Island Health reported recently that two nurses had been fired after they delved into the electronic files of 112 patients, including those of family, friends, co-workers and acquaintances. Island Health said along with that case, there were six other cases of privacy breaches this fiscal year, resulting in one termination. The other breaches substantiated by the privacy office are all “materially different in scope and magnitude” than the one involving 112 patient files, said spokeswoman Suzanne Germain.
Island Health won’t elaborate on the breaches or the action taken, other than to say they resulted in everything from suspensions to terminations, retraining and re-signing of confidentiality agreements. “In all seven instances, the organization addressed the breach on a case-by-case basis, commensurate with the nature and severity of the incident and in alignment with Island Health’s confidentiality and human-resource policies.”
Health-care workers — ranging from doctors to nurses and occupational therapists, among others — are authorized to access patient records within a care setting as required. As part of signing into the system, they must declare the care relationship. That individual access is subject to signed confidentiality agreements and guidelines.
A patient’s electronic file is similar to a paper file and contains a name, services received and care providers’ names. Deeper within the file are records of diagnosis and treatments, lab and X-ray results and admission histories.
Dr. Mary Lyn Fyfe, chief medical information officer for Island Health, called the breaches “egregious and disappointing and unethical.”
Island Health says it was the enormity of the breach that compelled the health authority to issue a statement. “It’s rare to have one of this magnitude,” Germain said. After receiving a tip and launching an investigation on Oct. 3, the health authority found 112 breaches by two nurses over the period from January 2012 to October 2014.
Any patient file that is opened will have a history of the user names used to access it and what pages were reviewed.
The electronic health-record system can only be accessed from within a care facility, Germain said.
Island Health’s electronic health-records system is protected by a series of technical safeguards, including firewalls and intrusion-prevention systems, that shield it from outside access by individuals who do not have access privileges, said Germain.
Audits are usually complaint-driven, but random audits can also be done, and files that could be prone to abuse — those concerning high-profile issues and people, for example — can be flagged for active audits.
Island Health apologized to all the patients whose files were compromised. The health authority called by phone, held in-person interviews where requested, and sent letters if patients couldn’t be reached.
B.C. Nurses’ Union president Gayle Duteil said that any breach of privacy “is a very serious issue” but would not comment on the nurses’ case, citing “ongoing due process involved in labour relations.”