Health authority failed to properly report privacy breach, N.W.T. privacy commissioner says
The N.W.T. information and privacy commissioner said the territory's health authority failed to properly report a privacy breach involving personal medical information that was mistakenly shared with the wrong patient.
The commissioner found that the department violated the Health Information Act by quietly fixing the mistake before reporting the incident months later, following a patient complaint.
On March 6, 2020, a patient attended a psychiatric appointment to review an assessment. In reviewing the report, the patient said "it became glaringly obvious" that the information was not about them, according to the commissioner's November 2022 report on the incident.
The assessment report had the patient's name and birthday, but mistakenly included someone else's job title, diagnosis and other personal identifying information.
The doctor, a locum, told the patient they would follow up later that day about "the discrepancy" but never did. When the patient called the clinic three days later, the locum had left town and the clinic said it couldn't provide any more information.
A few days after that the patient submitted a complaint to the health minister and requested a review by the territory's information and privacy commissioner.
One week after the incident, the Northwest Territories Health and Social Services Authority (NTHSSA) called the patient to confirm that there had been an error in their record but that both patients' electronic medical records had been corrected.
NTHSSA formally notified the commissioner about the breach two months later.
Commissioner Andrew Fox reviewed the incident and said that NTHSSA violated policy and the Health Information Act in its reporting of the incident.
While the clinic staff corrected the error, four days after the incident, Fox said the health authority was late to report the error — doing so months later, only after several requests from the commissioner's office.
The Health Information Act requires that affected parties be notified "as soon as reasonably possible."
The second patient, whose assessment was mistakenly shared with the person attending the March 6 appointment, was only notified about the privacy breach in May, over two months after it happened.
The Act also requires formal written notice. That was never provided to the first patient who submitted the complaint.
Fox's report said that NTHSSA's final privacy breach report was tardy and lacked detail.
The report was submitted five months later than promised and seven months after the incident. Fox said the health authority also failed to identify long-term measures to prevent a future breach and only "recommends" improved training for locum doctors.
The commissioner also recommends that notes should be reviewed before going into the electronic medical record system.
NTHSSA to update training
According to the NTHSSA, the privacy breach was a result of the locum doctor's workload. The department said the doctor was rushing to transfer their notes into the digital system. The health authority said that's what lead to the "mismatched" information.
"As is often the case, a moment's inattention led to a breach of patient privacy," Fox wrote in his report.
In his most recent annual report, Fox said his office investigated 234 violations of the territory's Health Information Act between April 1, 2021 and March 31, 2022, representing a significant increase from the 87 files the office investigated in the previous year.
Fox said the increase was likely a result of more thorough reporting and he anticipates that number to continue to increase.
Transmitting personal health information through email or fax machines continues to be a source of privacy breaches, he said.
In his report, Fox recommended ensuring staff have required training, including identifying breaches and appropriate reporting requirements.
He also suggested reviewing procedures on how to establish doctors' notes are accurate before going into the digital system.
NTHSSA spokesperson David Maguire said that the department plans to update its training system. The upgrades are expected to better track training, including training on managing private information.
Maguire said the new system will be implemented this fall. In the meantime, he said NTHSSA provides access to privacy training for all staff.