Dr. Marlene Smadu is the Vice President of Quality and Transformation with RQHR, and privacy falls under her jurisdiction. Responding to the report after it was made public, she was quick to point out that the region reported all of these privacy breaches and has taken several actions to make changes since the breaches started.
Smadu says the punishment handed out for each case depends on the circumstances, but insists the health region takes all of them very seriously.
“We’ve pursued and were successful in suspension, we’ve also pursued a fine when we believe the motive behind the utilization was malicious,” she explained.
The first reported privacy breach happened in January of 2008 at the Regina General Hospital. Some employees found out one of their co-workers was a patient so they logged on to the health info program and looked at that person’s information.
Smadu explained that the health region took action by firing the person who made the breach, but the arbitrator decided that punishment was too harsh.
“The arbitrator felt that losing one’s job over that violation was too severe and that’s why the person was required to be reinstated,” she said.
The second issue was discovered in June of 2009 in one of the health region's medical labs. A lab assistant tried to access her own files, and when she did, she discovered that someone had made several changes. Her name had been replaced with "vulgarities," the sex and infectious disease information had been changed, and the acronym R.I.P. was in her file.
Smadu said in that case the employee who was responsible for that action was fired.
“That employee was terminated and it was for that particular breach that we pursued a fine through the Ministry of Justice – the person was not fined but that was something that we pursued,” she explained.
In the third case, an employee looked up the health information of the father of her child, his wife, four of the wife's relatives, and another unrelated person. When the woman was interviewed about the breaches of privacy, she said she was bored and curious, and that "everybody does it."
In that case the woman was given a 20-day unpaid suspension from work.
Since the first major privacy breach was discovered, the health region has incorporated 19 security and training upgrades to try to prevent it from happening again. A full-time privacy manager has been hired to help them make progress.
The region also updated its IT security with a tracking system that shows which user IDs access each health file and at what time. That way, Smadu says, they are alerted to anything that looks suspicious and can follow through. The region also tightened the wording around its privacy policies to make it clear access to health files is on a ‘need to know’ basis.
Smadu says the region has come up with a full action plan in response to the privacy commissioner’s report. One of the future steps may include sophisticated software that would link to an employee’s ID badge and automatically log off when they leave the computer.
Despite the passing of the Health Information Privacy Act almost a decade ago, no one has ever been charged for breaching it.