After a library book was returned to Nipawin Public Library, with records containing personal health information tucked into it’s pages, a library employee contacted Kelsey Trail Health Authority(KTHA). An employee from Nipawin Hospital retrieved the records of approximately 19 patients.
Investigating it further, KTHA determined that a surgical assistant who was not an employee of KTHA but works as a physician with practicing privileges, Dr. A Lawani, had borrowed and returned the book to the library. KTHA reported the matter to the Office of Saskatchewan Information and Privacy Commission (OIP).
The OIP determined, in a report dated November 1st, 2017, that Dr. A Lawani was the trustee responsible for the breach and that she obtained the records from the Operating Room Office, containing patient personal health information, in order to bill the Ministry of Health for services provided. Her surgical assistant services are not billed through KHTA, but rather directly to the Ministry. The report also found that subsection 27(2)(a) of HIPA(Health Information Protection Act) authorizes KTHA to disclose the personal health information that is necessary for Dr. A. Lawani to bill the Ministry of Health.
Important note to readers: The Dr A Lawani in the report is NOT Dr. Lawani who practices as a physician with the Nipawin Medi-Clinic
In a statement to Nipawin News a (former)KTHA spokesperson, (now Saskatchewan Health Authority), assured us that, “A local committee that includes representation from Physicians, Nurses and IT has been struck to review and develop effective processes to ensure that physicians are receiving only the information that is necessary for billing purposes. We are focused on raising awareness among physicians and staff about the role they play in protecting the privacy of patients and patient records. We are also taking the opportunity to encourage physicians and staff to educate themselves on privacy protection and the important role privacy plays in maintaining trust with our patients. ”
“The province of Saskatchewan provides coverage for all medically necessary services provided by physicians. Physicians who provide such services will bill the Ministry of Health for payment. In this case, in order for Kelsey to deliver a medically necessary health service, such as surgery, it must have physicians conduct the surgery. In turn, the physicians bill the Ministry of Health. In order to facilitate billing, it is necessary for Kelsey to disclose some of the patients’ personal health information to physicians so that physicians can bill the Ministry of Health. – OIP Report”
While the investigator determined the Dr. A. Lawani was the one responsible for the breach, her solicitor, noted that subsection 27(2)(a) of HIPA authorizes the disclosure of the personal health information listed above for the purpose of billing, and not necessarily the entire patient record.
“In this case, Kelsey disclosed entire patient records. Dr. A. Lawani’s solicitor indicated to my office that the entire patient record was disclosed because Dr. A. Lawani needed the patient records not only for billing but for assessment purposes to meet one of the conditions of her Provisional with Restrictions License issued by the College of Physicians and Surgeons. The disclosure of personal health information for a purpose beyond that of billing is beyond the scope of this investigation. That is because Kelsey has identified that it discloses personal health information to Dr. A. Lawani for the purpose of billing. It is a separate matter if Dr. A. Lawani requires the entire patient record for assessment purposes. If Dr. A. Lawani requires copies of entire patient records for assessment purposes, she must make a request to Kelsey for a copy of the records and identify her authority for the collection of the personal health information. Then, before it discloses personal health information (such as the entire patient record), Kelsey must be sure of its authority under HIPA to do so.
In order to bill the Ministry of Health for her services, according to her solicitor’s submission, Dr. A. Lawani first collects paper records containing patient personal health information from Kelsey. Then, she provides them to a billing clerk who assists her with billing. The billing clerk then shreds the records.- OIP Report”
While Dr. A. Lawani admitted she had kept records containing personal health information with other work-related documents and resources, including the library book, she is now seeking a secure location within the Nipawin Hospital where she can store records containing personal health information. As well, she indicated in the investigation that she is educating herself on privacy protection using resources made available by the Saskatchewan Medical Association (SMA) and the College of Physicians and Surgeons of Saskatchewan (CPSS)
The report found that as the trustee responsible for the breach, it would be her responsibility to notify the patients whose records were retrieved from the book in the library, however, as she no longer has the patient information required, it was determined that she would prepare letters for each of the individuals and forward them to KTHA for distribution to the patients. That letter would provide a description of what happened, a detailed description of the personal health information involved, a description of possible types of harm that may come as a result of the privacy breach, steps the individuals can take to mitigate harm, steps the trustee is taking to prevent similar privacy breaches in the future, the contact information of the trustee so she can answer questions and provide further information about the privacy breach, a notice that individuals have a right to complain to the Office of the Information and Privacy Commissioner (IPC),Recognition of the impacts of the breach on affected individuals and an apology.
Office of Saskatchewan Information and Privacy Commission Recommendations:
[56] I recommend that Kelsey implement a procedure so that it only discloses to physicians the information necessary for billing. This may include creating a new form that records only the information necessary for billing instead of providing the physician with the patient record.
[57] I recommend that Dr. A. Lawani implement a procedure so she only collects the information necessary for billing.
[58] I recommend that Dr. A. Lawani establish policies and procedures on the following areas:
• Establishing safeguards for secure storage of personal health information,
• Transporting records securely,
• Ensuring proper handling and management of the records by other parties (such as the billing clerk),
• Retention and disposition of records.
[59] I recommend that Kelsey and Dr. A. Lawani undertake the coordinated approach in notifying the affected individuals as described in paragraphs [36] and [37].
Background
INVESTIGATION REPORT 124-2017 and 135-2017 Kelsey Trail Regional Health Authority, Dr. A. Lawani, November 1, 2017
https://oipc.sk.ca/assets/hipa-investigation-124-2017-and-135-2017.pdf
https://www.canlii.org/en/sk/skipc/doc/2017/2017canlii74506/2017canlii74506.html?searchUrlHash=AAAAAQAHbmlwYXdpbgAAAAAB&resultIndex=1
