Privacy breach at South Health Campus violated Alberta laws: commissioner

Alberta's privacy commissioner has ruled Alberta Health Services violated the Health Information Act when 49 employees improperly accessed a patient's file in 2015. Erika Tucker / Global News

The province’s privacy commissioner has found Alberta Health Services (AHS) violated the Health Information Act when 49 employees at Calgary’s South Health Campus accessed a patient’s file for “unauthorized purposes” in 2015.

An investigation by the Office of the Information and Privacy Commissioner (OIPC) found a number of employees couldn’t remember why they had accessed the health information of a patient and her daughter.

OIPC said there was no evidence of privacy training for any of the 49 employees involved in the breach.

READ MORE: AHS drops disciplinary action against nurses after alleged privacy breach

“This incident highlights the significant gap that existed between the requirements of the law and AHS policies and the actual practices implemented in the South Health Campus emergency department,” Information and Privacy Commissioner Jill Clayton said.

Story continues below advertisement

OIPC said the woman was flagged in electronic medical record systems as a confidential patient “due to the circumstances around her admission to the emergency department.”

An internal audit by the AHS Privacy Office found the 49 employees, including managers, nurses and non-nursing or clerical staff accessed her file “outside their role of providing a health service.”

The privacy commissioner said AHS hadn’t taken reasonable steps to “implement technical safeguards” and reported that a portion of the 49 employees who had unauthorized access to the patient’s file left their smart cards in the electronic medical system for their entire shift.

READ MORE: Thousands of Alberta patient files inappropriately accessed by former AHS employee

“The practice of leaving the cards in the system defeats the protection this technology offers,” a media statement read.

“The Health Information Act requires custodians to have safeguards, training and policies in place to protect patient privacy, but even the best efforts can be completely undermined without a commitment to implementation and monitoring, and communication to staff,” Clayton said.

OIPC said in a media release Wednesday that AHS had already addressed many of its six recommendations.