Blog

Unauthorized Access

July 20, 2016 - Sharon Young, Analyst

This blog is focused on the unauthorized access to electronic health records for purposes such as curiosity, concern, personal gain, spite, or boredom, and the harm that results from such unauthorized access.

I note that the majority of trustee employees or individuals in service of a trustee (including physicians) access electronic health records for purposes that are authorized by The Health Information Protection Act (HIPA). This blog is not meant to deter these employees or individuals from accessing electronic health records they require to do their jobs.

UNAUTHORIZED ACCESS

The following are some examples of unauthorized access:

1. Looking up a family member’s personal health information out of concern.

There should be very limited circumstances in which employees or individuals look up their own or a family member’s personal health information. For physicians and surgeons, the College of Physicians and Surgeons’ Code of Ethics provides that treatment of themselves or immediate family members be limited:

Limit treatment of yourself or members of your immediate family to minor or emergency services and only when another physician is not readily available; there should be no fee for such treatment. (https://www.cps.sk.ca/imis/Documents/Legislation/Legislation/RegulatoryBylaws.pdf)

Therefore, physicians and surgeons should not be looking up a family member’s personal health information unless it’s in the limited circumstances as described in the Code of Ethics.

2. Looking up your own or a co-worker’s personal health information out of concern, curiosity, or spite.

Investigation Report H-2013-001 reported on snooping cases in which employees accessed and modified not only their own personal health information but also that of their co-workers. It doesn’t take a lot of imagination to understand the consequences of such actions: future health care decisions for these individuals could have been based on false information. (https://oipc.sk.ca/assets/hipa-investigation-h-2013-001.pdf)

3. Looking up patient records to alleviate boredom.

Electronic health records exist to support health care providers in providing care to patients. They are not meant to alleviate boredom, as discussed in Investigation Report 100-2015. (https://oipc.sk.ca/assets/hipa-investigation-100-2015.pdf)

4. Looking up patient records without a need-to-know.

Investigation Report 142-2015 reported a case where an employee accessed the personal health information of 901 individuals. This employee was fired and the Commissioner recommended that the case be forwarded to the Ministry of Justice, Public Prosecution Division, so that it can determine if charges should be laid under HIPA. (https://oipc.sk.ca/assets/hipa-investigation-142-2015.pdf)

HARM OF UNAUTHORIZED ACCESS

Patients lose trust and confidence in the health system. They may be cautious in seeking treatment if they learn that a family member, friend, co-worker or colleague may have unauthorized access to their personal health information.

Trustees also suffer reputational damage when employees or individuals who are in service to the trustee (such as physicians) access electronic health records without a need-to-know.

FINES AND IMPRISONMENT

Recent amendments to HIPA provide individual offences for unauthorized access to personal health information. Therefore, employees or individuals in service of a trustee (such as a physician) may be fined up to $50,000 and/or face imprisonment of up to one year if they are found to have accessed personal health information for purposes that are not authorized by HIPA.

WHAT TO DO?

Trustees and trustee organizations should establish policies, procedures, and training so employees and individuals clearly know how to manage personal health information in accordance with HIPA. Audits should also be conducted regularly to ensure policies and procedures are being followed.

Employees and individuals in service of trustees should only access personal health information, including electronic health records, that they require to complete their job duties. If they have any questions, they should contact their supervisor, manager, and/or the privacy officer of the trustee organization.
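The audits recommended above can be partly automated by reviewing EHR access logs against the kinds of access this post describes: a user viewing their own record, a user viewing a co-worker’s record, and a user viewing records of patients they have no care relationship with, including in high volume. The script below is an added example and is not code from the Commissioner’s office or from any EHR vendor; the log lines, the staff roster, the care-team table and the volume threshold are all constructed for illustration, and a real audit would draw them from the trustee’s own systems.

```python
"""Audit EHR access-log lines for unauthorized access patterns (added example).

Log format (constructed): "<timestamp> <user-id> <patient-id> <action>".
"""
from collections import defaultdict

# Constructed sample access log for one day.
LOG_LINES = """\
2016-07-18T08:01:00 u100 p555 view
2016-07-18T08:05:00 u100 p777 view
2016-07-18T09:00:00 u100 p100 view
2016-07-18T09:15:00 u101 p102 edit
2016-07-18T09:20:00 u101 p900 view
2016-07-18T10:00:00 u103 p201 view
2016-07-18T10:01:00 u103 p202 view
2016-07-18T10:02:00 u103 p203 view
2016-07-18T10:03:00 u103 p204 view
2016-07-18T10:04:00 u103 p205 view
2016-07-18T10:05:00 u103 p206 view
"""

# Constructed roster: each staff user id mapped to that person's own patient record.
STAFF_OWN_RECORD = {"u100": "p100", "u101": "p101", "u102": "p102", "u103": "p103"}

# Constructed care-team table: patients each user currently has a need-to-know for.
CARE_TEAM = {"u100": {"p555", "p777"}, "u101": {"p900"}, "u103": set()}

# Constructed threshold: distinct unrelated patients per user before it is flagged as volume.
VOLUME_THRESHOLD = 5


def parse_log(text):
    """Parse 'timestamp user patient action' lines into dicts, skipping blanks."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, patient, action = line.split()
        entries.append({"ts": ts, "user": user, "patient": patient, "action": action})
    return entries


def classify(entry, staff_own_record, care_team):
    """Return the most specific rule an access entry matches, or None if authorized."""
    user, patient = entry["user"], entry["patient"]
    if staff_own_record.get(user) == patient:
        return "self_access"              # user looked up their own record
    if patient in staff_own_record.values():
        return "coworker_record"          # record belongs to another staff member
    if patient not in care_team.get(user, set()):
        return "no_care_relationship"     # no need-to-know on file for this patient
    return None


def audit(entries, staff_own_record, care_team, volume_threshold):
    """Return per-entry findings plus one 'high_volume' finding per user over threshold."""
    findings = []
    unrelated = defaultdict(set)
    for entry in entries:
        rule = classify(entry, staff_own_record, care_team)
        if rule is None:
            continue
        findings.append({"rule": rule, **entry})
        if rule == "no_care_relationship":
            unrelated[entry["user"]].add(entry["patient"])
    for user, patients in sorted(unrelated.items()):
        if len(patients) > volume_threshold:
            findings.append({"rule": "high_volume", "user": user, "count": len(patients)})
    return findings


def summarize(findings):
    """Count findings by rule so a privacy officer can see where to start reviewing."""
    counts = defaultdict(int)
    for finding in findings:
        counts[finding["rule"]] += 1
    return dict(counts)


def run_audit():
    """Run the audit over the constructed sample data and return the summary."""
    findings = audit(parse_log(LOG_LINES), STAFF_OWN_RECORD, CARE_TEAM, VOLUME_THRESHOLD)
    return summarize(findings)


if __name__ == "__main__":
    for finding in audit(parse_log(LOG_LINES), STAFF_OWN_RECORD, CARE_TEAM, VOLUME_THRESHOLD):
        print(finding)
    print(run_audit())
```

Every finding is a lead for the privacy officer to review, not a conclusion: a co-worker can legitimately be a patient of the person who accessed the record, and a care-team table is only as current as the system that feeds it. The value of the script is that it turns the "need-to-know" standard into a repeatable check and surfaces the high-volume cases first.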
