Privacy Breach Prevention Tips

Learn privacy breach prevention from real life scenarios that demonstrate how to apply privacy compliance principles to your day-to-day role.

#1: Privacy training is critical to compliance


The Scenario: Unauthorized records access by staff

An employee of Dr. Smith’s clinic who was on leave entered the clinic during office hours and accessed electronic patient records using another employee’s login credentials. Another staff member later informed Dr. Smith that the employee had improperly accessed the medical records of family and friends and may have removed copies of files from the clinic.

The Outcome: Clinician found responsible

An investigation by the Office of the Information and Privacy Commissioner (OIPC) found that the clinic had policies and procedures in place to prevent such inappropriate access, but none of the staff had been trained on them. No one in the clinic could locate the OIPC-accepted Privacy Impact Assessment that had been completed.

Failing to train staff on the clinic policies and procedures meant to safeguard patient privacy contravenes the Health Information Act (HIA). The actions of untrained staff are the responsibility of the lead custodian.

The Takeaway:

It is not enough to create compliant policies and procedures. To remain compliant with the Health Information Act, all staff must be trained on the accepted policies and procedures, and that training must be documented so that it can be produced if the OIPC asks for it.


#2: Provide patient information properly


The Scenario: Disclosing ECG results to a patient by a custodian who did not requisition the ECG

Mrs. Smith was at her dental clinic for a routine hygiene appointment. During the visit she mentioned to the hygienist that she was anxious about the results of an ECG she had had two days earlier. Wanting to be helpful, the hygienist looked up the results in Netcare and told Mrs. Smith what they said.

The Outcome: Potential Risk of Harm

This is an unauthorized disclosure. The hygienist had no reason connected to her own care of Mrs. Smith to access the ECG in Netcare, so the access contravenes section 107 of the HIA. There is also no way to know whether Mrs. Smith’s physician has yet reviewed the result with her.

The Takeaway: 

Generally speaking, a patient has a right of access to any record containing health information about themselves (section 7(1) of the HIA). However, while a patient has rights to their health information, it matters who provides it. In a situation like this, obtain consent to release the record from the physician who ordered the test, or from the specialist providing the consultation, rather than disclosing it yourself.

Exceptions: section 11 of the HIA allows certain information to be withheld from the patient, for example some mental health and Workers’ Compensation Board (WCB) information, or information whose disclosure could endanger the health or welfare of the patient or others.


#3: Information Manager Agreements


The Scenario: An improper agreement

A custodian engaged an American vendor that wanted to use its own Business Associate Agreement (BAA), the contract form used under HIPAA (US legislation). The BAA did not contain the notifications required in Alberta, and it stated that the vendor would use the information for its own internal purposes, such as research or trend analysis.

The Outcome: Vendor use of health information for internal purposes is not acceptable under the HIA

Vendors that handle health information on behalf of an Alberta custodian must conform to Alberta legislation and must ensure that the health information they collect, use and disclose is handled consistently with it.

In this case the custodian could not demonstrate adequate safeguards and had to decide whether to change vendors or accept the risk of operating without proper safeguards. Because the custodian knew the vendor was using the health information for purposes other than those for which it was collected, the custodian remained responsible for the confidentiality of its patients’ information.

The Takeaway:

Often a BAA or service agreement can be amended to contain the terms required of an information manager agreement under section 7.2 of the Health Information Regulation. Discuss this with your vendor or with a privacy expert to ensure compliant safeguards are in place before any health information is shared.


#4: Assume the worst case (in advance)


The Scenario: Unauthorized third party access

After a break-in, a clinic discovered that patient files had been left on a counter rather than locked away, and that they had been disturbed.

The Outcome: Potential risk of harm

This is unauthorized access. There is no way to prove that the information was not viewed or copied, so a risk of harm to the patients involved cannot be ruled out.

The Takeaway: Enforce appropriate safeguards

Patient information must be secured against unauthorized access; locks on the outer doors are not enough. Files left out in an area an intruder reached must be assumed viewed or copied, since there is no way to prove otherwise and the risk of harm cannot be disproven. Records should be locked away whenever they are not in use.


#5: Managing the information of minors


The Scenario: Unauthorized disclosure to parents

A 16-year-old wants to start using birth control and does not want this disclosed to her mother. Because the mother had been closely involved with the GP the year before in managing her daughter’s severe respiratory illness, when she asked to see the records of her daughter’s latest visit the staff assumed it was acceptable to share them.

The Outcome: 

This is an unauthorized disclosure, and therefore a breach. Alberta has established no set age for a mature minor; the physician must make the determination, considering a variety of factors such as the seriousness of the proposed treatment. The courts generally recognize approximately 16 years as the threshold for maturity, and none have recognized any individual younger than 14 years.

The Takeaway: 

Adequate training prepares staff and physicians for highly charged, emotional demands from patients and family members. If the clinic has no access to a privacy expert, or its privacy officer is not briefed on grey areas such as this, staff tend to give in to the ‘squeakiest wheel’, in this case the concerned mother, and so violate the patient’s rights.


Stay tuned for more tips coming soon!