Regina General Hospital exterior. Photo by News Talk Radio's Adriana Christianson
After several privacy breaches Saskatchewan's Information and Privacy Commissioner is telling the Regina Qu'Appelle Regional Health Authority it needs to do something to stop its employees from snooping.
The recommendations stem from three incidents that happened in the RQHR over the past five years.
The first happened in January of 2008 at the Regina General Hospital. Some employees found out one of their co-workers was a patient in the health region, so they logged on to the health info program and looked at the co-workers information.
The employee directly implicated in the privacy breach was originally fired, but was reinstated after arbitration.
The second happened in June of 2009 in one of the health region's medical labs. A lab assistant tried to access her own files, and when she did, she discovered that someone had made several changes. Her name had been replaced with "vulgarities," the sex and infectious disease information had been changed, and the acronym R.I.P. was in her file.
An investigation found that an employee had used seven different user ID's to change the woman's information eight times in three months. The employee would wait until other workers failed to log off a computer, and use their user identification to make the changes.
The final incident happened in November of 2011. After a complaint an internal investigation was done, and the RQHR found that an employee had looked up the health information of several people. She looked up the father of her child, his wife, four of the wife's relatives, and another unrelated person. In a letter to the privacy commissioner the RQHR said breaches "appear to be intentional, malicious, and for personal gain."
When the woman was interviewed about the breaches of privacy she said she was bored and curious, and that "everybody does it."
All personal health information is protected under Saskatchewan's Health Information Privacy Act (HIPA).
In his report, the privacy commissioner stated that after the first two incidents the RQHR made recommendations of changes it could make to stop breaches of the HIPA from happening again, but they never seemed to be implemented. The privacy commissioner said that's why a formal investigation was opened.
The report found that the administrative and technical safeguards the RQHR has aren't enough to keep information safe.
So in the report several recommendations were made. It was advised that the RQHR revise its safeguards within 120 days, and review its recommended actions for employees in the even of privacy breaches.
The report also suggested the RQHR institute a "need-to-know" policy, and well as some kind of policy regarding employees looking up their own health information as soon as possible.
It was also recommended that the health region look at its health information program to address any weaknesses in the system.