SHA vows to redress holes in staff training on privacy of information
The Saskatchewan Health Authority acknowledges that the former health regions “missed” training some longer-term employees who were on the job when privacy legislation protecting patient information came into effect.
The health authority’s executive director of privacy and information management, Pat Stuart, said the SHA will develop a plan to roll out privacy training to get all 44,000 health authority employees brought up to speed on the privacy policy. The mandatory training is expected to start online at the end of June. Stuart said the training will be reviewed annually.
When the Health Information Protection Act came into effect in 2003, “we probably didn’t have the same processes we do have now for new employees. So, you may have an employee who worked in the health region for 20 years; HIPA was not in force when they started, so they didn’t have privacy training and they haven’t had it since,” Stuart said.
“Our focus, really, has mostly been on new employees. There is a lot of other training that goes on. But we do know that we have missed some of those longer-term employees.”
HIPA includes a section on the trustee’s duty to protect patient information. A trustee in this instance refers to an individual or body entrusted with control over or power of administration over information and has a legal obligation to only use that information for its specified purpose.
“We’re in the process of developing a privacy and security training program and we will ensure that those long term employees who maybe have fallen through the cracks will actually get training and will actually be able to document that training was done,” Stuart said.
However, the SHA’s ability to identify who lacks privacy protection training is dependent on the record-keeping of each individual former health region. Stuart said each region kept track of training differently. Some kept better track of the training, but others did not, she said. The training will cover physicians, health authority staff and volunteers.
Saskatchewan’s Information and Privacy Commissioner, Ron Kruzeniski, issued a report on April 27 about a case in which an employee looked at the personal information of an ex-partner and their new partner, without authorization. The employee was found to not have received privacy training and worked for the Saskatoon Regional Health Authority prior to HIPA coming into force.
In recommending the SHA adopt annual privacy training and that employees sign annual confidentiality agreements, Kruzeniski wrote:
“It is shocking that, almost 15 years after HIPA came into force, there are employees of the SHA which have access to an enormous amount of personal health information that have never received privacy training.”
Kruzeniski’s most recent investigation report, dated April 30, looked at a breach involving 880 patient records. An employee of Sun Country Regional Health Authority,
Our focus, really, has mostly been on new employees . ... But we do know that we have missed some of those longerterm employees
over the course of several years, had used the home care database to look up the files. While Kruzeniski recommended the SHA terminate the employee, he also found that the employee had more access to files than required for their job.
When it comes to role-based access — granting employees the minimum amount of access to information to perform their jobs — Stuart noted the SHA does practice this and would review the access of an employee who has a job role change.
The SHA also does “regular” audits of its databases, according to Stuart. If an audit flags suspicious activity, such as someone looking up the records of people with similar last names repeatedly, it may indicate that the person is looking up family members, which would trigger an investigation by one of the SHA’s privacy officers, she said.
She called the breaches that were discovered “disappointing.”
“Any breach of patients’ or clients’ information, we take it really seriously,” Stuart said. “As an organization, we’re a trustee of a vast amount of health information for the citizens of Saskatchewan and we know the public trusts us to keep their personal health information confidential and we need to ensure that we do that.”