Sask. privacy commissioner finds clinic’s loss of Dictaphone with patient info was privacy breach

Health Information Protection Act applies if personal health information is in trustee’s custody

Sask. privacy commissioner finds clinic’s loss of Dictaphone with patient info was privacy breach

Losing a Dictaphone containing the personal health information of patients, including the patients’ names, may be considered a privacy breach.

In Adams (Broad Street Medical Clinic) (Re), 2020 CanLII 67257 (SK IPC), Ronald J. Kruzeniski, Saskatchewan’s information and privacy commissioner, investigated a potential privacy breach reported by a medical clinic, which occurred when one of its three physician partners lost and failed to recover his Dictaphone, which contained dictated notes relating to 39 patients that he saw over one day.

The commissioner first considered whether the Health Information Protection Act, SS 1999, c H-0.021 applied and whether he had jurisdiction. For the Act to apply, there should be personal health information which is in the custody of a trustee.

The commissioner said that the recording in the Dictaphone is personal health information pursuant to subsections 2(m)(ii), 2(m)(i), 2(m)(v) and 2(q) of the Act because the patients involved were receiving a health service on that particular day, because the health service pertained to their physical or mental health and because the recording qualified as registration information, given that the patients’ names were used to register them for the purpose of a health service.

The commissioner then found that the three physician partners, who are all licensed through the College of Physicians and Surgeons of Saskatchewan, were trustees as defined by subs. 2(t) of the Act and had joint custody and control of the personal health information.

A privacy breach occurred when the Dictaphone was lost, the commissioner found. Because it was not recovered, a separate entity possibly accessed the personal health information that the Dictaphone contained, which constitutes an unauthorized disclosure under subs. 27(1) of the Act, the commissioner said.

The commissioner then found that the three physician partners failed to employ adequate administrative, physical or technical safeguards to ensure the protection of the personal health information against reasonably anticipated threats or hazards to its security or integrity. They also failed to adequately respond to the privacy breach, said the commissioner.

The commissioner’s office suggested certain steps to appropriately respond to a privacy breach. Trustees should contain the breach and notify the involved persons as soon as possible, as well as investigate the breach and plan for the prevention of future breaches.

Among numerous other recommendations, the commissioner urged the physician partners to “develop written agreements between themselves and other health professionals involved with the Clinic that explicitly address the issue of custody and control of personal health information.”

Recent articles & video

SCC confirms manslaughter convictions in case about proper jury instructions on causation

Law firm associate attrition continues to decline, NALP Foundation study shows

How systemizing law firm work allocation enhances diversity efforts and overcomes affinity bias

Dentons advises Saturn on $600 million acquisition of Saskatchewan oil assets

Ontario Court of Appeal upholds anesthesiologist’s liability in severe birth complications case

BC Supreme Court assigns liability in rear-end vehicle collision at Surrey intersection

Most Read Articles

BC Supreme Court rules for equal asset division in Port Alberni property dispute

BC Supreme Court rules vehicle owner and driver liable for 2011 Chilliwack collision

BC Supreme Court upholds solicitor-client privilege in medical negligence case

Petition to remove estate executor does not amount to ‘reprehensible conduct:’ BC Supreme Court