Privacy breach at QEH spurs surveillance of an employee's access to health charts
Hospital employee accessed a patient's health records without authorization
P.E.I.'s privacy watchdog wants Health PEI to keep closer tabs on one of its employee's use of patient health records, following a privacy breach last year at Queen Elizabeth Hospital.
That's according to a new report by Information and Privacy Commissioner Karen Rose, posted May 30.
According to the report, in March 2018, a patient received a copy of their electronic patient chart from Health PEI. That chart included a log showing who had accessed the patient's health information, and when.
The patient alerted Health PEI to concerns over one employee at QEH, who was personally known to the patient, who, according to the log, had accessed the patient's medical records several times.
According to the report, when asked about the allegation, the employee told Health PEI that all of their access to the patient's health information was for "professional reasons."
Also, according to the report, the employee indicated "a long history of a volatile relationship" between the employee and patient. The report goes on to say the employee was concerned the privacy complaint was made by the patient "with malicious intent."
Health PEI investigated and found that the employee's job duties required access to patients' medical records, including the patient in question.
However the agency's investigation concluded the employee had accessed, without authorization, the patient's records on some occasions. Health PEI found the employee was unable to offer a reasonable explanation for why the records had been accessed on those occasions.
Victims of unauthorized access to personal health information require reasonable assurance.— Privacy Commissioner Karen Rose
The employee was disciplined, but not fired.
The health agency followed correct procedures, according to the report, in alerting the patient as well as the privacy commissioner, and in containing and investigating the breach.
For remediation Health PEI said it would provide privacy refresher training and would introduce random auditing of staff access to patient electronic charts — in the employee's area.
Employee's access to be audited
But the privacy commissioner recommended Health PEI go further with its monitoring of the employee in question.
"Victims of unauthorized access to personal health information require reasonable assurance that their personal health information will not be put at continued or further risk of unauthorized access," wrote Rose.
The commissioner recommended Health PEI introduce regular auditing of the employee's access to patient records, with particular attention to the personal health information of the patient whose privacy was breached.
Health PEI confirms it will take this action.
The patient affected in this privacy breach wanted to know more about the discipline action imposed on the employee. Health PEI refused to disclose that information, according to the report.
The privacy commissioner accepted Health PEI's position that further disclosure of disciplinary measures was not appropriate in this incident.