Some of the Saskatchewan Health Authority’s (SHA) privacy breach prevention strategies are not sufficient or standardized, the province’s privacy commissioner concluded in a recent report.
The finding by Ronald Kruzeniski stems from an investigation his office undertook after four continuing care aide (CCA) home visit schedules containing patient information were either lost or stolen in Saskatoon and Regina.
The files with 59 patient’s information and went missing between Sept. 19, 2018, and June 10, 2019.
The documents had the individuals’ names, addresses, phone numbers, health details and care they require.
Only one page was recovered, and it contained information on how to access the patient’s residence. It is unknown if the other schedules contained this information, too, Kruzeniski’s report said.
Three of the incidents involved vehicles being broken into and the schedules stolen while the care worker was either at home or at a patient’s home. The fourth incident saw one page of a schedule being found in a parking lot.
Get weekly health news
Kruzeniski’s assessment involved two separate privacy breaches his office investigated in 2017, where continuing care aides lost home visit schedules that contained similar information for 21 patients.
These incidents, the report said, occurred before the amalgamation of the regional health authorities into the SHA in December 2017.
“I find that the SHA’s prevention strategies have not been sufficient to address the loss of CCA’s schedules and that there is no apparent standardization across the province,” he wrote in the Dec. 6 report.
During his investigation, he found that the SHA had implemented various methods to protect personal health information.
However, the SHA provided Kruzeniski’s office with copies of work standards and policy procedures about the management of continuing care aide’s schedules that were not consistent between Regina and Saskatoon.
The SHA, the report said, did not provide information on what safeguards are in place in other areas of the province.
“I am advised that the SHA’s policy and procedure is to print each day’s schedule and then shred it after each shift. One of the incidents involved 20 shifts while another involved one month of schedules,” he wrote.
In larger centres with a home care office, personal health information is to be printed for each shift and kept on their person at all times then shredded at the end of their shift, the report said.
In rural locations with no office, personal health information is to be kept with a person at all times and taken into the continuing care aide’s residence at the end of each shift. The information is to be kept securely until it can be shredded.
“However, in spite of this policy and procedure, a number of CCAs still left the schedules in their vehicles unattended and two of them had printed and were transporting 20 – 30 days of schedules,” Kruzeniski wrote.
The privacy commissioner recommended the SHA take four steps: determine appropriate safeguards to fulfill its duty to protect; implement consistent policies and procedures throughout the province; monitor the compliance of its continuing care aids with these policies and procedures across the province; and consistently follow best practices for writing breach investigation reports.
Comments