AHS held responsible for privacy breach
Health agency lacked oversight, failed to carry out policies: watchdog
Alberta Health Services must be held responsible for the actions of its staff who participated in a highprofile privacy breach at Calgary’s South Health Campus, the province’s privacy watchdog has found.
And while the provincial health authority has taken action to address the problems at the Calgary facility, AHS needs to be continually wary of employees “snooping” in patient health records, says assistant privacy commissioner LeRoy Brower.
On Wednesday, the Office of the Information and Privacy Commissioner released its report on a 2015 case that saw 49 AHS employees improperly access the records of a patient and the patient’s daughter at Calgary’s South Health Campus.
In his report, Brower said that while AHS had administrative and technical safeguards for patient privacy in place, the health agency did not take reasonable steps to ensure the technical protections were actually in use.
Furthermore, AHS did not ensure its staff were aware of and adhering to the policy, with no evidence of privacy training for a number of the 49 employees involved.
In an interview Wednesday, Brower said the situation “was due to AHS failing to ensure staff were aware of their responsibilities and . . . the failure really to implement related safeguards.”
“AHS is accountable for the actions of its staff. That being said, staff can only be found responsible to the extent that AHS makes them aware of the policies and their obligations to protect privacy. AHS in this case failed to implement privacy policies and safeguards,” he said.
The privacy breach revolved around a Calgary woman with terminal cancer who gave a fatal dose of drugs to her 19-year-old daughter with Down syndrome. The mother died in November 2015.
More than 160 employees accessed the records but 49 were found to have done so outside of their duties, with many citing “curiosity” as their reason.
AHS was made aware of the situation by an emergency room manager and conducted its investigation in 2015. The 49 employees faced disciplinary action, with at least one being fired.
However, the disciplinary action was either withdrawn or softened, including the firing, following grievances filed by the United Nurses of Alberta and the Alberta Union of Provincial Employees.
Brower said that was appropriate given that the lack of oversight by AHS meant many of the employees thought they were properly following policy.
David Harrigan, director of labour relations for the nurses’ union, said he was glad the case has been resolved but took issue with the idea that the nurses involved were unaware of the privacy safeguards.
He said that the 24 UNA members who had been disciplined had in fact acted properly and had valid medical reasons for accessing the records, which is why the punishment had been dropped.
Brower found in his report that many of the 49 employees left their smart cards — used to access records and identify system users — in the electronic medical system for their entire shift.
That defeats the protection offered by the technology and is a contravention of AHS policy and the Health Information Act, he said.
Brower said AHS handled its investigation properly and thoroughly.
The health organization also moved to address the issues at the South Health Campus, with beefed-up training and education measures, even while the privacy commissioner’s office was conducting its investigation.
Todd Gilchrist, the AHS vicepresident who handles legal and privacy matters, said the health authority accepted the commissioner’s findings.
He noted that the AHS policy requiring mandatory completion of privacy and security training for all staff every three years was relatively new when the South Health Campus situation occurred.
Now, more than 90 per cent of health-care workers have completed the training.
“Since that time, we have put an incredible focus on matters of policy, staff training, structural change and supports within our privacy function,” said Gilchrist.
Despite the progress, however, Brower said there is still an ongoing concern about health workers improperly “snooping” in patient records.
“Similar to this case, we see other cases … where individuals that we’ve trusted to provide us with health services and given them access to this system to do that, snoop in records and use information for purposes completely unrelated to the health care they are provided,” he said.
AHS is accountable for the actions of its staff. ... AHS in this case failed to implement privacy policies and safeguards.