg’s access to the ehealth database at South Hill Medical Clinic was not removed for six months after he stopped working there in July 2015. During his time there, he never logged into the viewer, but he later viewed a patient’s record at the clinic on Jan. 11, 2016. The clinic revoked his access 16 days later.
Furstenberg used credentials granted through the former Prince Albert Parkland Regional Health Authority five times to access information in 2017, but he hadn’t provided services for the health authority since 2008. The health authority approved his access in July 2016 even though he had only limited privileges.
The Saskatchewan Health Authority told Kruzeniski’s office the former health authority should not have approved his access and said it would review all doctors who were approved for access under the previous health authority.
The health authority’s policy requirement to check once a year to determine whether all of its approved users of the ehealth viewer should still have access is “insufficient,” Kruzeniski wrote. He recommended that health organizations inform ehealth within one week if an approved user should no longer have access.
Salazar said Furstenberg was accessing records remotely through the internet.