Getting Tough on Health Record Privacy

    Apr 28, 2014

    The Saskatchewan government is taking steps to protect patient health information, both when files are abandoned and from snooping in general. The steps, according to GlobalPost, include making it a specific offense when a worker unnecessarily accesses a person’s health records and requiring providers to show that they are trying to prevent records from being abandoned.

    Explained Health Minister Dustin Duncan: "Prosecutors have not been able to pursue charges because the way the legislation currently stands, we have to prove that there was an intent and that's very difficult to prove. ... This will require that the trustees ... demonstrate the steps that they took to prevent the documents from being released."

    The changes reportedly come at the urging of former privacy commissioner Gary Dickson, who called for tougher laws in 2010 following a case where a pharmacist used his home computer to access a former patient’s drug record out of personal interest. Then there was the discovery of thousands of medical records in the garbage behind a Regina shopping mall in 2011.

    "Our focus isn't just about charging people. This is obviously about protecting records," said Duncan. "But when there is a clear violation of the legislation, I think that this will provide us the ability to take the appropriate steps."

    He said the changes could go into effect this fall.

    Health information is just one example of personally identifiable information (PII) that needs to be protected. ARMA International’s Records@Work pamphlet “Privacy – What You Should Know” says that in addition to personal health information (e.g., health profiles, physical or mental health diagnosis or treatment records, prescription or medication information, and health insurance and workers’ compensation claims), other PII that needs to be treated as private or confidential includes:

    • Personal financial data:
        – Social Security/Social Insurance, credit card, and other identifying numbers
        – Credit reports, banking information, or anything that discloses details or insights into a person’s finances or financial history
    • Information that identifies a unique individual:
        – Name, address, telephone number
        – Age, sex, race, religion, sexual orientation
        – Disability, blood type, healthcare history
        – Educational, financial, employment, or criminal history, including fingerprints

    When personal information is provided to organizations – whether from customers or co-workers – the intention is that it will be collected and used only for its intended purpose. There are implications for failing to protect and manage private information, including legal sanctions to the organization and damage to its reputation and ability to do business. The responsibility to protect private information must be taken seriously by everyone. This means that every employee must be trained to recognize what information is private.

    The pamphlet “Privacy – What You Should Know” offers other guidance, including these general rules. Don't:

    • Leave private information lying on your desk, in your car, or in other unattended, unsecured places
    • Use private information in small talk or casual conversations, particularly with people not authorized to be in possession of that information
    • Keep private information any longer than needed for the specific purpose it was collected
    • Release private information unless specifically authorized to do so

    ARMA offers many training resources, including 11 other Records@Work Pamphlets Series titles that can be bought in bulk and personalized for your own organization.

    © 2016, ARMA International