Sask. commissioner finds doctors snooped in Humboldt Broncos patient records

Click to play video: 'Jaskirat Singh Sidhu admits responsibility for Humboldt Broncos bus crash' Jaskirat Singh Sidhu admits responsibility for Humboldt Broncos bus crash
WATCH ABOVE: Jaskirat Singh Sidhu did not talk to reporters after lawyers argued his sentence, but we did learn more about the 30-year-old man in court. Sarah Komadina with the details – Jan 31, 2019

Saskatchewan’s privacy commissioner has found several people inappropriately gained access to the electronic health records of the Humboldt Broncos team members involved in a deadly bus crash last April.

Sixteen people were killed and 13 were injured in the crash between the junior hockey team’s bus and a semi trailer at a rural Saskatchewan intersection on April 6, 2018.

READ MORE: Humboldt Broncos 1st year memorial service planning underway

“This has been a major tragedy in our province and I’m disappointed that people got tempted,” information and privacy commissioner Ronald Kruzeniski said in an interview with The Canadian Press on Monday. “Now that it’s happened … it’s my job to work with others through education and legislative change (to) make the system work.”

Story continues below advertisement

In four reports posted on his website, Kruzeniski noted that eHealth Saskatchewan began monitoring the profiles of the patients – which included lab results, medication information and chronic diseases – three days after the crash.

From April 9, 2018, to May 15, 2018, the health agency detected at least seven users, mostly doctors, accessed the system to view the profiles of up to 10 patients.

The reports said that eHealth reported the breaches to the privacy commissioner.

Kruzeniski detailed the privacy breaches in those reports.

In one case, an employee of a medical clinic examined the health information of three people involved in the collision.

The assistant admitted she consulted the records because “her family members had heard one of the individuals had died and she wanted to verify the information; she thought another individual was a patient … (and) she wanted to verify a detail that was reported by the media about one of the individuals.”

The report said the employee’s access to eHealth was suspended and she was given further training, but she has since resigned.

READ MORE: Sidhu apologizes to families as Crown asks for 10-year sentence in Humboldt Broncos bus crash

Another case involved a doctor at a Humboldt clinic who viewed the records of two people who were patients prior to the crash.

Story continues below advertisement

“Dr. D wanted to know what injuries the individual sustained, if the individual received care or if it was an instant fatality,” said the report. “For the other individual, Humboldt clinic explained to eHealth that Dr. D was concerned.

“Based on these explanations, Dr. D did not have a need-to-know.”

Other breaches included three doctors who provided emergency care at the Nipawin Hospital and who reviewed patient records of those they treated.

“They believed they were in the individuals’ ‘circle of care,”‘ said the report.

The privacy commissioner said the province’s Health Information Protection Act does not address circles of care so the doctors were no longer authorized to access the records.

“You are entitled to access when you have a need to know, not an anticipated need, not, ‘Gee, I might like to know,” he explained.

WATCH BELOW: Digital world concerns Saskatchewan privacy commissioner

Click to play video: '‘Culture of caution:’ Digital world concerns Saskatchewan privacy commissioner' ‘Culture of caution:’ Digital world concerns Saskatchewan privacy commissioner
‘Culture of caution:’ Digital world concerns Saskatchewan privacy commissioner – Jun 21, 2017

During the monitoring period, two medical residents also looked at the records of one crash patient when the residents were reviewing the records of dozens of other patients with a particular illness.

Story continues below advertisement

Kruzeniski made a number of recommendations to eHealth –including that it conduct regular monthly audits for the next three years of the physicians involved.

The privacy commissioner also recommended that the organization comply with a need-to-know principle rather than a circle-of-care concept and that users of eHealth be made to regularly review their training.

A statement from eHealth said it took a number of measures to address the breaches, including notifying the privacy commissioner and the families affected.

It terminated the account of the medical office assistant, suspended the accounts of the medical residents until they had further training and sent letters to the doctors. It’s reviewing the recommendations from the privacy commissioner.

The Saskatchewan Health Authority said it is also following up on the breaches and apologized to the patients and their families.

“We are deeply sorry that the situations described in the privacy commissioner’s reports may add to their stress,” the authority said in a statement.

“We believe the physicians cited in the cases … specifically those who provided care to the patients affected, acted in good faith and out of sincere concern for the patients and families touched by this terrible tragedy.”

The health authority said it will work with the Ministry of Health on possible amendments to privacy regulations.


Sponsored content