Snooping occurs on a regular basis but few organizations are willing to deal with it. Whenever an individual, such as a doctor, a nurse, or a clinic staff member accesses a patient’s record without a work-related need, this is considered snooping. Unless an employee is within the patient’s circle of care (i.e. delivering direct patient care) the individual has no business accessing the personal health information of that individual and is contravening the use for which that information was gathered.
Many, if not most, of these instances go unnoticed, but with the shift to electronic record storage and file management systems, access to records can be tracked by clinic owners/health information custodians. If properly set up, the electrofnic file management system can help identify individuals who are snooping and allow the organization to reprimand those individuals. Even if the organization has not transitioned to electronic file management systems, that does not excuse an ignorance of this problem.
What Happened
In a recent case, a Complainant requested and obtained an electronic log of access to their personal health information stored in the Health PEI’s Clinical Information System, the agency responsible for delivering publicly funded health services in the province. After reviewing the logs, he noticed that an employee, that the complainant knew, accessed their personal health information multiple times. The log showed that some of the dates when the file was accessed the Complainant was not admitted to a hospital.
The Complainant reported their findings to Health PEI and an investigation ensued. The institution determined that some, but not all of the accesses to the Complainant’s charts were consistent with the performance of the employee’s duties. When consulted about the access, the employee advised that all access to the Complainant’s information was for professional reasons but noted that there was a “long history of a volatile relationship” between the employee and the Complainant. It was suggested that the privacy complaint was made with malicious intent arising from this tenuous relationship.
Ultimately, Health PEI concluded that the employee had accessed the personal health information without authorization. At a minimum, some of the accesses to the Complainant’s records were not authorized based on the determination that in several instances there was no evidence that access to the information was required for the performance of the employee’s duties. Importantly, the employee could not substantiate the claim that all access was for professional reasons.
Aftermath and the Commissioner’s Investigation
As a result of the investigation, Health PEI established a performance management plan for the employee, which included disciplinary measures. The institution was also implementing improvements for privacy awareness and compliance with policies through training and random auditing of access.
During a meeting with the Complainant, Health PEI shared the findings of the investigation and the steps that will be taken. Subsequently, a letter was sent to the Complainant outlining the findings and apologizing for the unauthorized access. In response, the Complainant sought specifics of the disciplinary measures taken, which Health PEI refused to provide.
Health PEI also reported the breach in a timely fashion to the Privacy Commissioner, who conducted its own investigation pursuant to the Health Information Act. The Commissioner concluded that the organization had properly responded to the breach. While the Complainant wanted to know what disciplinary measures were taken, the Commissioner agreed with the refusal but noted that the organization ought to provide assurances that personal health information would be protected in the future. The Commissioner also recommended that Health PEI implement regular auditing of their employee’s access to electronic records.
The Commissioner found that the institution notified the Complainant and the Commissioner at the first reasonable opportunity following the discovery of the breach and that Health PEI established reasonable information practices to protect personal health information from unauthorized access by others. Further, the Commissioner found that Health PEI took reasonable steps to contain the breach and investigate it. While the Commissioner found that implementing staff training and disciplining the employee were reasonable steps to remediate the incident, further assurances needed to be made to the Complainant. Specifically, the Complainant ought to be reassured that their health information was secure. To address this, the Commissioner recommended that Health PEI introduce regular auditing of employee access to the computer system with particular attention to the Complainant’s records.
Takeaway
Although we may not notice it immediately, unauthorized access to personal records, or snooping, are a frequent occurrence. Organizations must implement policies to minimize the frequency of snooping and reprimand the employees that engage in such behaviour. More importantly, these instances are considered breaches of security safeguards and the organization may be required to report the breach to the Privacy Commissioner and notify the affected individual.
As demonstrated in this case, organizations must have a plan in place to respond to such breaches in a timely fashion. If investigated, an organization’s quick response to a breach and proper follow up (i.e. notification and reporting) will be looked at favourably. Organizations can rest assured that their internal sanctioning policies (i.e. reprimanding of their employees) can largely remain confidential. In other words, organizations do not need to report to an affected customer the sanctions that were made against a staff member. This eases the pressure over the organization and allows it to make more sensible and appropriate decisions.
More importantly, an organization must train their staff to appropriately handle and use their customers’/patients’ data. This includes the legal requirements concerning the collection, use, and disclosure of health information. Policies must be put in place and enforced on a regular basis to ensure all employees are on the same non-snooping page.
See Health PEI (Re), 2019 CanLII 71194 (PE IPC)