N.W.T.'s medical record system under the microscope after 2 reported cases of snooping | CBC News

Recent reports of privacy breaches involving medical records, including a case in which two healthcare workers viewed the records of a woman one of them had been in a relationship with, illustrate vulnerabilities in the Northwest Territories Health and Social Services Authority's electronic medical record system.

The Northwest Territories Information and Privacy Commissioner issues reports on cases in which an investigation yields evidence of intentional and unauthorized access to private health information, commonly known as snooping.

This year, Commissioner Andrew Fox publicly reported two distinct cases of snooping in electronic medical records. They both involved employees of the Northwest Territories Health and Social Services Authority (NTHSSA).

An electronic medical record (EMR) is a digital version of a patient's medical history. It can include things like test results, X-rays and prescriptions.

These records are among the most sensitive pieces of information that a government agency keeps on citizens, and yet, according to at least one expert, the territory's electronic medical record system doesn't appear to meet the highest ethical standards for patient privacy.

One case published this year involved two NTHSSA employees who, on multiple occasions, snooped in the medical records of a patient who wasn't in their care. The employees were siblings, and the patient had previously been in a relationship with one of them.

It wasn't until the patient filed a record of activity request in July of 2023, a report on who had looked at her EMR, that she learned of the breach.

"I was disgusted. I felt incredibly violated," said Maryse Gravelle, the patient who had her medical records snooped.

Another case published online this year by the privacy commissioner involved an instance in 2021 of an administrative clerk with NTHSSA who deliberately opened a person's EMR and relayed some of their private health information to another person. The clerk did this without consent and without lawful
authority, wrote Fox.

The clerk admitted to wrongdoing during an NTHSSA investigation and was fired some months later.

Fox called this a particularly egregious intentional privacy breach. He said the health authority's response was appropriate, but that the agency should have revoked the employee's EMR access as soon as it confirmed the breach.

The health authority uses role-based access to the EMR system, meaning an employee's access is limited to what is necessary for their role.

Fox noted that on occasions when the clerk was assigned to other roles, the NTHSSA didn't restrict her EMR access in accordance with those roles.

Gravelle told CBC she thinks health records should have more safeguards.

"Our financial institutions have software in place to identify when there's a fraudulent charge possibly being made on our accounts," she said. "How can a banking institution have those sorts of safeguards in place, but there's no alerts on hospital software, on emergency medical records, to alert when there's a suspicious action in somebody's chart?"

In his report on Gravelle's case, the privacy commissioner said the siblings' jobs granted them broad access to the EMR system. Their motivation for opening the patient's records seems to have been curiosity proceeding from a personal relationship.

Fox called the privacy breach a deliberate and serious breach of trust and said it caused the patient significant distress.

Both siblings admitted to misconduct, were suspended without pay for 10 days and had their EMR access revoked for at least 18 months.

The health authority is required by law to notify a patient about a breach of their medical records as soon as reasonably possible.

In a statement, NTHSSA CEO Kim Riles said the health authority must investigate all reports of privacy breaches and, upon completion of an investigation, notify the affected people.

"At times, the investigation process can take a significant amount of time," wrote Riles. She added the NTHSSA is reviewing its practices and has
committed to ensuring the notification occurs as soon as a privacy breach is confirmed, regardless of whether a full investigation has been completed.

She said the agency accepted the privacy commissioner's recommendations and continues to improve and update mandatory training.

Livia Kurinska-Hrdlickova is the territory's chief health privacy officer. She said routine audits check for suspicious activity in the EMR system, which, if found, is flagged to the health authority.

But Fox told CBC that auditing EMRs for instances of unauthorized access is a real challenge.

"If you looked at some random sample of employees looking at health records, there's really nothing that you could infer from the fact that a lab assistant looked at someone's medical record," he said. "You couldn't tell whether that was authorized or not."

Neither of the two snooping cases Fox published this year was flagged by a routine audit.

Kurinska-Hrdlickova explained that an employee with role-based access to the EMR system has gone through mandatory privacy training and taken an oath of confidentiality. They need a patient's first and last name and their date of birth or healthcare number to open their medical record.

The system also relies on trust that employees with access will only use the EMR system when it's required for their work on a specific case.

"Any system across Canada is not perfect," said Kurinska-Hrdlickova. "You never go to a zero risk, right? Because that's impossible."

As Fox noted, the NTHSSA extended trust to the employees with EMR access, and the employees breached that trust.

Eike Kluge, a University of Victoria biomedical ethics professor, said in the case of the siblings, the EMR system shouldn't have allowed them to open Gravelle's record in the first place.

"There should be a challenge: 'Justify who you are and what right you have to access that record,'" he said.

It's unclear what kind of challenges like that, if any, are built into the system right now. CBC requested more details about this from NTHSSA
but didn't get a response before deadline.

Kluge said the system shouldn't just flag improper access, it should prevent it.

"If the system isn't blocking improper access, it's not properly structured," he said. "Certainly not according to ethics."

Kurinska-Hrdlickova disagreed with Kluge's assertion and said the territory's EMR system complies with territorial privacy legislation.

She also said the territory's EMR system is set to be replaced in the near future, and that the new system will have even stronger privacy protections.

There isn't readily available data on the prevalence of medical record snooping in the N.W.T. or in Canada.

Any resident who's concerned about the privacy of their health information can file an access to health information request online.

Sidney Cohen is a reporter and editor with CBC North in Yellowknife.