Privacy commissioner calls for full disclosure after medical breach

The officer of the Saskatchewan Information and Privacy Commissioner challenges the Saskatoon Health Region to disclose the name and the punishment received by an employee who they caught snooping medical records.

This year the Saskatoon Health Region (SHR) found an employee snooping her own medical records and the records of five others without reason. The health region said the employee claimed she was bored and curious when the breach occurred.

Health region CEO Dan Florizone said on Tuesday that the employee was disciplined, but the person’s name and the degree of the punishment wouldn’t be released, despite calls from the privacy commissioner.

“From what I understand, the privacy commissioner wants us to name the individual and to indicate what the severity of the sanction was, and all I’m saying is, for us to do that we would need a legal review to be able to determine if it’s justified,” Florizone said.

The privacy commissioner also urged the health region to tighten its belt when it comes to disciplinary action against employees who snoop.

In an investigative report into the privacy breach, commissioner Ronald J. Kruzeniski made a number of recommendations to the SHR including recommending that they disclose the identity of the snooper and the details of the disciplinary action taken against the snooper to affected individuals and to employee of the health region.

“An employee who has snooped should have a diminished expectation of privacy,” Kruzeniski wrote. “I strongly recommend the (SHR) disclose disciplinary action taken against employees who snoop.”

Kruzeniski offered recommendations to the health region’s approach to dealing with snooping including: suspending employees who have snooped, monitor employees who have snooped for a period of years rather than months and terminate employees who have snooped intentionally or maliciously.

Florizone said there’s no case law to justify releasing personnel information and the degree of punishment applied.

However the recommendations made by the privacy commissioner will be reviewed and Florizone said there is a chance those recommendations could lead to further policy changes.

“You may think looking up your own file is a breach of confidentially but it is a breach of our policies. We ask our staff not to look at their own records because there is a practice about access to records,” Florizone said.

In 2014-2015 the health region report 88 breaches, 72 which were considered level one breach meaning they were unintentional. Level two breaches, where employees intentionally breach privacy but don’t act maliciously, the SHR reported 15 of those. Only one case was considered a level three breath, where the breach was intentional and for a malicious reason.

Florizone said those numbers isn’t anything to be proud of.

“When you look at 15 level two breaches that’s a significant number, one is too many and we’re thrilled the privacy commissioner is coming with a harder line. We’re hoping to use it to create rationale to more stringent policies,” he said. “This is rare but not rare enough for us.”

fbiber@rawlco.com

Follow on Twitter: @Notthebeebs