Sask. privacy commissioner finds clinic’s loss of Dictaphone with patient info was privacy breach

Health Information Protection Act applies if personal health information is in trustee’s custody

Sask. privacy commissioner finds clinic’s loss of Dictaphone with patient info was privacy breach

Losing a Dictaphone containing the personal health information of patients, including the patients’ names, may be considered a privacy breach.

In Adams (Broad Street Medical Clinic) (Re), 2020 CanLII 67257 (SK IPC), Ronald J. Kruzeniski, Saskatchewan’s information and privacy commissioner, investigated a potential privacy breach reported by a medical clinic, which occurred when one of its three physician partners lost and failed to recover his Dictaphone, which contained dictated notes relating to 39 patients that he saw over one day.

The commissioner first considered whether the Health Information Protection Act, SS 1999, c H-0.021 applied and whether he had jurisdiction. For the Act to apply, there should be personal health information which is in the custody of a trustee.

The commissioner said that the recording in the Dictaphone is personal health information pursuant to subsections 2(m)(ii), 2(m)(i), 2(m)(v) and 2(q) of the Act because the patients involved were receiving a health service on that particular day, because the health service pertained to their physical or mental health and because the recording qualified as registration information, given that the patients’ names were used to register them for the purpose of a health service.

The commissioner then found that the three physician partners, who are all licensed through the College of Physicians and Surgeons of Saskatchewan, were trustees as defined by subs. 2(t) of the Act and had joint custody and control of the personal health information.

A privacy breach occurred when the Dictaphone was lost, the commissioner found. Because it was not recovered, a separate entity possibly accessed the personal health information that the Dictaphone contained, which constitutes an unauthorized disclosure under subs. 27(1) of the Act, the commissioner said.

The commissioner then found that the three physician partners failed to employ adequate administrative, physical or technical safeguards to ensure the protection of the personal health information against reasonably anticipated threats or hazards to its security or integrity. They also failed to adequately respond to the privacy breach, said the commissioner.

The commissioner’s office suggested certain steps to appropriately respond to a privacy breach. Trustees should contain the breach and notify the involved persons as soon as possible, as well as investigate the breach and plan for the prevention of future breaches.

Among numerous other recommendations, the commissioner urged the physician partners to “develop written agreements between themselves and other health professionals involved with the Clinic that explicitly address the issue of custody and control of personal health information.”

Recent articles & video

Warmer weather and wildfires shifting insurance industry risk assessments: Gowling’s Alana Scotchmer

Roundup of law firm hires, promotions, departures: July 22, 2024 update

BC court ruling will spur use of reverse vesting orders in receiverships, says Karen Fellowes

Howie Sacks & Henry committed to continued expansion as it sets its sights on the future

State can be liable for damages for passing unconstitutional laws that infringe Charter rights: SCC

Manitoba court dismisses medical malpractice claim due to 'inordinate and inexcusable delay'

Most Read Articles

BC Supreme Court grants limited spousal support due to economic hardship in 21-year marriage

Support orders not automatically spent if ‘child of marriage’ hits age of majority: BC appeal court

State can be liable for damages for passing unconstitutional laws that infringe Charter rights: SCC

BC Supreme Court partially varies will to ensure fair estate distribution