
Nova Scotia Health Employees Snooped On Medical Records Of People Related To Mass Shooting

On April 18-19, 2020, Nova Scotia Health proactively monitored its employees’ access to the electronic health records of individuals involved in or related to the mass casualty event in Portapique, Nova Scotia.

Nova Scotia Health found eight employees had used their access to electronic health information systems to snoop, for their own personal gain, on these individuals’ electronic health records. The employees did not have an authorized work-related reason. Snooping is a privacy breach under Nova Scotia’s Personal Health Information Act.

Nova Scotia Health further investigated these employees and conducted additional audits of their access to electronic health records, which revealed even more breaches going back for years.

These breaches were reported to the Office of the Information and Privacy Commissioner in June 2020. The Commissioner launched their own investigation and found the eight employees snooped on 270 individuals more than 1,200 times.

“We apologize to each impacted patient. This breach added further unnecessary harm to the families of those who lost loved ones in April 2020,” said a statement from Nova Scotia Health today. “We deeply regret that this breach took place. It is essential that Nova Scotians trust us to protect their personal health information. It is shared with us at a time when you’re at your most vulnerable and should never be subject to the curiosity of others.”

“The actions of those employees do not reflect our corporate culture, or the behaviour of most of our staff and physicians,” said Nova Scotia Health in their statement. “Nova Scotia Health is committed to protecting the confidentiality of patient information and to following the Personal Health Information Act (PHIA).”

Nova Scotia Health says they will accept most of the Commissioner’s twelve recommendations.

“The urge to snoop into individuals’ electronic health records is hard for some employees to resist,” said the report’s key takeaways. “That is why it is so important for organizations to have policies that quickly catch snooping, denounce it, and enforce penalties for staff that snoop.”

Key Findings

The Commissioner made 12 findings. A summary of the key findings is provided below:

  • There is room for improvement of the content of NSH’s institution-wide privacy training
    and its practices for ensuring training takes place annually.
  • NSH’s role-based access practices are not strong enough. Too many employees have
    access to information they don’t need to see.
  • NSH did not consistently follow its own policies and procedures when responding to
    these privacy breaches.
  • NSH has not dedicated enough resources to proactively audit and monitor potential
    snooping by employees.
  • There is room for improvement in NSH’s privacy management program and in fostering
    an internal culture of privacy.

Key Recommendations

The Commissioner makes 12 recommendations. A summary of the key recommendations is
provided below:

  • NSH should strengthen its institution-wide privacy training and its practices for making
    sure privacy training takes place annually.
  • NSH should take steps to limit employee access to detailed personal health information.
  • NSH should train staff who are responsible for responding to privacy breaches to follow
    existing policies and procedures.
  • NSH should provide sufficient resources to update and implement its auditing plans for
    monitoring potential snooping actions by employees.
  • NSH should implement stronger leadership and governance (particularly in terms of its
    privacy management program) to create a culture of privacy.
