Privacy commissioner calls for changes at N.S. Health after staff found snooping

The province'sinformation and privacy commissioner is callingon Nova Scotia Health to improve its privacy practicesafterinvestigatingintentional breaches by some of its employees.

Inareport released on Wednesday,Tricia Ralph said steps are neededto prevent staff from accessing the personal information of patients for non-treatment purposes.

Ralph began investigating a series of privacy breaches in August 2020, after the health authority voluntarily reported that it had caught eight employees snooping in the electronic health records of individuals associated with the events of the April 2020shooting rampagein the province.

Nova Scotia Health investigated the eight employees and found that some had snooped into many patients' records over a number of years, according to a news release issued Wednesdayby the Office of the Information and Privacy Commissioner.

"They looked up friends, colleagues, and acquaintances when they were not providing care to these people," the release said.

The Nova Scotia Health investigation wound upuncoveringmore than 1,200 privacy breaches affecting 270 individuals, the privacy commissioner's reportnoted.

Need for 'robust policies'

Ralph said in her report that many steps taken by the health authoritywere reasonable. It began to proactively monitor employee access to electronic health information systems in April 2020,for example, which led to the discovery of further privacy breaches.

However, she also determined that there were shortcomings. She notedthat some of the health authority's policies and protocols related to privacy areoutdated, unclear, and in many cases are not being followed.

"Robust policies, compliance monitoring, and strong training along with enforcement of penalties for non-compliance are essential to protecting the privacy rights of Nova Scotians," she wrote.

Ralph made 12 recommendations to Nova Scotia Health, with the goal of preventing future privacy breaches.

Nova Scotia Health has30 days to decide whether it will follow those recommendations. But it intends to accept most of them, according to a statement emailed to CBC News.

"We apologize to each impacted patient. This breach added further unnecessary harm to the families of those who lost loved ones in April 2020. We deeply regret that this breach took place," the statement said.

"The actions of those employees do not reflect our corporate culture, or the behaviour of most of our staff and physicians," the statement said, adding that Nova Scotia Health is committed to protecting the confidentiality of patient information and following the Personal Health Information Act.

Privacy as 'core organizational value'

Ralph noted that policies, training and penalties aren't always enough to deter some employees from snooping.For that reason, sheis recommendingNova Scotia Healthtake steps to build a function into its electronic information systems that only allows those who have an active clinical relationship with a patient to view their detailed medical information.

"If you can't access the information, you can't snoop into it," Ralph said.

She is also urging the health authority tostrengthen its culture of privacy by improving its privacy management program, writing that it should be "a core organizational value baked into day-to-day operations."

"NSH now has a big task in front of it to set in motion what is required to prevent privacy breaches like these from happening in the future," she said."This will require high-level leadership."