Privacy commissioner finds doctors snooped in Humboldt Broncos patient records
Flowers lie at centre ice as people gather for a vigil at the Elgar Petersen Arena, home of the Humboldt Broncos, to honour the victims of a fatal bus accident in Humboldt, Sask. on Sunday, April 8, 2018. The GoFundMe page dedicated to the Broncos, believed to be the largest of its kind in Canadian history, will remain open for two more days before being transferred to a newly created memorial fund, the team's officials announced Monday. THE CANADIAN PRESS/Jonathan Hayward
The Canadian Press
Published Tuesday, February 12, 2019 3:28PM CST
Saskatchewan's privacy commissioner has found several people inappropriately gained access to the electronic health records of the Humboldt Broncos team members involved in a deadly bus crash last April.
Sixteen people were killed and 13 were injured in the crash between the junior hockey team's bus and a semi trailer at a rural Saskatchewan intersection on April 6, 2018.
"This has been a major tragedy in our province and I'm disappointed that people got tempted," information and privacy commissioner Ronald Kruzeniski said in an interview with The Canadian Press on Monday. "Now that it's happened ... it's my job to work with others through education and legislative change (to) make the system work."
In four reports posted on his website, Kruzeniski noted that eHealth Saskatchewan began monitoring the profiles of the patients -- which included lab results, medication information and chronic diseases -- three days after the crash.
From April 9, 2018, to May 15, 2018, the health agency detected at least seven users, mostly doctors, accessed the system to view the profiles of up to 10 patients.
The reports said that eHealth reported the breaches to the privacy commissioner.
Kruzeniski detailed the privacy breaches in those reports.
In one case, an employee of a medical clinic examined the health information of three people involved in the collision.
The assistant admitted she consulted the records because "her family members had heard one of the individuals had died and she wanted to verify the information; she thought another individual was a patient ... (and) she wanted to verify a detail that was reported by the media about one of the individuals."
The report said the employee's access to eHealth was suspended and she was given further training, but she has since resigned.
Another case involved a doctor at a Humboldt clinic who viewed the records of two people who were patients prior to the crash.
"Dr. D wanted to know what injuries the individual sustained, if the individual received care or if it was an instant fatality," said the report. "For the other individual, Humboldt clinic explained to eHealth that Dr. D was concerned.
"Based on these explanations, Dr. D did not have a need-to-know."
Other breaches included three doctors who provided emergency care at the Nipawin Hospital and who reviewed patient records of those they treated.
"They believed they were in the individuals' 'circle of care,"' said the report.
The privacy commissioner said the province's Health Information Protection Act does not address circles of care so the doctors were no longer authorized to access the records.
"You are entitled to access when you have a need to know, not an anticipated need, not, 'Gee, I might like to know," he explained.
During the monitoring period, two medical residents also looked at the records of one crash patient when the residents were reviewing the records of dozens of other patients with a particular illness.
Kruzeniski made a number of recommendations to eHealth --including that it conduct regular monthly audits for the next three years of the physicians involved.
The privacy commissioner also recommended that the organization comply with a need-to-know principle rather than a circle-of-care concept and that users of eHealth be made to regularly review their training.
A statement from eHealth said it took a number of measures to address the breaches, including notifying the privacy commissioner and the families affected.
It terminated the account of the medical office assistant, suspended the accounts of the medical residents until they had further training and sent letters to the doctors. It's reviewing the recommendations from the privacy commissioner.
The Saskatchewan Health Authority said it is also following up on the breaches and apologized to the patients and their families.
"We are deeply sorry that the situations described in the privacy commissioner's reports may add to their stress," the authority said in a statement.
"We believe the physicians cited in the cases ... specifically those who provided care to the patients affected, acted in good faith and out of sincere concern for the patients and families touched by this terrible tragedy."
The health authority said it will work with the Ministry of Health on possible amendments to privacy regulations.