Privacy breach prevention: All staff must be trained

The scenario: Unauthorized records access by staff

An employee of Dr. Smith’s clinic, while on leave, entered the clinic during office hours and accessed electronic medical records using another employee’s login credentials. Another staff member later informed Dr. Smith that the employee had improperly accessed the medical records of family and friends, and may have removed copies of files from the clinic.

The outcome: Clinician found responsible

An investigation by the Office of the Information and Privacy Commissioner of Alberta (OIPC) found that the clinic had policies and procedures in place to prevent this kind of inappropriate access, but none of the staff had been trained on them. No one in the clinic could locate the OIPC-accepted Privacy Impact Assessment that had been completed.

Failing to train staff on the clinic policies and procedures meant to safeguard patient privacy contravenes the Health Information Act. Under the Act, the lead custodian is responsible for the actions of untrained staff.

The takeaway

It is not enough to create compliant policies and procedures. To remain compliant with the Health Information Act, all staff must be trained on the accepted policies and procedures, and that training must be documented.

Privacy breach prevention: Managing the information of minors

The scenario: Unauthorized disclosure to parents

A 16-year-old would like to start using birth control but does not want this information disclosed to her mother. The year before, the mother had been closely involved with the GP in managing her daughter’s severe respiratory condition, so when she asked to see the records from her daughter’s latest visit, staff assumed it was acceptable to share them.

The outcome

This is an unauthorized disclosure, which is a breach. Alberta has set no fixed age for a mature minor; the physician must make that determination, weighing factors such as the seriousness of the proposed treatment. The courts have generally treated approximately 16 years as the threshold for maturity and have not recognized anyone younger than 14 as a mature minor.

The takeaway 

Adequate training ensures that staff and physicians are prepared for highly charged, emotional demands from patients and their family members. If the clinic has no access to a privacy expert, or its privacy officer is not fully briefed on grey areas such as this one, staff tend to give in to the ‘squeakiest wheel’ (here, the concerned mother) and in doing so violate the patient’s rights.

Note: While Alberta Health has indicated that Albertans aged 14 and over can access their own information through the provincial and Alberta Health Services portals, this does not establish 14 as the age of maturity.