Health authority didn’t properly report privacy breach, N.W.T. privacy commissioner says
The N.W.T. information and privacy commissioner said the territory’s health authority didn’t properly report a privacy breach involving personal medical information that was mistakenly shared with the wrong patient.
The commissioner found that the department violated the Health Information Act by quietly fixing the error before reporting the incident months later, following a patient complaint.
On March 6, 2020, a patient attended a psychiatric appointment to review an assessment. In reviewing the report, the patient said “it turned manifestly apparent” that the information was not about them, according to the commissioner’s November 2022 report on the incident.
The assessment report had the patient’s name and birthday, but mistakenly included someone else’s job title, prognosis and other personal identifying information.
The doctor, a locum, told the patient they would follow up later that day about “the discrepancy” but never did. When the patient called the clinic three days later, the locum had left town and the clinic said it could not provide any more information.
A few days after that, the patient submitted a complaint to the health minister and requested a review by the territory’s information and privacy commissioner.
One week after the incident, the Northwest Territories Health and Social Services Authority (NTHSSA) called the patient to confirm that there had been an error in their record but that both patients’ electronic medical records had been corrected.
NTHSSA formally notified the commissioner about the breach two months later.
Commissioner Andrew Fox reviewed the incident and said that NTHSSA violated policy and the Health Information Act in its reporting of the incident.
While the clinic staff corrected the error four days after the incident, Fox said the health authority was late to report the error, doing so months later, only after several requests from the commissioner’s office.
The Health Information Act requires that affected parties be notified “as soon as reasonably possible.”
The second patient, whose assessment was mistakenly shared with the person attending the March 6 appointment, was only notified about the privacy breach in May, over two months after it happened.
The Act also requires formal written notice. That was never provided to the first patient who submitted the complaint.
Fox’s report said that NTHSSA’s final privacy breach report was tardy and lacked detail.
The report was submitted five months later than promised and seven months after the incident. Fox said the health authority also did not identify long-term measures to prevent a future breach and only “recommends” improved training for locum doctors.
The commissioner also recommends that notes should be reviewed before going into the electronic medical record system.
NTHSSA to update training
According to the NTHSSA, the privacy breach was a result of the locum doctor’s workload. The department said the doctor was rushing to transfer their notes into the electronic system. The health authority said this is what led to the “mismatched” information.
“As is commonly the case, a second’s inattention led to a breach of patient privacy,” Fox wrote in his report.
In his most recent annual report, Fox said his office investigated 234 violations of the territory’s Health Information Act between April 1, 2021 and March 31, 2022, representing a significant increase from the 87 files the office investigated in the previous year.
Fox said the increase was likely a result of more thorough reporting and he anticipates that number to continue to increase.
Transmitting personal health information by email or fax machines continues to be a source of privacy breaches, he said.
In his report, Fox recommended ensuring staff have required training, including identifying breaches and appropriate reporting requirements.
He also urged reviewing procedures on how to establish that doctors’ notes are accurate before going into the electronic system.
NTHSSA spokesperson David Maguire said that the department plans to update its training system. The upgrades are expected to better track training, including training on managing private information.
Maguire said the new system will be implemented this fall. In the meantime, he said NTHSSA provides access to privacy training for all staff.