The recent case of a health care worker who accessed close to 200 individuals’ medical records underscores how important it is for employers to have clear privacy policies and training in place to prevent internal security breaches.
On February 10, 2022, the Office of the Information and Privacy Commissioner of Alberta announced it had fined a former Alberta Health Services employee a total of $6,000 after she pleaded guilty to accessing the health information of 189 individuals a total of 985 times, an offence under Alberta’s Health Information Act. She was also given 18 months’ probation.
Employers Must Educate Staff on Unauthorized Access
Generally speaking, health care workers should only access patient records on a need-to-know basis. The woman who was fined in this case was driven by “curiosity,” according to a news report. This highlights the need for health care employers to educate staff on unauthorized access to patient records.
While this particular instance of “snooping” took place in Alberta, the risk of unauthorized access to health records exists in every jurisdiction. In Saskatchewan, for example, The Health Information Protection Act outlines the duty of health care workers to protect patient records.
The Office of the Saskatchewan Information and Privacy Commissioner published a blog about unauthorized access to health records, noting that medical records should never be accessed out of curiosity, concern, personal gain, spite or boredom. This includes looking up a family member’s health records out of concern.
How to Mitigate Internal Security Threats
Health care employers should have robust confidentiality and privacy policies and procedures in place to safeguard sensitive information. To help prevent unauthorized access to health records, they should consider using:
- security screening and confidentiality agreements;
- organizational policies and procedures;
- employee training and awareness;
- access controls and data segregation; and
- oversight and monitoring.
Privacy policies should clearly identify prohibited conduct and the consequences for engaging in prohibited conduct. Employers should also offer adequate privacy training to employees and keep records of training sessions. When employees are being trained, they should be required to demonstrate that they understand the policies and procedures, and should provide written confirmation of their understanding.
It’s also important for employers to make sure their access controls don’t allow personal information to be easily moved from secure systems into more widely accessible ones. Employers should consider using active monitoring (for example, routine review of the audit logs that record who opened which patient chart, and when) to detect unauthorized access, and should have appropriate retention and destruction policies in place for health records.
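As an added illustration of what “oversight and monitoring” can look like in practice, here is a short Python review script. It is example code written for this page, not code from the original article, from Alberta Health Services or from either commissioner’s office. It reads a constructed record-access log and flags two patterns associated with snooping: a chart opened with no documented care relationship between the staff member and the patient (the need-to-know test), and a staff member who opened more distinct charts in one day than a plausible role-based ceiling. The log format, field names, care-team data and the daily limit are all assumptions made for the example.

```python
"""Audit-log review for patient-record snooping.

Added illustration for this article, not from the original page. Two rules a
privacy office might run over an electronic health record access log:
  1. an access with no documented care relationship between the staff
     member and the patient (the "need-to-know" test), and
  2. a staff member who opened more distinct patient charts in a day than a
     role-based ceiling allows.
The log format, field names, care-team data and threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data): timestamp, staff id, patient id, action.
SAMPLE_LOG = """\
2022-01-03T08:02:11 u1001 P5001 VIEW
2022-01-03T08:05:40 u1001 P5002 VIEW
2022-01-03T09:10:02 u1001 P5003 VIEW
2022-01-03T12:30:55 u1001 P5004 VIEW
2022-01-03T12:31:20 u1001 P5005 VIEW
2022-01-03T12:31:48 u1001 P5006 VIEW
2022-01-03T13:00:00 u1002 P5001 VIEW
2022-01-03T13:04:10 u1002 P5007 UPDATE
"""

# Constructed care relationships: the patients each staff member is assigned
# to, as a real system might derive from scheduling or encounter records.
CARE_TEAM = {
    "u1001": {"P5001", "P5002"},
    "u1002": {"P5001", "P5007"},
}

# Assumed ceiling on distinct charts one person opens per day; a real
# deployment would set this per role (a unit clerk differs from a nurse).
DAILY_DISTINCT_LIMIT = 4


def parse_log(text):
    """Parse whitespace-separated audit lines into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "patient": patient,
            "action": action,
        })
    return events


def accesses_without_relationship(events, care_team):
    """Return (user, patient) pairs opened with no documented care relationship."""
    flagged = []
    for e in events:
        if e["patient"] not in care_team.get(e["user"], set()):
            flagged.append((e["user"], e["patient"]))
    return flagged


def high_volume_users(events, limit):
    """Return {user: distinct chart count} for users over the daily limit."""
    per_user_day = defaultdict(set)
    for e in events:
        per_user_day[(e["user"], e["ts"].date())].add(e["patient"])
    over = {}
    for (user, _day), patients in per_user_day.items():
        if len(patients) > limit:
            over[user] = len(patients)
    return over


def review(log_text, care_team=CARE_TEAM, limit=DAILY_DISTINCT_LIMIT):
    """Run both rules over a raw log and return the findings."""
    events = parse_log(log_text)
    return {
        "no_relationship": accesses_without_relationship(events, care_team),
        "high_volume": high_volume_users(events, limit),
    }


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    for user, patient in result["no_relationship"]:
        print(f"no care relationship: {user} opened {patient}")
    for user, count in result["high_volume"].items():
        print(f"high volume: {user} opened {count} distinct charts in one day")
```

On the sample data the first rule flags four of u1001’s accesses and the second flags u1001 for opening six charts in a day; u1002 is clean under both. The second rule is aimed at the pattern in the Alberta case, one person opening many unrelated charts, while the first catches a single curiosity lookup that no volume threshold would notice. Findings from a script like this are only a starting point for the privacy office; a care relationship can legitimately be missing from the data (a covering clinician, an emergency), so each flag still needs a human review before it becomes a disciplinary matter.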
Does Your Organization Need Help with Privacy Training?
Employers in the health care sector are vulnerable to potential internal security threats, but so is any industry or organization that has access to sensitive personal information. Education is key to preventing breaches. The MLT Aikins Labour & Employment team has extensive experience advising employers on their legal obligations, and our Privacy, Data Protection & Cybersecurity group offers fixed-fee privacy training for employees.
Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.