Ex-em­ployee snooped on health records of 1,418 pa­tients: re­port

Pri­vacy com­mis­sioner out­lines breach of Al­berta Health Ser­vices data

Calgary Herald - - CITY+REGION - JANET FRENCH [email protected]­media.com

ED­MON­TON Al­berta may need new ways of pre­vent­ing in­for­ma­tion in elec­tronic health records from fall­ing into the wrong hands, the prov­ince’s pri­vacy com­mis­sioner says in a new re­port.

On Wed­nes­day, the Of­fice of the In­for­ma­tion and Pri­vacy Com­mis­sioner re­leased a re­port con­clud­ing Al­berta Health Ser­vices (AHS) failed to en­sure pri­vacy train­ing and proper over­sight of a for­mer typ­ist and med­i­cal sec­re­tary at a psy­chi­atric hos­pi­tal who im­prop­erly looked at the med­i­cal records of 1,418 pa­tients over 12 years.

“The find­ings from this in­ves­ti­ga­tion sug­gest it is well past time to con­sider whether the cur­rent ap­proach to safe­guard­ing health in­for­ma­tion made avail­able through Net­care, as im­ple­mented by AHS in co-op­er­a­tion with Al­berta Health, is ad­e­quate,” in­for­ma­tion and pri­vacy com­mis­sioner Jill Clay­ton wrote in a pre­am­ble to the re­port.

Clay­ton is now con­sid­er­ing whether she should in­sti­gate a wider re­view of Al­berta Net­care, an elec­tronic med­i­cal record sys­tem that gives 48,946 health-care work­ers ac­cess to di­ag­noses, treat­ment, and med­i­cal im­ages for pa­tients’ phys­i­cal and men­tal health.

Re­port au­thor Chris Stin­ner, a man­ager of spe­cial projects and investigations with the pri­vacy of­fice, also con­cluded too much time had passed to pur­sue charges un­der the Health In­for­ma­tion Act against the for­mer AHS em­ployee.

The two-year limit on lay­ing charges has frus­trated other vic­tims of health record snoop­ing.

In Au­gust 2015, AHS ter­mi­nated the Al­berta Hos­pi­tal em­ployee who broke the pri­vacy rules. How­ever, Stin­ner’s re­port said her co-work­ers re­ported her sus­pected mis­use of the Net­care sys­tem four times to AHS man­agers in the 17 months be­fore she lost her job.

The first three times, man­agers ne­glected to check Net­care data logs to see how the worker was us­ing the sys­tem, Stin­ner said.

In its sub­se­quent in­ves­ti­ga­tion, AHS found the em­ployee looked at the health records of 1,418 pa­tients un­re­lated to her work du­ties, and also viewed lists of 12,861 pa­tients’ data, which in­cluded in­for­ma­tion such as their birth date, gen­der and city where they lived.

Stin­ner’s in­ves­ti­ga­tion found the em­ployee had a sec­ond job con­tract­ing with a pri­vate busi­ness that pro­vided med­i­cal billing ser­vices for doc­tor’s of­fices. There is ev­i­dence the em­ployee did her con­tract work “more than once” while she was sup­posed to be do­ing her AHS job, the re­port said.

After AHS com­pleted its in­ves­ti­ga­tion, it no­ti­fied 12,848 peo­ple their health or other in­for­ma­tion had been im­prop­erly ac­cessed.

The pri­vacy of­fice re­ceived com­plaints from 30 peo­ple af­fected by the breaches.

In a writ­ten state­ment, AHS said it ap­pre­ci­ated the pri­vacy of­fice’s re­port, and has since made “sig­nif­i­cant progress” im­prov­ing the or­ga­ni­za­tion’s pri­vacy cul­ture.

As of this month, 88.5 per cent of AHS em­ploy­ees have com­pleted manda­tory pri­vacy and Health In­for­ma­tion Act train­ing, it said.

The pri­vacy of­fice’s re­port also said AHS added ex­tra Net­care data ac­cess au­dits at Al­berta Hos­pi­tal.

Comments

Newspapers in English

Newspapers from Canada

© PressReader. All rights reserved.