An investigation by the Office of the Information and Privacy Commissioner has determined that a physician with Covenant Health contravened the Health Information Act (HIA) by misusing Alberta Netcare, the provincial electronic health record system.
Three complainants alleged that a physician had viewed their health information without proper authority. One of the complainants is involved in divorce proceedings with the physician’s new partner. The other two complainants are the first complainant’s family members. The Commissioner originally pursued this investigation as a possible offence under section 107 of the HIA, but the suspected physician refused to provide a cautioned statement and there was not sufficient evidence to directly link the physician to the inappropriate accesses. The Commissioner opted to take an un-cautioned statement from the physician and pursue the matter as an investigation of Covenant Health. The un-cautioned statement is not admissible as evidence in an offence prosecution.
In the un-cautioned statement, the physician admitted to viewing the complainants’ health information without proper authority. The physician did not look at the complainants’ health information using the physician’s own account. Rather, the physician used 12 colleagues’ accounts to look up the complainants’ health information through Netcare on 15 separate occasions.
Covenant Health had a policy intended to prevent this kind of abuse. Unfortunately, Covenant Health did not train its physicians in information security and did not implement technical controls to enforce individual accountability for Netcare use. Covenant Health has reported the physician’s actions to the College of Physicians and Surgeons of Alberta (CPSA), which is now conducting its own investigation. The Information and Privacy Commissioner has no jurisdiction to comment on the CPSA investigation.
Health Information Act Director Brian Hamilton found that the physician contravened section 28 of the HIA by using health information in a manner not consistent with the physician’s work responsibilities, and that Covenant Health failed to implement reasonable security controls to prevent this breach, contravening section 60 of the HIA. The 12 physicians whose Netcare accounts were misused did not contravene the HIA, because they had not been trained in Covenant Health’s privacy policies and technical security controls were neither implemented nor enforced.
Covenant Health has agreed to set up a regular training program and develop a plan to implement technical controls to prevent this kind of misuse of its systems. Covenant Health will submit its plan to the Commissioner within 50 days of publication of the Investigation Report.
Information and Privacy Commissioner Frank Work says, “This was a challenging investigation. We weren’t able to establish beyond a reasonable doubt that the suspected physician was misusing Netcare because the abuse took place in a busy emergency department where computer accounts were commonly shared. When Covenant Health and other custodians implement our recommendations, it will be easier for us to demonstrate that a particular individual is responsible for misuse of health information systems and hold them personally accountable.”