An Alberta privacy commissioner report has lessons for health information custodians (HICs) in Ontario, Lonny Rosen tells AdvocateDaily.
The report dealt with an Edmonton hospital employee who, over the course of a decade, violated the Alberta Health Information Act (AHIA) by improperly accessing the personal health information of more than 1,300 individuals, as well as the demographic information of 11,500 more via the province’s electronic health record system.
Rosen says the case is significant because the investigation’s focus shifted from the actions of a rogue employee to the steps taken by the employer, in large part because the breaches continued for so long and because of the number of red flags about her behaviour that the HIC missed.
“HICs should be working to instil a culture of privacy, which seemed to be lacking here,” Rosen says. “In that kind of culture, employees will call one another out for unsafe practices and work to ensure that the custodian adheres to privacy legislation and safeguards the personal health information of patients. Training is the only way to embed this type of culture in an institution.”