Privacy commissioner seeks changes to protect medical records

‘How many cases do you need before you take the necessary steps?’ Graham Steele asks Health Department

Nunavut’s information and privacy commissioner Graham Steele says he is worried about how many cases of snooping into medical records are occurring without any detection. (File photo)

By Kierstin Williams

Nunavut’s information and privacy commissioner again called on the Health Department to improve the way it protects people’s privacy.

In a report released July 2, Graham Steele recommended the department address a privacy breach in which an employee went through two patients’ medical records without authorization or disclosure between April 2023 and April this year.

The employee — who is not identified in the report — resigned the day after being informed by a manager of the allegations that they had viewed the charts without clinical reason, and has since left Nunavut.

The report said that according to a summary from Meditech, whose software system is where electronic medical records are stored in Nunavut, the employee accessed one patient’s medical chart on five different days and the other patient’s chart on 14 different days.

The employee was not involved in either patient’s care at any time.

“This is far from the first time this kind of case has presented itself,” Steele said in an interview.

“What I worry about is because it’s so hard to detect when somebody does it, there may be so many cases out there that we’re not even aware about.”

As in previous reports involving breaches of privacy, Steele again recommended the Health Department develop a comprehensive “anti-intrusion” plan for the Meditech system.

He also recommended the department develop a written policy procedure for filing professional disciplinary complaints in cases of intrusion. Currently, there is no established process for filing complaints, for what evidence can be submitted to support a complaint, or for who is responsible for monitoring a complaint after it is filed.

“Having an appropriate policy and procedure on what to do when snooping is suspected is very much part of what Health needs to do,” Steele said.

“I’ve recommended it before and they haven’t done it. So I’m recommending it again and saying, ‘How many cases do you need before you take the necessary steps?’”

The commissioner also recommended the Health Department place the former employee on a do-not-hire list, saying he recognizes the difficulty of disciplining an ex-employee who also no longer resides in Nunavut.

The report notes the Health Department did purchase software to monitor for data intrusion and that it intends to roll it out “soon.”

Steele recommended the roll-out be accompanied by a communications plan for staff reinforcing that intrusion of confidential records is wrong and carries consequences.

Susan Anderson, the department’s chief information officer, said in an email to Nunatsiaq News that the Health Department was “not surprised” by the report’s recommendations.

She said “we have been in active conversations with [Steele] about initiatives and actions to enhance both confidentiality and privacy of health information for Nunavummiut.”

Anderson declined to be interviewed until the department’s response is provided to Steele in the fall.

The Health Department is in the process of putting the new audit software into use, but did not specify a date for when it will be in place.

 


(2) Comments:

  1. Posted by lol on

    “He also recommended the department develop a written policy procedure for filing professional disciplinary complaints in cases of intrusion.”

    I believe everyone but lawyers and nurses are regulated by the GN directly, not self regulating like elsewhere. So they need a policy to report it to themselves in most cases?

  2. Posted by Danny Diddler on

    This gentleman takes his serious job very seriously. He’s a rare commodity in this part of the world. We need more like him.
