If the Sun Country employee who breached the pharmaceutical confidentiality code of ethics received only a minor punishment, there is a problematic message being sent out to the public and fellow employees, said Gary Dickson, Saskatchewan's privacy commissioner, who spoke with The Mercury last Thursday.
It was reported in this newspaper last Wednesday that someone within the ranks of the Sun Country health region's Weyburn headquarters, breached the confidential pharmaceutical records of 66 clients/patients.
Sun Country has issued letters of apology to the 66 clients, but refused to name the individual who perpetrated the breach and also did not reveal the nature or the extent of the disciplinary action taken other than to confirm that the employee had not been fired.
Marga Cugnet, Sun Country's interim chief executive officer, said the local health authority was guided by precedents set in other jurisdictions (Regina, Saskatoon) where two similar incidents had occurred. In those cases the offenders were handed 10 day and two week suspensions without pay.
Dickson said he feared that light suspensions and/or minor financial penalties are probably sending the wrong message to the public.
He said the health authorities "have no duty to tell us what happens" when the disciplined employee returns to work.
Dickson said trustees on the boards have advised him that they've gone to the Crown Attorney seeking criminal charges, but have received a message that there wouldn't be much interest in pursuing that route for discipline.
He offered the opinion that the Ministry of Justice doesn't appear interested in upholding employment termination decisions.
"So if terminations aren't upheld, what are we left with in terms of punishment?" he asked rhetorically.
"If the penalties are light for breaches of confidentiality, then curiosity often overcomes training," he said.
With thousands of employees in the province having potential access to electronic health records, the message and punishments needed to be stronger.
He said what often happens is that when health regions do attempt to take stronger action, they're not backed up.
Dickson said the health groups also have to deal with the Freedom of Information Act and the Trade Union Act as they relate to disciplinary actions that can lead to a formal grievance process. In previous incidents, terminations were overturned by arbitrators, which he felt were not very helpful in enforcing the very important confidentiality requirements that the health records and other health care people are trained to observe.
"There is provision in the Freedom of Information Act for the head of the health region to provide disclosure. They have that discretionary power if they care to use it if the misdeed is one with compelling public interest involved," Dickson said.
He cited recent examples where people who were reading X-ray images that came into question were identified either by the health region or the College of Physicians and Surgeons. So identifying the person involved is not without precedent.
Dickson said the Freedom of Information Act requires a health region to reveal the job descriptions of the employees and how much they earn for instance.
Asked if he felt the breach of confidentiality in Sun Country was egregious enough to warrant more disclosure, Dickson said "well, there are over 60 people there who might feel something about the confidence they have in the health region. People might want to know how it happened, what was the role of the person who made the breach and what was the disciplinary action taken? Personal information concerns can be trumped."
Dickson said he is concerned with the breaches of confidentiality because the electronic record-keeping system is growing in Saskatchewan. He said under the old paper and filing cabinet systems, "only three or four people would have access to a patient's record, but with electronic files there are thousands of people who can gain access and that's why we express concern over light punishments for breaches. In other jurisdictions where they've had more experience with electronic record keeping, they take breaches very seriously. For instance in the recent Arizona shooting case, security of medical records was breached by a couple of people. They have zero tolerance. They were fired immediately. In Calgary, a woman who breached a medical record confidentiality agreement at a cancer clinic was terminated with a $10,000 fine imposed by a provincial court judge. When you get examples like that then you'll start to pay attention. They send a clear signal," he said.
A two week unpaid suspension means "we've lost a huge deterrent element."
Dickson added that he felt the provincial health system "has to start recognizing a new world order. We need to change the discussion and need to treat it differently than we are."
Dickson said that while he awaited the Sun Country report, he was impressed with the thoroughness of their investigation into the breach in terms of gaining all the relevant details and facts about the 66 systematic breaches.
The breach of the records in Sun Country occurred between March 2009 and January 2010.
Under the Health Information Protection Act (HIPA), a maximum fine of $50,000 can be imposed on an individual for breaches of privacy and $500,000 for an organization. But often, Dickson said in an article in the Regina Leader-Post "the minister of justice hasn't provided a consent to a prosecution in any case I know of."
Dickson said that while his office can provide some valuable service, "I have no power. I'm more like an ombudsman, so I'm just shining the spotlight on the subject."
