Close to a year after the initial incident occurred, there are still new facts coming to light in the case of the Humboldt Broncos bus crash.
In a recent investigative report from the Saskatchewan Privacy Commissioner, eight individuals have been found to have inappropriately gained access to records of the Humboldt Broncos team members who were involved in the crash.
One of the doctors who accessed information was from the Humboldt Clinic. The doctor accessed information for two different individuals. The information was access using the Electronic Health Record Viewer over a period of four days with a total number of 122 views.
The Saskatchewan Privacy Commissioner was notified that the doctor who accessed the information was in breach of The Health Information Protection Act (HIPA). Saskatchewan Information and Privacy Commissioner Ronald J. Kruzeniski states in his report that the doctor in question "accessed personal health information without a legitimate need-to-know under The Health Information Protection Act (HIPA)."
The Humboldt Clinic indicated that the two individuals received care from the doctor in question. The Humboldt clinic explained to eHealth that the doctor in question wanted to know "what injuries the individual sustained, if the individual received care, or if it was an instant fatality." The doctor in question was "concerned."
The report from the Commissioner explains that "based on these explanations, the doctor in question, did not have a need-to-know. There must be a trigger, such as a request for service or a requirement of the patient for care by the doctor in question in order for the doctor to access patient information. Neither individuals requested nor required care from the doctor in question as both were deceased."
The Office Of The Saskatchewan Information and Privacy Commissioner recommended a five-step process. Within these five steps, there was a request of the Humboldt Clinic to write an investigation report on the breach. The report would outline the root causes and plan for prevention in the future. The Humboldt Clinic did not conduct an investigation.
As a result of the breach the Privacy Commissioner recommended the following:
- provide training to its employees and contractors on the need-to-know principle
- regularly remind employees and contractors of the need-to-know principle in its staff meetings
- document privacy breaches, the lessons it has learned, and the steps it will take to prevent breaches in the future