
Health Care Personal Information Snooping: When Will People Learn?

October 30, 2025 - Grace Hession David, Information and Privacy Commissioner

Those who wish to snoop into health care databases to get personal health information with respect to their friends, family, acquaintances or even strangers, should realize that they are violating the privacy legislation in Saskatchewan and the consequences will likely be significant.  We will review the basics of a unique snooping case in Saskatchewan where an employee snooped with what she thought was impunity.  In fact, an audit tracked her snooping, she was questioned by her employer on the breadth of her violation of The Health Information Protection Act (HIPA)[1] and ultimately, she chose to walk away from her employment.  We have named her in our public investigation report and we explain why it was not ultimately in the public interest to recommend a prosecution with the Minister of Justice. But as we say, the consequences of snooping can be highly significant to one’s career.

Ms. Fahmida Shipa was employed and held multiple roles within the Saskatchewan Health Authority (SHA) in the City of North Battleford from August 2023 to May of 2025.  During that time, three separate SHA audits revealed that she had snooped on an estimated 323 patient records for her own interest during the course of her employment.  She was suspended in April of 2025 when the audits revealed the snooping and she voluntarily resigned from her position on May 1, 2025.  The breach was investigated by this office and Ms. Shipa was provided with a notice that recognized her right to counsel and her right to silence.  She chose to respond to this office and give many reasons for why she snooped.  But none of her reasons fell within the only two viable reasons for accessing the personal health information of a resident of Saskatchewan:  (1) the subject of the snoop has provided consent as per section 26(1) of HIPA; and/or (2) access is on a need-to-know basis as per section 23 of HIPA.[2]

One of the mystifying aspects of this investigation involved the extent to which this snooper had been educated and schooled on the privacy laws with respect to personal health information in this province by her employer.  The trustee in this matter provided excellent training for this employee which covered the following crucial areas:

  • The training described the access to information and privacy legislation in Saskatchewan, specifically The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP)[3] and HIPA.
  • The training emphasized the “need-to-know” principle, including a direct emphasis on the rejection by SHA of the “Circle of Care” model and inclusion of its “Need to Know versus Circle of Care” directive.[4]
  • The training specifically commented on snooping, gossiping, and the public discussion of personal health information, stating that the names of snoopers may be released to affected individuals.
  • The training imparted warnings about audits and the digital traces evident in SHA electronic systems.
  • The training discussed privacy breaches in the form of unauthorized collections and uses, notably drawing upon a wide array of examples of privacy breaches relevant to a health-care environment.
  • The training addressed how to respond to privacy breaches, with a focus on containment, notification, and prevention.
  • The training highlighted high-profile cases wherein snoopers working in health care environments have been named and prosecuted.

There was no excuse or reason that could justify the invasion of privacy into 323 records on the part of Ms. Shipa, especially when the SHA referenced her signed Pledge of Confidentiality from 2023 and 2024.  Even though section 64 of HIPA provides for the consent of the Attorney General of Saskatchewan for a prosecution for a snooping violation under HIPA, this office chose not to pursue this final step with respect to this snooper.  Our office received no formal complaints as the result of this snooper’s activities, and the trustee acted efficiently and expertly in its investigation of the breach and in its notification of affected individuals.  Ultimately, this would have been a costly prosecution and it was deemed that it would not be in the public interest, especially since the snooper had voluntarily resigned and put herself in a difficult position for future employment in the health industry in Saskatchewan.  Here is some recommended further reading, including our Investigation Report on this incident:

SHA and Fahmida Shipa, Investigation Report 103-2025, 104, 2025

Ten Tips for Addressing Employee Snooping (Office of the Privacy Commissioner of Canada)

Detecting and Deterring Unauthorized Access to Personal Health Information (Information and Privacy Commissioner of Ontario)

[1] The Health Information Protection Act, SS 1990-91, c. H-0.021, as amended.

[2] Second, section 26(2) of HIPA lays out other reasons for accessing the personal health information of residents of Saskatchewan, such as for the purposes of de-identifying the data, but we have only listed the relevant sections in this blog that pertain to this snooper within the context of her employment.

[3] The Local Authority Freedom of Information and Protection of Privacy Act, S.S. 1990-91, c. L-27.1, as amended.

[4] See SHA resource Privacy Guidance Document: Need-to-Know vs Circle of Care.
