
Saskatchewan: Administrator at Sask. clinic accessed resident’s eHealth records more than 30 times

A Regina resident appealed to Saskatchewan’s privacy watchdog after discovering that the manager of a clinic she had never been to had accessed her eHealth records more than 30 times.

Information and Privacy Commissioner Ronald J. Kruzeniski described the incident and the subsequent investigation in a report released late last month.

The complainant requested an audit report from eHealth to see who had access to personal health information in 2022.

The resulting audit found that an office manager at the Prairie Internal Medicine Specialists office in Regina accessed the complainant’s records 37 times on three occasions (April 21 and April 22, 2021, and August 10, 2022).

An investigation was conducted by eHealth at the victim’s request.

eHealth concluded that all incidents could be classified as “improper access” to personal health information.

Kruzeniski stated that both parties confirmed that the complainant never received treatment at Prairie Internal Medicine Specialists.

The clinic’s owner only became aware of the incident when he contacted eHealth “in or around the summer of 2022,” according to an attorney representing the clinic.

The office manager responsible for the privacy violations had their eHealth viewer access revoked for six months. Once access was restored, the office manager was subjected to random audits.

These were returned “without problems,” according to the clinic’s legal declaration.

As for why the records were accessed, the office manager initially explained their actions by saying that they occasionally obtained referrals or medical information for doctors who did not work at the clinic.

They said the access in August 2022 was done to identify a doctor so the office manager could forward correspondence they had mistakenly received.

At the time, the manager’s supervisor instructed them to return misaddressed referrals or medical information to the original sender and not to access eHealth in those cases.

The statement did not cover the violations of April 21-22, 2021.

Clinic management discovered that the complainant had a connection with a friend of the office manager’s family member. The complainant was giving birth to a child when the violation occurred. The clinic determined that the manager had accessed the complainant’s personal health information to find out whether the child had been born.

During the investigation, Kruzeniski’s office was provided with a copy of the clinic’s privacy and security policy manual. It turned out that the office manager in question wrote more than 25 of the policies in the manual.

“Since the office manager was the author of the policies in the Policy Manual, they should have been aware that surveillance of the complainant’s personal health information was inappropriate,” Kruzeniski wrote in the report.

The clinic told the commissioner that patient safety or care would not likely be affected by the breach. Kruzeniski strongly disagreed with this point, citing a few examples his office has investigated.

“I would caution anyone who believes that surveillance does not negatively impact patient safety or care. It does,” he said.

Kruzeniski also said the clinic should have taken steps to determine whether the office manager had disseminated the victim’s personal health information.

In his recommendations, the commissioner advocated for the clinic and eHealth to forward the investigative files to the Ministry of Justice to allow prosecutors to further assess whether a crime has been committed.

He also suggested that random inspections of all employees be carried out on an ongoing basis.

Finally, Kruzeniski recommended that eHealth continue to supervise the office manager indefinitely in any location that requires access to the eHealth viewer.