NWT clinical report device beneath microscope after 2 instances of snuping
Recent reports of secrecy violations related to medical records-also include a case in which two health care workers saw a woman’s record, one of them was in a relationship with Northwest Territory Health and Social Services Authority describe the weaknesses in the electronic medical record system of the Authority.
The Northwest Territis’ Information and Privacy Commissioners release reports on cases in which an investigation gives evidence of deliberate and unauthorized access to personal health information, usually known as “snuping”.
This year, Commissioner Andrew Fox publicly reported two separate cases of snuping in electronic medical records. They both included employees of Northwest Territory Health and Social Services Authority (Nthssa).
An electronic medical record (EMR) is a digital version of a patient’s medical history. This may include things like exam results, X-rays and prescriptions.
These records are one of the most sensitive pieces of information that a government agency holds on citizens, and yet, according to at least one expert, the electronic medical record system of the region does not appear to meet the highest moral standards for patient privacy.
A case published this year included two Nthssa employees, who, on several occasions, snatched into the medical records of a patient, which was not in their care. Employees were brothers and sizes and the patient was earlier in a relationship with one of them.
This was not until the patient filed a “record of activity” in July 2023 – a report on which his EMR saw – which he learned about the violation.
“I was hate. I felt incredibly violated,” Mary’s Grevel said, the patient who had taken away his medical record.
This year, another case published online by the Privacy Commissioner included an example in 2021 of an administrative clerk with Nthssa, which deliberately opened a person’s EMR and relate some of his personal health information to another person. The clerk wrote Fox “without consent and without any valid rights”.
The clerk admitted to the wrongdoing during an Nthssa investigation, and was fired a few months later.
Fox called it “especially egoistic, deliberate privacy violation”. He said that the Health Authority’s response was appropriate, but the agency should have canceled the employee’s EMR access as soon as the breech was confirmed.
The Health Authority uses the “role-based access” for the EMR system, which means that the access of an employee is required for their role.
Fox said that on such occasions when the clerk was assigned to other roles, NTHSSA did not ban its EMR access according to the roles.
‘Intentional and serious violation of faith’
Gravelle told CBC that he feels that health records should have more security measures.
“Our financial institutions have software to identify that our accounts probably have a fraud,” he said. “How can a banking institute have those types of security measures, but if there is suspicious action in someone’s chart, on emergency medical records, there is no alert on hospital software on emergency medical records?”
In his report in Gravel’s case, the Privacy Commissioner said that the jobs of brother -in -law gave them “extensive access” to the EMR system. His inspiration to open the patient’s record “is” curiosity from a personal relationship. “
Fox called confidentiality “intentional and serious violations”, and said that this caused the patient to cause “significant crisis”.
Both brothers and sisters were admitted to misconduct, suspended without payment for 10 days and their EMR access for at least 18 months was canceled.
The Health Authority is required by the law that they “as soon as possible” about the violation of their medical records.
NTHSSA CEO Kim Riles said in a statement that the Health Authority should examine all reports of secrecy violations, and when a investigation is completed, inform the affected people.
“Many times, the investigation process may take significant time,” Riles wrote. He said that Nthssa is reviewing its practices and “it is committed to ensure that a privacy violation is soon confirmed as a notification, even if a complete investigation is over.”
He said that the agency acknowledged the recommendations of the privacy commissioner and continued to improve and update compulsory training.
Auditing emrs ‘a real challenge’
Livia is the Chief Health Privacy Officer of the Kurinska-Hardalikova region. He said that the EMR system does regular audit checks for suspicious activity, which if found, is identified to the Health Authority.
But Fox told CBC that auditing EMR for examples of unauthorized access is “a real challenge.”
“If you look at some random samples of employees looking at health records, then there is nothing really that you can guess from the fact that a laboratory assistant saw someone’s medical record,” he said. “You could not tell whether it was authorized or not.”
Any of the two snuping cases published this year was marked by a regular audit.
Kurinska-HRDLickova reported that an employee with a role-based access to the EMR system has gone through mandatory secrecy training, and took an oath of privacy. They require a patient’s first and last name and their date of birth or health care number to open their medical records.
The system also depends on confidence that employees with access will only use the EMR system when necessary for their work on a specific case.
“No system in Canada is correct,” said Kurinska-Herdlikova. “You never go to a zero risk, okay? Because it is impossible.”
EMR system is not ‘structured’ according to morality: expert
As Fox said, NTHSSA raised confidence to employees with EMR access, and employees broke the trust.
A university of Victoria Biomedical Ethics Professor, Aaik Clus, said that in the case of siblings, the EMR system should not have allowed them to open Grevel’s record in the first place.
He said, “There should be a challenge. Who are you and what do you have the right to reach that record.”
It is not clear that such challenges, if any, are now manufactured in the system. CBC requested more information from Nthssa, but no response was received before the deadline.
Kluege said that the system should not only mark inappropriate access, it should be stopped.
If the system is not blocking unfair access, “it’s not properly structured,” he said. “Certainly not according to morality.”
Kurinska-Hardalikova disagreed with the claim of clues and said that the EMR system of the region complies with the regional privacy law.
He also said that the EMR system of the region is to be replaced in the near future, and the new system would have even more strong privacy security.
NWT or Canada does not have easily available data on the spread of medical record snuping.
Any resident who is concerned about the confidentiality of their health information can file access to online health information request.
