Health watchdog probes 14 breaches per month
Incidents investigated in Saskatoon region have increased ‘year over year’
The privacy of 30 people was breached when a Saskatoon City Hospital employee — instead of shredding documents with patients’ personal health information — took them home and put them in a bag that ended up in someone else’s garbage can.
The incident, which happened in July 2016, was one of roughly 14 privacy breaches a month that are investigated by the Saskatoon Health Region’s privacy office.
For the 2015-16 fiscal year, the health region’s privacy office investigated 164 privacy breaches that were either reported or identified through an audit process. The number of breaches investigated has seen “a bit of an increase year over year,” largely because more people are becoming aware of their right to have their personal health information protected, said Lori Frank, the director of enterprise risk management at the Saskatoon Health Region.
Another factor in the uptick in investigations could be the increasing use of social media.
“In some cases we forget our boundaries sometimes with social media, especially if we think we’re in a closed group on a Facebook page or what have you so those are the kinds of things that we’ve seen a bit of,” Frank said. “We’re very sensitive to making sure that our education incorporates that social media piece and that we’re flagging that for staff and physicians — that it’s not an extension of the workplace, you have to be very careful about that.”
The health region categorizes privacy breaches into three different levels. Level-one privacy violations are unintentional and include people leaving personal health information unattended in public areas or not logging off of computers that hold personal health information. Level-two violations are intentional but non-malicious, while level-three violations are intentional and malicious. Both level-two and three breaches result in employee discipline — up to and including suspension for those guilty of leveltwo breaches and a suspension or termination for those accused of level-three breaches.
In 2015-16 there were 94 investigations into level-one breaches, 22 into level-two breaches, four into level-three breaches and 44 investigations into breaches that proved to be unsubstantiated. The Saskatoon StarPhoenix received copies of the most recent investigations into level two and three breaches dating back to January 2016 under access to information legislation.
“Any kind of breach, no matter what level of breach, we have serious concerns about it,” Frank said. “That’s why we have the resources that we do and the expertise we do within privacy and access.”
The garbage breach, which was classified as a level-two breach, was reported after a Saskatoon resident became frustrated that someone who didn’t live in her home was throwing bags of trash in her garbage can last summer. The resident eventually opened one of the bags in an attempt to figure out who the culprit was. Within, she discovered used needles, fecalstained pads, dirty gauze, empty prescription bottles and a white grocery bag that contained a bank statement torn into three pieces and five pages of hospital “tick sheets” that listed patients’ names, room numbers, diagnoses, mobility and other comments.
The bag was turned over to the health region’s privacy officer who, by looking at the name on the bank statement in the grocery bag, was able to determine where the documents had come from.
The employee linked to the documents told the privacy officer she inadvertently took the documents home instead of placing them into a shredding bin before she left work. The employee said she put the items in her recycling bin and that her sister threw them out with the garbage — a scenario that had happened on more than one occasion. The issue of the soiled pads and needles was not addressed by the privacy investigation.
Notifications were sent out to all affected patients or their next of kin to let them know about the privacy breach. The privacy officer recommended the employee be disciplined, though the discipline handed down was not detailed in the privacy report.
Privacy breaches are not limited to sensitive documents ending up in the garbage and incidents investigated by the health region cover “quite a wide swath” of scenarios, Frank said.
For example, since the beginning of 2016, the health region’s privacy office has investigated reports of health region employees posting inappropriate information on Facebook, a nurse clinician who used health region software to access the medical records of people who weren’t her clients, a physician who talked loudly about a patient while waiting in line at the St. Paul’s Hospital Tim Hortons, a home care employee who left documents at a client’s home and a patient who stole documents from a unit.
In one level-three breach reported in June 2015, a health region employee’s request to hire his common-law wife as a research assistant was denied, but he allowed her to collect clients’ personal health information anyways.
In most instances, investigations into privacy breaches result in the health region providing more education to employees about privacy and confidentiality legislation.
While many breach investigations result from complaints, some are triggered by regular audits. For example, Frank said the health region audits whose electronic health information employees access. If employees look up health information of people with the same last name as themselves, flags are raised and the privacy office will look to see if the access was legitimate or not.