Do you have a privacy breach awareness program in place in your healthcare practice?
Spotting a privacy breach is the first step to stopping a privacy breach.
You Can Use This Privacy Breach Example to Review and Improve Your Practices.
This Is What Happened
The clinic recognized that one of their employees viewed the health records of close acquaintances, friends, and others in the community. She did not have a need to know this information to do her job.
In one case, the employee disclosed an individual’s health information to a friend.
In June 2018, a medical clinic in Alberta reported a privacy breach to the Alberta Office of the Information and Privacy Commissioner.
The OIPC opened an investigation and subsequently referred its findings to the Specialized Prosecutions Branch of Alberta Justice. Charges of an offence under the Health Information Act (HIA) were laid.
Unauthorized Access By Employees
On September 2, 2020 the clinic former employee plead guilty in court to breaching the HIA. It is an offence under HIA to knowingly gain or attempt to gain access to health information in contravention of the Act (section 107(2)(b)).
The judge sentenced the employee to
- $6,000 fine
- three years probation, and
- 180 hours of community service
This breach was entirely preventable.
Keep this story in mind when you are trying to determine the return on investment to deliver privacy awareness training and EMR user monitoring tools to prevent and identify early snooping privacy incidents.
You can invest a little now with privacy awareness training . . . or you can pay over and over again for an investigation and bad publicity that never ends!
Privacy Breaches – What You Need to Know
1. Provide privacy awareness training for each employee and healthcare provider at orientation and regularly throughout the employment.
2. Collect the employee’s oath of confidentiality, including an acknowledgement that the employee understands the principles of using only access health information necessary to perform their job.
3. Monitor your users’ access to health information to quickly identify when a suspicious privacy incident occurs. The sooner you identify a privacy breach, the sooner you can limit the risk.
4. Implement your sanction policy when needed. Your sanctions policy clearly identifies the sanctions when an employee or healthcare provider is liable of an offence under the HIA.
5. Report a privacy breach to your custodians and healthcare providers, the Office of the Information and Privacy Commissioner, and the Minister of Alberta Health and the individuals affected by the breach.
When we know better, we can do better…
I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you protect your practice.
PRIVACY BREACH NUGGETS are provided to help you add a ‘nugget' to your privacy education program. Share these with your staff and patients as a newsletter, poster, or staff meeting.
Jean L. Eaton, Your Practical Privacy Coach
Did you enjoy this article? If you’d like to look at similar posts, visit these links:
Not sure what is considered a privacy breach? See When is a Privacy Breach a Privacy Breach?
Do you do routine audits? Here’s how.
Are Your Employees Privacy Aware? Start now!
Edmonton Journal. Former Camrose medical clinic worker hit with fine, probation for snooping health records. Nicole Bergot, Sep 10, 2020. https://edmontonjournal.com/news/local-news/former-camrose-medical-clinic-worker-hit-with-fine-probation-for-snooping-health-records
Alberta OIPC. Multiple Penalties Issued to Individual Convicted of Health Information Breaches. https://www.oipc.ab.ca/news-and-events/news-releases/2020/multiple-penalties-issued-to-individual-convicted-of-health-information-breaches.aspx