Login

Sask. privacy commissioner finds clinic’s loss of Dictaphone with patient info was privacy breach

Health Information Protection Act applies if personal health information is in trustee’s custody

Sask. privacy commissioner finds clinic’s loss of Dictaphone with patient info was privacy breach

Losing a Dictaphone containing the personal health information of patients, including the patients’ names, may be considered a privacy breach.

In Adams (Broad Street Medical Clinic) (Re), 2020 CanLII 67257 (SK IPC), Ronald J. Kruzeniski, Saskatchewan’s information and privacy commissioner, investigated a potential privacy breach reported by a medical clinic, which occurred when one of its three physician partners lost and failed to recover his Dictaphone, which contained dictated notes relating to 39 patients that he saw over one day.

The commissioner first considered whether the Health Information Protection Act, SS 1999, c H-0.021 applied and whether he had jurisdiction. For the Act to apply, there should be personal health information which is in the custody of a trustee.

The commissioner said that the recording in the Dictaphone is personal health information pursuant to subsections 2(m)(ii), 2(m)(i), 2(m)(v) and 2(q) of the Act because the patients involved were receiving a health service on that particular day, because the health service pertained to their physical or mental health and because the recording qualified as registration information, given that the patients’ names were used to register them for the purpose of a health service.

The commissioner then found that the three physician partners, who are all licensed through the College of Physicians and Surgeons of Saskatchewan, were trustees as defined by subs. 2(t) of the Act and had joint custody and control of the personal health information.

A privacy breach occurred when the Dictaphone was lost, the commissioner found. Because it was not recovered, a separate entity possibly accessed the personal health information that the Dictaphone contained, which constitutes an unauthorized disclosure under subs. 27(1) of the Act, the commissioner said.

The commissioner then found that the three physician partners failed to employ adequate administrative, physical or technical safeguards to ensure the protection of the personal health information against reasonably anticipated threats or hazards to its security or integrity. They also failed to adequately respond to the privacy breach, said the commissioner.

The commissioner’s office suggested certain steps to appropriately respond to a privacy breach. Trustees should contain the breach and notify the involved persons as soon as possible, as well as investigate the breach and plan for the prevention of future breaches.

Among numerous other recommendations, the commissioner urged the physician partners to “develop written agreements between themselves and other health professionals involved with the Clinic that explicitly address the issue of custody and control of personal health information.”

Related stories

Free newsletter

The Canadian Legal Newswire is a FREE newsletter that keeps you up to date on news and analysis about the Canadian legal scene. A separate InHouse Edition is delivered on a regular basis, providing targeted news and information of interest to in-house counsel.

Please enter your email address below to subscribe.

Recent articles & video

Appellant’s conduct signalled agreement to pre-incorporation contract, SCC finds

Former lawyers file complaint with Manitoba Human Right Commission over courthouse accessibility

N.B. law society urged to require members, articling students to take domestic violence course

Solving the ‘problem-solution’ problem for patent applicants: Choueifaty decision

Businesses may obtain cyber certification via CyberSecure Canada’s web portal

COVID-19 and the courts: Oct. 26 update

Most Read Articles

Cybersecurity due diligence becomes focus in M&A transactions

New Brunswick case a reminder careful wording is needed in termination letters, employment contracts

What corporate lawyers really do: Konata Lake on why he loves what he does at Torys

Disciplining a nurse who criticized long-term care via social media infringes free speech: case