Privacy breach at QEH spurs surveillance of an employee's access to health charts

P.E.I.'s privacy watchdogwants Health PEI to keep closer tabs on one of its employee's use of patient health records, following a privacy breach last year at Queen Elizabeth Hospital.

That's according to anew report by Information and Privacy Commissioner Karen Rose, postedMay 30.

According to the report, in March 2018, a patient received a copy of their electronic patient chart fromHealth PEI. That chart included a log showing who had accessed the patient's health information, and when.

The patient alerted Health PEI to concerns over one employee at QEH, who was personally known to the patient, who, according to the log, had accessed the patient's medical records several times.

According to the report, when asked about the allegation, the employee toldHealth PEI that all of their access to the patient's health information was for "professional reasons."

Also, according to the report, the employee indicated "a long history of a volatile relationship" between the employee and patient. The report goes on to say the employee was concerned the privacy complaintwas made by the patient "with malicious intent."

Unauthorized access

Health PEI investigated and found that the employee's job duties required access topatients'medical records, including the patient in question.

However the agency'sinvestigation concluded the employee had accessed, without authorization,the patient's records on some occasions. Health PEI found the employee was unable to offer a reasonable explanation for why the records had been accessed on those occasions.

Victims of unauthorized access to personal health information requirereasonable assurance. Privacy Commissioner Karen Rose

The employee was disciplined, but not fired.

The health agency followed correct procedures, according to the report, inalertingthe patient as well as the privacycommissioner, and in containing and investigating the breach.

For remediation Health PEI said it would provide privacy refresher training and would introduce random auditing of staff access to patient electronic charts in the employee's area.

Employee's access to be audited

But the privacy commissioner recommendedHealth PEI go further withits monitoring of the employee in question.

"Victims of unauthorized access to personal health information requirereasonable assurance that their personal health information will not be put at continued or further risk of unauthorized access," wrote Rose.

The commissioner recommendedHealth PEI introduce regularauditing of the employee's access to patient records, with particularattention to the personal health information of the patient whose privacy was breached.

Health PEI confirms it will take this action.

The patient affected in this privacy breach wanted to know more about the discipline action imposed on the employee.Health PEI refused to disclosethat information, according to the report.

The privacy commissioner accepted Health PEI's position that further disclosureof disciplinary measures was not appropriate in this incident.

More P.E.I. news