Alberta Information and Privacy Commissioner notes the need for changes to the law
EDMONTON – The Edmonton Court of Justice has fined a former employee of Alberta Health Services (AHS) $2000.00 after she pled guilty to unauthorized disclosure of health information of one person in 2020, contrary to the Health Information Act (HIA) of Alberta.
Kayla Satre was working as an Administrative IV Medical Secretary at the University of Alberta Hospital in Edmonton. In her position, she had access to Connect Care, a centralized patient information system, and Netcare, the provincial electronic health information system, in order to perform her duties working from home or on shift at the hospital.
Satre had been charged under HIA with unauthorized access to the health information of 17 individuals, some of whom she had known relationships with, and unauthorized disclosure of health information of two individuals.
An AHS 13-month audit found the unauthorized accesses to health information. The information disclosed included infectious disease information. The disclosure of this information resulted in an individual receiving harassing text messages.
When the case came before a judge last week, it was resolved with Satre’s plea of guilty to unauthorized disclosure of health information of one person. As part of the plea bargaining, the accused agreed to plead guilty to the one charge, and the Crown agreed to not prosecute the other charge.
“The outcome of this case demonstrates an ongoing concern that I discussed in my most recent annual report,” said Information and Privacy Commissioner of Alberta Diane McLeod. “In my report, I noted the alarming trend of snooping by custodians’ employees in health information systems and the use of health information for unauthorized purposes. In this case, the type of information disclosed was very sensitive information, the kind that I have recommended be masked to make it unavailable except to a very limited number of authorized persons accessing the health information systems. Despite the disclosure of such sensitive information and the substantial resources expended both by my office and the Crown Prosecutor’s Office to bring this case to trial, the outcome shows that the law is not structured in such a way to effectively deter snooping.”
On page 10 of her 2023-24 Annual Report, Commissioner McLeod called for her office to be empowered to issue administrative monetary penalties for serious and significant violation of all access and privacy laws in Alberta, arguing that such penalties would serve as stronger deterrence than is the case with the current offence provisions, which are largely failing on that front.
Through the OIPC, the Commissioner performs the responsibilities set out in Alberta’s three access to information and privacy laws, the Freedom of Information and Protection of Privacy Act (FOIP Act), the Health Information Act (HIA) and the Personal Information Protection Act (PIPA). The Commissioner operates independently of government.
For more information:
Elaine Schiman
communications@oipc.ab.ca
Communications Manager
Office of the Information and Privacy Commissioner of Alberta
Mobile: (587) 983-8766
Follow us on LinkedIn and on X.