Media Story Reveals Employee Snooping

Ontario’s Information and Privacy Commissioner (IPC) opened an investigation into a hospital’s management of employee snooping after three similar privacy breach reports were received from the hospital in 2020 and 2021. The IPC elected to review the privacy breach to ensure that the custodian had adequate safeguards to prevent similar instances.

The investigation found that the hospital had managed the breaches well and that no recommendations were required. The findings were published in PHIPA Decision 204.

In this Privacy Breach Nugget series, I will take a look at each of these three incidents as guidance to better respond to a privacy breach in your healthcare practice.

What Happened

A news media story was published containing the names of patients at an Ontario hospital. The hospital Privacy Office initiated an audit which found that a Patient Accounts Clerk had accessed 28 health records without authorized purpose. This snooping is in contravention of the Personal Health Information Protection Act (PHIPA).

Managing the Breach

The Ontario hospital’s management of the privacy breach can be examined using the 4-Step Response Plan.

[Figure: 4-Step Response Plan]
Step 1 – Spot and Stop

The privacy breach was detected by the hospital when the media story aired. The hospital ran a preliminary audit on the health records of those patients named in the story that found suspicious access by an accounts clerk. Once identified, the hospital disabled the clerk’s access to the electronic health record (EHR) system and put them on administrative leave.

Step 2 – Investigate

After identifying the clerk, the hospital initiated second and third audits on their EHR accesses and found 28 patients whose records were accessed without authorized purpose. This is also known as employee snooping. The investigation established that those patients had been deliberately searched for in the EHR system, confirmed with the clerk’s manager that no authorized purpose was given to do so, and that the clerk had previously signed a Statement of Confidentiality and completed privacy and security awareness training.

Step 3 – Notify

The hospital notified those patients affected by the breach by telephone or mail. Under PHIPA s. 12(2), it is mandatory for custodians providing services in Ontario to notify patients whose personal health information has been used or disclosed without consent or authorized purpose.

Notification in this case was delayed for compassionate reasons as some of the health information accessed was from a deceased patient. One patient was not able to be contacted, and a note on their file was made for the registration department to notify the hospital’s Privacy Office the next time the patient registered at the hospital. The patient will be informed of the privacy breach on their return visit to the hospital.

The hospital also notified the IPC of the incident. It is mandatory for a custodian providing services in Ontario to report a privacy breach of personal health information to the IPC (PHIPA regulation s. 6.3 pursuant to PHIPA s. 12.3.)

Step 4 – Prevent the Breach from Happening Again

The hospital considered disciplinary action with the clerk; however, the clerk retired before any actions were taken. Policies and procedures at the hospital were reviewed, and changes made to immediately notify deceased patients’ families of a privacy breach going forward. The hospital’s Privacy Officer will now work closely with the Human Resources department to ensure more consistent investigations.

Commissioner’s Investigation

In the IPC report, the investigation also noted some positive measures taken by the hospital in managing privacy risks:

  • All new staff receive privacy awareness training and sign Statements of Confidentiality. Annual refresher training with new Statements of Confidentiality is mandatory.
  • The hospital’s Privacy Office communicates with staff on privacy issues during a yearly email campaign called Privacy Awareness Week.
  • The hospital’s Privacy Officer holds training sessions when requested or new information is available.
  • The hospital’s EHR system displays a privacy advisory reminder that staff must agree to before accessing information.
  • Policies and procedures are reviewed and amended every three years and when needed.
  • Policies and procedures, and investigation findings are properly documented.
  • As a result of this incident, the hospital outlined a plan to respond to the breaches and the investigation, and to future breaches involving patients who are deceased. These include updating privacy awareness training with examples of snooping similar to those investigated and sending quarterly emails to staff about access without authorized purpose and how to prevent privacy breaches.

Take-Aways

The hospital had pre-existing privacy awareness training and privacy breach management procedures. A review in response to the incident led the hospital to amend their notification procedures for privacy breaches involving deceased patients. Notification to the family will be made immediately in future when breaches involve a deceased patient.

You might need to consider modifying your policies and procedures, too, to include a similar scenario.

Watch for the next article where we share example #2 in IPC Decision 204.

Article submitted by: Aaron Myer

Reference

Ontario Regulation 329/04. Government of Ontario, 2006, https://www.ontario.ca/laws/regulation/040329#BK6. Accessed 9 June 2023.

Personal Health Information Protection Act, 2004. Government of Ontario, 2004, https://www.ontario.ca/laws/statute/04p03. Accessed 9 June 2023.

PHIPA Decision 204. Information and Privacy Commissioner of Ontario, 4 Apr. 2023, https://decisions.ipc.on.ca/ipc-cipvp/phipa/en/521298/1/document.do. Accessed 9 June 2023.

 
Employee Snooping Reported by a Clerk’s Relative

Privacy awareness training including employee snooping awareness may prevent a privacy breach. Check out the second article in our Privacy Breach Nugget series for valuable insights and tips.

Ontario’s Information and Privacy Commissioner (IPC) opened an investigation into a hospital’s management of employee snooping after three similar privacy breach reports were received from the hospital in 2020 and 2021. The IPC elected to review the privacy breach to ensure that the custodian had adequate safeguards to prevent similar incidents.

The investigation found that the hospital had managed the breaches well and no recommendations were required. The findings were published in PHIPA Decision 204.

This is the second article in this Privacy Breach Nugget series with tips that you can use to better respond to a privacy breach in your healthcare practice.

Missed the first article? Check it out here.

What Happened

A complaint was made to an Ontario hospital by a relative of an admitting clerk that their health information was being accessed by the clerk without authorized purpose. The hospital’s Privacy Officer investigated and found that the clerk had accessed five individuals’ health records without authorized purpose. The investigation concluded with the termination of the clerk’s employment.

The incident was the second of three privacy breaches reported by the hospital to the Ontario Information and Privacy Commissioner in 2020 and 2021. This snooping is in contravention of the Personal Health Information Protection Act (PHIPA).

Managing the Breach

The Ontario hospital’s management of the privacy breach can be examined using the 4-Step Response Plan.

[Figure: 4-Step Response Plan]

Step 1 – Spot and Stop

The privacy breach was detected when the hospital’s Patient Experience Department received a complaint that an admitting clerk may have accessed a relative’s health information without authorized purpose. The hospital’s Privacy Officer was notified. Once an audit confirmed that suspicious accesses had been made, the clerk’s access to the EHR system was disabled and they were put on administrative leave.

Step 2 – Investigate

The hospital conducted audits of user access of the electronic medical record (EMR) system. This revealed that the clerk accessed five individuals’ health records without a need to do this as part of her job. The investigation also established that the clerk had previously signed a statement of confidentiality and received privacy awareness training. A meeting was held with the clerk, who admitted that she used the EMR to find a mailing address of a friend.

Step 3 – Notify

The hospital notified those patients affected by telephone or mail, and the incident was reported to the Ontario IPC.

Under PHIPA s. 12(2), it is mandatory for custodians providing services in Ontario to notify patients whose personal health information has been used or disclosed without consent or authorized purpose.

Notification to the IPC is a requirement of a custodian (including hospitals and community physicians, pharmacists, dentists, and other healthcare providers) (PHIPA regulation s. 6.3 pursuant to PHIPA s. 12.3).

Step 4 – Prevent the Breach from Happening Again

The hospital’s disciplinary actions ended in the termination of the clerk’s employment. The hospital reviewed and committed to maintain its privacy policies and procedures.

Commissioner’s Investigation

The IPC investigation found that the hospital had managed the breaches well and that no recommendations were required. The findings were published in PHIPA Decision 204.

The investigation also noted some positive measures taken by the hospital in managing privacy risks:

  • All staff receive privacy awareness training and sign Statements of Confidentiality, and annual refresher training with new Statements of Confidentiality is mandatory.
  • The hospital’s Privacy Office informs staff on privacy issues during a yearly email campaign called Privacy Awareness Week.
  • The hospital’s Privacy Officer holds training sessions when requested or new information is available.
  • The hospital’s EHR system displays a privacy advisory that staff must agree to before accessing information.
  • Policies and procedures are reviewed and amended every three years and when needed.
  • Policies and procedures, and investigation findings are properly documented.
  • The hospital outlined a plan to respond to the breaches and the investigation. These include updating privacy awareness training with examples of snooping similar to those investigated and sending quarterly emails to staff about snooping and how to prevent privacy breaches.

Take-Aways

The hospital had pre-existing privacy awareness training and privacy breach management procedures. A review in response to the incident led the hospital to develop specific employee training to better understand and prevent snooping incidents. This is a good reminder that training is not a ‘one and done’ event. Refreshing training regularly with specific examples that relate to work activities can be more meaningful.

Watch for the next article where we share example #3 in IPC Decision 204.

Article submitted by: Aaron Myer

Reference

Ontario Regulation 329/04. Government of Ontario, 2006, https://www.ontario.ca/laws/regulation/040329#BK6. Accessed 9 June 2023.

Personal Health Information Protection Act, 2004. Government of Ontario, 2004, https://www.ontario.ca/laws/statute/04p03. Accessed 9 June 2023.

PHIPA Decision 204. Information and Privacy Commissioner of Ontario, 4 Apr. 2023, https://decisions.ipc.on.ca/ipc-cipvp/phipa/en/521298/1/document.do. Accessed 9 June 2023.

 
When Co-Workers Are Victims of Snooping

Victims of snooping can report their concerns to the privacy officer of the organization where the breach occurred. When the breach involves a co-worker, your human resources policies to report a privacy incident can guide you to manage the incident and any resulting discipline. Including employee snooping awareness in privacy awareness training may prevent a privacy breach. Check out the third article in our Privacy Breach Nugget series for valuable insights and tips.

Ontario’s Information and Privacy Commissioner (IPC) opened an investigation into a hospital’s management of employee snooping after three similar privacy breach reports were received from the hospital in 2020 and 2021. The IPC elected to review the privacy breach to ensure that the custodian had adequate safeguards to prevent similar incidents.

The investigation found that the hospital had managed the breaches well and no recommendations were required. The findings were published in PHIPA Decision 204.

This is the third article in this Privacy Breach Nugget series, with tips drawn from the IPC report that you can use to better respond to a privacy breach in your healthcare practice.

Missed the previous articles? Check out the first article here, and the second one here.

What Happened

An employee phoned the hospital’s Privacy Office to lodge a complaint against a co-worker for allegedly accessing the complainant’s health information without authorized purpose. The hospital’s Privacy Officer investigated and found that a radiology assistant had accessed eleven individuals’ health records without needing that information to do their job. The hospital’s investigation concluded with the assistant being reassigned to a position without access to personal health information.

Managing the Breach

The Ontario hospital’s management of the privacy breach can be examined using the 4-Step Response Plan:

Step 1 – Spot and Stop

The privacy breach was detected when the hospital’s Privacy Office received a complaint from an employee that a co-worker may have accessed their health information without authorized purpose. The hospital’s Privacy Officer performed an audit on the employee’s electronic health record (EHR) and confirmed there was a suspicious access made by a radiology assistant. The assistant’s access to the EHR system was disabled and they were put on administrative leave.

Step 2 – Investigate

The hospital’s Privacy Officer conducted a second audit on the assistant’s EHR accesses and found suspicious accesses were made on eleven individuals’ EHRs. The Privacy Officer determined that those individuals were searched for deliberately in the EHR system, and confirmed with the assistant’s manager that they had no reason to do so. The investigation also established that the assistant had previously signed a statement of confidentiality and received privacy awareness training. A meeting was held with the assistant who denied accessing those health records.
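The Step 1 and Step 2 audits described in all three articles follow the same pattern: first check who touched the records of the people named in the complaint or media story, then pull every access made by the suspect user and strip out the ones with an authorized purpose, leaving the count of affected patients that drives notification. The script below is an added example of that two-stage audit over an EHR access log; it is not code from the hospital, the IPC, or the decision. The log lines, the user and patient identifiers, the role names, and the `AUTHORIZED` care-relationship table are all constructed for illustration; in a real audit that table comes from scheduling, admission and work-queue data and from the manager’s confirmation, as the decision describes.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample of an EHR access log (not taken from the decision or any hospital).
# One row per access event; "search_by_name" models a deliberate lookup of a patient.
ACCESS_LOG = """timestamp,user_id,role,patient_id,action
2021-03-01T08:02:11,u1042,nurse,P-1001,view
2021-03-01T08:05:40,u1042,nurse,P-1002,view
2021-03-01T09:17:03,u2077,accounts_clerk,P-1001,search_by_name
2021-03-01T09:17:25,u2077,accounts_clerk,P-1001,view
2021-03-01T09:20:10,u2077,accounts_clerk,P-1003,search_by_name
2021-03-01T09:20:31,u2077,accounts_clerk,P-1003,view
2021-03-01T10:00:00,u2077,accounts_clerk,P-2500,view
2021-03-02T11:45:12,u3150,physician,P-1002,view
"""

# Constructed table of authorized purposes: (user, patient) pairs for which the user had a
# work reason to open the record (care-team assignment, billing task, and so on). This is
# an assumption for the example; a real audit derives it from ADT/scheduling data and the
# manager's confirmation, as the decision describes.
AUTHORIZED = {
    ("u1042", "P-1001"),
    ("u1042", "P-1002"),
    ("u3150", "P-1002"),
    ("u2077", "P-2500"),  # the clerk had a billing task on this account
}


def parse_access_log(text):
    """Parse the CSV access log into a list of dict rows."""
    return list(csv.DictReader(StringIO(text)))


def suspicious_users(records, patient_ids, authorized):
    """Step 1 (preliminary audit): for the patients named in the report, return each user
    who accessed one of their records without an authorized purpose, with the patients hit."""
    hits = defaultdict(set)
    for r in records:
        if r["patient_id"] in patient_ids and (r["user_id"], r["patient_id"]) not in authorized:
            hits[r["user_id"]].add(r["patient_id"])
    return dict(hits)


def unauthorized_accesses(records, user_id, authorized):
    """Step 2 (full audit of one user): every access by user_id that has no authorized purpose."""
    return [
        r for r in records
        if r["user_id"] == user_id and (user_id, r["patient_id"]) not in authorized
    ]


def summarize(flagged):
    """Distinct patients affected (the number that drives Step 3 notification) and the subset
    whose records were searched for by name, which the decision treats as evidence that the
    access was deliberate rather than incidental."""
    patients = sorted({r["patient_id"] for r in flagged})
    searched = sorted({r["patient_id"] for r in flagged if r["action"] == "search_by_name"})
    return {"patients": patients, "searched_by_name": searched}


if __name__ == "__main__":
    records = parse_access_log(ACCESS_LOG)
    # Step 1: the patients named in the complaint or story (constructed values).
    named = {"P-1001", "P-1003"}
    for user, patients in suspicious_users(records, named, AUTHORIZED).items():
        print(f"Step 1: {user} accessed named patients {sorted(patients)} without authorized purpose")
        # Step 2: audit everything that user did, not just the named records.
        print("Step 2:", summarize(unauthorized_accesses(records, user, AUTHORIZED)))
```

Running the script reports u2077 as the only suspicious user for the named patients; the full audit of u2077 then confirms two affected patients, both searched for by name, while the P-2500 access drops out because the clerk had a billing task on it. Keeping the authorized-purpose check in a single table makes the manager’s confirmation (the step the decision relies on) an explicit input to the audit rather than something the auditor reasons about informally.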

Step 3 – Notify

The hospital notified the victims of snooping by telephone or mail, and the incident was reported to Ontario’s Information and Privacy Commissioner.

Under PHIPA s. 12(2), it is mandatory for custodians providing services in Ontario to notify patients whose personal health information has been used or disclosed without consent or authorized purpose.

Notification to the IPC is a requirement of a custodian (including hospitals and community physicians, pharmacists, dentists, and other healthcare providers) (PHIPA regulation s. 6.3 pursuant to PHIPA s. 12.3).

Step 4 – Prevent the breach from happening again

The hospital took progressive disciplinary action with the employee by reassigning them to a position without access to personal health information (PHI) after their administrative leave ended. The reassignment was followed up a few months later with an audit to ensure PHI was not being accessed. The hospital also reviewed and committed to maintaining its privacy policies and procedures.

Commissioner’s Investigation

The IPC investigation found that the hospital had managed the breaches well and that no recommendations were required. The findings were published in PHIPA Decision 204.

The investigation also noted some positive measures taken by the hospital in managing privacy risks:

  • All staff receive privacy awareness training and sign Statements of Confidentiality, and annual refresher training with new Statements of Confidentiality is mandatory.
  • The hospital’s Privacy Office informs staff on privacy issues during a yearly email campaign called Privacy Awareness Week.
  • The hospital’s Privacy Officer holds training sessions when requested or new information is available.
  • The hospital’s EHR system displays a privacy advisory that staff must agree to before accessing information.
  • Policies and procedures are reviewed and amended every three years and when needed.
  • Policies and procedures, and investigation findings are properly documented.
  • The hospital outlined a plan to respond to the breaches and the investigation. These include updating privacy awareness training with examples of snooping similar to those investigated and sending quarterly emails to staff about snooping and how to prevent privacy breaches.

Take-Aways

The hospital had pre-existing privacy awareness training and privacy breach management procedures. A review in response to the incident led the hospital to develop specific employee training to better understand and prevent snooping incidents. This is a good reminder that training is not a ‘one and done’ event. Refreshing training regularly with specific examples that relate to work activities can be more meaningful.

Check out the previous articles in this series for the two other snooping examples from IPC Decision 204.

Also see: Managing Employees When They Make Mistakes With Stacey Messner and check out Stacey’s tips on how to have difficult conversations with employees.

Article submitted by: Aaron Myer

References and Resources

PHIPA Decision 204. Information and Privacy Commissioner of Ontario, 4 Apr. 2023, https://decisions.ipc.on.ca/ipc-cipvp/phipa/en/521298/1/document.do