An individual complained to the Commissioner that an employee at the Bigelow Fowler Clinic in Lethbridge had disclosed his health information to his employer. The complainant’s employer claimed to have called the Clinic to inquire about a day off he had taken for illness. In a letter to the complainant, the employer said a Bigelow Fowler staff member had checked an electronic database during this call to verify his appointment times.
No one at the clinic admitted to making the disclosure. However, most electronic medical record (EMR) systems in Alberta can log who has looked at a particular patient’s record at any given time. A review of these system logs should have been able to confirm or deny that someone had looked at the complainant’s records before making the disclosure.
Unfortunately, the Clinic’s EMR system log had not been activated, which meant there was no record of whether anyone accessed the complainant’s electronic file. The logging feature had been turned off by the Clinic’s EMR vendor to improve computer performance. As a result, the investigator could not determine whether anyone accessed the complainant’s health information while speaking to his employer.
Maintaining and reviewing audit logs in EMRs is an important privacy control because it allows custodians to verify whether employees are accessing health information appropriately. The investigator found that the Clinic contravened section 60 of the Health Information Act (HIA) by failing to turn on its EMR logging system.
The Bigelow Fowler Clinic agreed to carry out the investigator’s three recommendations:
- Turn on system logging in the Clinic EMR.
- Develop and carry out a plan to review EMR use by clinic staff every six months.
- Formalize regular privacy awareness training for all Clinic staff with a yearly review.
The investigator concluded with two reminders to all custodians that have EMRs:
- Ensure your EMR system logs are operational and that you know how to review and interpret them.
- Review your EMR system logs periodically to ensure your employees are accessing health information appropriately.