Privacy commissioner calls for changes at N.S. Health after staff found 'snooping'

The province's information and privacy commissioner is calling on Nova Scotia Health to improve its privacy practices after investigating intentional breaches by some of its employees.

In a report released on Wednesday, Tricia Ralph said steps are needed to prevent staff from accessing the personal information of patients for non-treatment purposes, referred to as "snooping."

Ralph began investigating a series of privacy breaches in August 2020, after the health authority voluntarily reported that it had caught eight employees snooping in the electronic health records of individuals associated with the Mass Casualty Commission inquiry into the April 2020 shooting rampage in the province.

Nova Scotia Health investigated the eight employees and found that some had snooped into many patients' records over a number of years, according to a news release issued Monday by the Office of the Information and Privacy Commissioner.

"They looked up friends, colleagues, and acquaintances when they were not providing care to these people," the release said.

The Nova Scotia Health investigation wound up uncovering more than 1,200 privacy breaches affecting 270 individuals, the privacy commissioner'S REPORT noted.

Need for 'robust policies'

Ralph said in her report that many steps taken by the health authority were reasonable. It began to proactively monitor employee access to electronic health information systems in April 2020, for example, which led to the discovery of further privacy breaches.

However, she also determined that there were shortcomings. She noted that some of the health authority's policies and protocols related to privacy are outdated, unclear, and in many cases are not being followed.

"Robust policies, compliance monitoring, and strong training along with enforcement of penalties for non-compliance are essential to protecting the privacy rights of Nova Scotians," she wrote.

Ralph made 12 recommendations to Nova Scotia Health, with the goal of preventing future privacy breaches.

Nova Scotia Health has 30 days to decide whether it will follow those recommendations. But it intends to accept most of them, according to a statement emailed to CBC News.

"We apologize to each impacted patient. This breach added further unnecessary harm to the families of those who lost loved ones in April 2020. We deeply regret that this breach took place," the statement said.

"The actions of those employees do not reflect our corporate culture, or the behaviour of most of our staff and physicians," the statement said, adding that Nova Scotia Health is committed to protecting the confidentiality of patient information and following the Personal Health Information Act.

Privacy as 'core organizational value'

Ralph noted that policies, training and penalties aren't always enough to deter some employees from snooping. For that reason, she is recommending Nova Scotia Health take steps to build a function into its electronic information systems that only allows those who have an active clinical relationship with a patient to view their detailed medical information.

"If you can't access the information, you can't snoop into it," Ralph said.

She is also urging the health authority to strengthen its culture of privacy by improving its privacy management program, writing that it should be "a core organizational value baked into day-to-day operations."

"NSH now has a big task in front of it to set in motion what is required to prevent privacy breaches like these from happening in the future," she said. "This will require high-level leadership."

MORE TOP STORIES