AHS Responsible for Unauthorized Accesses by 49 Employees

November 29, 2017

An investigation by the Office of the Information and Privacy Commissioner (OIPC) has found Alberta Health Services (AHS) contravened the Health Information Act (HIA) when 49 of its employees accessed and used the health information of a patient and her daughter for unauthorized purposes. The unauthorized activities took place in 2015 at the South Health Campus emergency department in Calgary.

After an emergency department manager notified the AHS Privacy Office of a possible unauthorized disclosure of the patient’s health information, AHS conducted an audit of all accesses to the health information of the patient, and the patient’s daughter. The patient had been flagged in electronic medical record systems as a “confidential patient” due to the circumstances of the patient’s admission to the emergency department.

The AHS audit identified 160 employees who accessed the health information of the patient, or both the patient and her daughter. Most of the accesses were authorized under the HIA; however, 49 employees, including AHS managers, nurses, and non-nursing or clerical staff, were found to have accessed health information outside their role of providing a health service. The AHS Privacy Office reported the matter to the OIPC, and the Commissioner initiated an investigation on her own motion.

As part of its investigation, the OIPC reviewed the purposes cited most frequently by the employees to explain their accesses, which included providing or preparing to provide a health service, managing patient flow, health provider education and “curiosity”. A significant number of employees could not recall why they accessed the information.

Although the HIA authorizes accessing and using health information to provide a health service, manage patient flow and educate health providers, the OIPC’s investigation found these purposes did not apply to accesses by the 49 employees for a number of reasons, including the employees’ actual roles and responsibilities, or the timing of the accesses. Accesses that could not be explained, or that were due to curiosity, were also contraventions of the HIA.

Although AHS had reasonable administrative and technical safeguards in place, the OIPC investigation also found that AHS did not take reasonable steps to implement its technical safeguards, noting that many of the 49 employees reportedly left their smart cards in the electronic medical system for their entire shift. Smart cards are a way to uniquely identify system users, and the practice of leaving cards in the system defeats the protection this technology offers and is a contravention of AHS policy and the HIA.
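The audit described above (every access to a patient flagged as confidential, checked against the accessing user's care-team role and the timing of the access) and the smart-card finding (sessions left open for a whole shift) are both things a privacy office can screen for mechanically before a reviewer interviews staff. The following is an added example, not code from the OIPC report or from AHS; the log format, the patient identifiers, the care-team assignments and the four-hour session limit are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed EMR access audit log (not real AHS data).
# Format: timestamp|user|role|patient_id|action
ACCESS_LOG = """\
2015-03-02T09:05:00|nurse_a|nurse|P1001|view_chart
2015-03-02T09:40:00|md_b|physician|P1001|view_chart
2015-03-02T11:15:00|clerk_c|clerk|P1001|view_chart
2015-03-02T14:20:00|nurse_d|nurse|P1002|view_chart
2015-03-05T08:00:00|nurse_a|nurse|P1001|view_chart
2015-03-02T10:00:00|nurse_e|nurse|P2002|view_chart
"""

# Constructed "confidential patient" flags (assumed data model): each flagged
# patient has an encounter window and an assigned care team. P1002 stands in
# for the daughter linked to the same encounter.
ENCOUNTER = (datetime(2015, 3, 2, 8, 0), datetime(2015, 3, 2, 18, 0))
CONFIDENTIAL_PATIENTS = {
    "P1001": {"window": ENCOUNTER, "care_team": {"nurse_a", "md_b"}},
    "P1002": {"window": ENCOUNTER, "care_team": {"nurse_a", "md_b"}},
}

# Constructed smart-card session log. Format: user|login|logout
SESSION_LOG = """\
nurse_a|2015-03-02T07:55:00|2015-03-02T08:40:00
clerk_c|2015-03-02T07:00:00|2015-03-02T19:05:00
"""


def parse_access_log(text):
    """Parse pipe-delimited access records into dicts with a datetime timestamp."""
    records = []
    for line in text.strip().splitlines():
        ts, user, role, patient, action = line.split("|")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "patient": patient, "action": action})
    return records


def flag_accesses(records, confidential=CONFIDENTIAL_PATIENTS):
    """Return (record, reason) pairs for accesses to confidential patients that
    need an explanation: the user is not on the care team, or the access falls
    outside the encounter window. Accesses to unflagged patients are skipped."""
    findings = []
    for r in records:
        flag = confidential.get(r["patient"])
        if flag is None:
            continue
        start, end = flag["window"]
        if r["user"] not in flag["care_team"]:
            findings.append((r, "user not on care team"))
        elif not (start <= r["ts"] <= end):
            findings.append((r, "access outside encounter window"))
    return findings


def flag_long_sessions(text, max_session=timedelta(hours=4)):
    """Return (user, duration) for smart-card sessions longer than max_session;
    a card left in the reader for a whole shift shows up as one very long session."""
    long_sessions = []
    for line in text.strip().splitlines():
        user, login, logout = line.split("|")
        duration = datetime.fromisoformat(logout) - datetime.fromisoformat(login)
        if duration > max_session:
            long_sessions.append((user, duration))
    return long_sessions


def users_to_interview(findings):
    """Distinct users whose accesses were flagged, in log order, for follow-up."""
    seen = []
    for record, _reason in findings:
        if record["user"] not in seen:
            seen.append(record["user"])
    return seen


if __name__ == "__main__":
    access_findings = flag_accesses(parse_access_log(ACCESS_LOG))
    for record, reason in access_findings:
        print(f"{record['ts']} {record['user']} ({record['role']}) "
              f"-> {record['patient']}: {reason}")
    for user, duration in flag_long_sessions(SESSION_LOG):
        print(f"{user}: smart-card session open for {duration}")
    print("users to interview:", users_to_interview(access_findings))
```

The two checks deliberately mirror the OIPC's reasoning: an access is only authorized if the purpose matches the user's actual role and the time of the access, so both role membership and the encounter window are tested, and a flagged access is a question for the employee rather than a conclusion. The session check is a proxy for the card-left-in-reader practice; the four-hour limit is an assumed tuning value, not an AHS or HIA figure.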

AHS also failed to ensure that its employees were aware of and adhering to administrative, technical and physical safeguards to protect health information. Notably, there was no evidence of privacy training for a number of the 49 employees involved.

AHS had established sanctions for breaching or attempting to breach safeguards, as required by the Health Information Regulation, and followed its process for imposing sanctions against the 49 employees. The employees subsequently filed grievances against the discipline imposed by AHS, as per their collective bargaining agreements. As a result, 38 employees had their discipline rescinded and 11 employees had their discipline reduced.

AHS explained that, although the accesses by these employees were a breach of the HIA, the employees themselves believed their accesses were appropriate within a team-based approach to providing health care, and they were following established practices known and supported by management. As a result, AHS found it appropriate to reduce or rescind the discipline, considering gaps in management's implementation and enforcement of the related policies.

“This incident highlights the significant gap that existed between the requirements of the law and AHS policies, and the actual practices implemented in the South Health Campus emergency department,” said Information and Privacy Commissioner Jill Clayton. “The HIA requires custodians to have safeguards, training and policies in place to protect patient privacy, but even the best efforts can be completely undermined without a commitment to implementation and monitoring, and communication to staff.”

The OIPC made six recommendations to AHS, many of which were addressed by AHS during the investigation. The OIPC will continue to follow up with AHS to confirm progress on all recommendations.

The investigation report is available at www.oipc.ab.ca.

The Information and Privacy Commissioner of Alberta works independently of government to uphold the access and privacy rights of all Albertans.