The Saskatchewan Health Authority (SHA) has released details on a breach that occurred last year, which affects home care patients in the Estevan area and spanned nearly a decade.
According to an e-mail from the SHA sent to the Mercury last week, in May 2017, the former Sun Country Regional Health Authority (now part of the SHA) learned of a potential privacy breach by an employee with home care in Estevan that involved access to the electronic records of home care clients in Estevan and the surrounding area.
Pat Stuart, the executive director for privacy and health information management services with the SHA, said an internal investigation was conducted and concluded that an employee had accessed personal health information, held in an electronic medical record system, that was not needed in the performance of the employee’s work.
The breach involved 880 clients in the period from June 2010 to May 2017.
An investigation was able to identify all of the home care clients that were affected by the privacy breach, and individuals affected were sent notification letters.
“While this breach did not affect the health care of the clients, the Saskatchewan Health Authority understands that this breach of privacy is a violation of the trust placed in us by our patients, long-term care residents and community clients,” said Stuart. “Strengthening patient confidentiality practices, including use of system audits, is a high priority for the Saskatchewan Health Authority.”
As a result of the investigation, the following measures have been taken by the SHA:
· Develop role-based permissions in the electronic medical record system to ensure users have the minimum access required to perform their job duties;
· Additional privacy education for all home care staff and re-signing of the pledge of confidentiality annually;
· Develop an audit and monitoring program for the electronic medical record system on a monthly basis;
· The electronic medical record system’s automatic pop-up display message was updated to reinforce the responsibility of users to protect client privacy and confidentiality, and to only access clients’ personal health information based on a need to know. The pop-up reminder is displayed every time a user logs on to the system. The user must accept the terms within the message box in order to continue into the system.
· Improvement of staff education and training for the electronic medical record system including specific training on privacy and the need to know.
· Continue to work on improving policy and procedures, including staff education and training for all staff in the area.
“The internal investigation has been completed,” said Stuart. “The Office of the Saskatchewan Information and Privacy Commissioner is currently reviewing the results of that investigation.”
It is not known how long the privacy commissioner’s review will last.
The employee is not currently at work and does not have access to any electronic health records. Any disciplinary action would follow policies and the terms of the appropriate collective bargaining agreement. No further information on the status of the employee was available.
Stuart stressed that the SHA is fully co-operating with the review.