Unauthorized Access

July 20, 2016 - Sharon Young, Analyst

This blog is focused on the unauthorized access to electronic health records for purposes such as curiosity, concern, personal gain, spite, or boredom, and the harm that results from such unauthorized access.

I note that the majority of trustee employees or individuals in service of a trustee (including physicians) access electronic health records for purposes that are authorized by The Health Information Protection Act (HIPA). This blog is not meant to deter these employees or individuals from accessing electronic health records they require to do their jobs.


The following are some examples of unauthorized access:

1. Looking up a family member’s personal health information out of concern.

There should be very limited circumstances in which employees or individuals look up their own or a family member’s personal health information. For physicians and surgeons, the College of Physicians and Surgeons’ Code of Ethics provides that the treatment of themselves or immediate family members be limited:

Limit treatment of yourself or members of your immediate family to minor or emergency services and only when another physician is not readily available; there should be no fee for such treatment.

Therefore, physicians and surgeons should not be looking up a family member’s personal health information unless it’s in the limited circumstances as described in the Code of Ethics.

2. Looking up your own or a co-worker’s personal health information out of concern, curiosity, or spite.

Investigation Report H-2013-001 reported on snooping cases in which employees accessed and modified not only their own personal health information but also that of their co-workers. It doesn’t take a lot of imagination to understand the consequences of such actions, including that future health care decisions for these individuals could have been based on false information.

3. Looking up patient records to alleviate boredom.

Electronic health records support health care providers in providing care to patients. They are not meant to alleviate boredom, as discussed in Investigation Report 100-2015.

4. Looking up patient records without a need-to-know.

Investigation Report 142-2015 reported a case where an employee accessed the personal health information of 901 individuals. This employee was fired, and the Commissioner recommended that the case be forwarded to the Ministry of Justice, Public Prosecution Division, so that it could determine whether charges should be laid under HIPA.


Patients lose trust and confidence in the health system. They may be cautious in seeking treatment if they learn that a family member, friend, co-worker, or colleague may have unauthorized access to their personal health information.

Trustees also suffer reputational damage when employees or individuals who are in service to the trustee (such as physicians) access electronic health records without a need-to-know.


Recent amendments to HIPA provide individual offences for unauthorized access to personal health information. Therefore, employees or individuals in service of a trustee (such as a physician) may be fined up to $50,000 and/or face imprisonment of up to one year if they are found to have accessed personal health information for purposes that are not authorized by HIPA.


Trustees and trustee organizations should establish policies, procedures, and training so employees and individuals clearly know how to manage personal health information in accordance with HIPA. Audits should also be conducted regularly to ensure policies and procedures are being followed.

Employees and individuals in service of trustees should only access personal health information, including electronic health records, that they require to complete their job duties. If they have any questions, they should contact their supervisor, manager, and/or the privacy officer of the trustee organization.
