I am often asked if it is ‘OK’ to look up a patient’s information on Netcare when the patient hasn’t been seen for some time and the care provider wants to know how they are doing.
Let me be clear: If you are not currently providing a health service to the patient in a current episode of care, you must not look up that patient’s information on Netcare or any other EMR or paper system.
The patient has a right to privacy – which means don’t look unless you have a need to know.
Curiosity is not a legitimate need to know. That is snooping!
You Can Use This Privacy Breach Example to Review and Improve Your Practices
Pro-active Auditing Reveals Snooping in Sask eHealth
On April 6, 2018, a highway collision occurred involving the hockey team Humboldt Broncos which left 16 dead and 13 injured.
The trustee of the Saskatchewan Electronic Health Record Viewer, eHealth, pro-actively audited their electronic health record system to identify potential unauthorized use of the system by authorized users.
eHealth detected that two physicians and an administrator at the Humboldt Clinic Limited inappropriately accessed the personal health information of two individuals involved in a collision involving the Humboldt Broncos.
The auditing revealed that there were many instances where access was made between April 7 and April 10 to the records of two patients. The records belonged to two individuals who died in the crash on April 6.
The physicians had provided care to the individuals in January of 2018 but were not involved in providing care to them on or about April 6. The physicians’ access was prompted by their ‘concern’ for the individuals.
Curiosity is NOT need-to-know!
Clearly, these users of the Viewer were not currently providing care and treatment to the patients.
The access of the Viewer in this example was not a legitimate need-to-know under Saskatchewan’s The Health Information Protection Act (HIPA).
eHealth reported these privacy breaches to the Information and Privacy Commissioner (IPC) of Saskatchewan.
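The proactive audit described above is, at its core, a join between the Viewer’s access log and the clinic’s encounter (visit) records: any access by a user who has no recent encounter with that patient gets flagged for review. The following is an added example of that check, not eHealth’s own tooling or anything from the Investigation Report. The user and patient names, the access and encounter dates, and the 30-day definition of a “current episode of care” are all constructed assumptions modelled on the narrative (January encounters, April 7 to 10 accesses); a real audit would read these from the EMR and viewer logs and apply the trustee’s own policy window.

```python
"""Need-to-know audit over EHR viewer access logs.

Added example (not eHealth's or the clinic's code). Flags every access where the
viewing user has no encounter with that patient within ENCOUNTER_WINDOW_DAYS
before the access. Sample data below is constructed for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: an encounter within the last 30 days counts as a current episode of care.
ENCOUNTER_WINDOW_DAYS = 30


@dataclass(frozen=True)
class Access:
    user: str      # viewer account that opened the record
    patient: str   # record that was opened
    when: date


@dataclass(frozen=True)
class Encounter:
    user: str      # provider who delivered care
    patient: str
    when: date


# Constructed encounter records (hypothetical names). Two providers last saw their
# patients in January; a third saw a different patient on April 7.
ENCOUNTERS = [
    Encounter("dr_a", "patient_1", date(2018, 1, 15)),
    Encounter("dr_b", "patient_2", date(2018, 1, 22)),
    Encounter("dr_c", "patient_3", date(2018, 4, 7)),
]

# Constructed viewer access log. The January access and dr_c's April access are
# legitimate (recent encounter); the rest mirror the snooping pattern in the report.
ACCESSES = [
    Access("dr_a", "patient_1", date(2018, 1, 16)),   # follow-up the day after a visit
    Access("dr_a", "patient_1", date(2018, 4, 7)),
    Access("dr_a", "patient_1", date(2018, 4, 8)),
    Access("dr_a", "patient_1", date(2018, 4, 10)),
    Access("dr_b", "patient_2", date(2018, 4, 7)),
    Access("dr_b", "patient_2", date(2018, 4, 9)),
    Access("admin_1", "patient_1", date(2018, 4, 8)),  # no encounter with this patient at all
    Access("dr_c", "patient_3", date(2018, 4, 9)),     # seen two days earlier: legitimate
]


def audit(accesses, encounters, window_days=ENCOUNTER_WINDOW_DAYS):
    """Return the accesses with no encounter by that user, for that patient,
    in the window [access date - window_days, access date]."""
    encounters_by_pair = defaultdict(list)
    for e in encounters:
        encounters_by_pair[(e.user, e.patient)].append(e.when)

    flagged = []
    for a in accesses:
        window_start = a.when - timedelta(days=window_days)
        dates = encounters_by_pair.get((a.user, a.patient), ())
        has_recent_encounter = any(window_start <= d <= a.when for d in dates)
        if not has_recent_encounter:
            flagged.append(a)
    return flagged


def summarise(flagged):
    """Count flagged accesses per (user, patient) pair for the breach report."""
    return dict(Counter((a.user, a.patient) for a in flagged))


if __name__ == "__main__":
    for (user, patient), n in sorted(summarise(audit(ACCESSES, ENCOUNTERS)).items()):
        print(f"{user} opened {patient} {n} time(s) with no recent encounter")
```

The window is a policy decision, not a technical one: with the constructed data, a 30-day or 60-day window flags all six April accesses by dr_a, dr_b and admin_1, while a 90-day window would quietly excuse the two physicians’ January encounters and flag only the administrator. Whoever runs the audit needs to write down which definition of “current episode of care” they used, and review flagged accesses with a human before treating them as breaches.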
4 Step Response Plan
The trustee, eHealth, undertook the first step to respond to a privacy breach by spotting and stopping the breach. The audit identified the breach. Then eHealth contained the breach by suspending or terminating access to the Viewer.
Secondly, eHealth appropriately notified the individuals’ next of kin of the privacy breach.
The third step is to investigate the breach. eHealth notified the IPC of the breach. The clinic, however, did not investigate the cause of the privacy breach.
Preventing a similar breach is the fourth step. The clinic has privacy policies and a privacy training strategy. The eHealth Viewer also has online training for its users.
Subsequent to its investigation, the Saskatchewan IPC observed that the training had not prevented this breach.
The IPC recommended that the clinic provide further training to its employees and contractors on the need-to-know principle. The IPC also recommended that the clinic document the privacy breaches and the lessons learned, to prevent a similar privacy breach.
Reference: Saskatchewan IPC Investigation Report 177-2018, January 29, 2019
Privacy Breach Nuggets You Need to Know
There are many privacy breaches in the news each day. The more you know about these breaches and how they can affect you, the more proactive you can be in preventing privacy breach pain.
Privacy education is more than just having policies and procedures. Demonstrating good practices, regular discussion about examples, and even gamification helps to ensure that all members of your healthcare team understand their roles and responsibilities.
If you need to start or update your privacy breach management program, check out the 4 Step Response Plan; Prevent Privacy Breach Pain.
“When we know better, we can do better”
I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.
Jean L. Eaton, Your Practical Privacy Coach