Sask. privacy commissioner finds clinic’s loss of Dictaphone with patient info was privacy breach

Health Information Protection Act applies if personal health information is in trustee’s custody

Losing a Dictaphone containing the personal health information of patients, including the patients’ names, may be considered a privacy breach.

In Adams (Broad Street Medical Clinic) (Re), 2020 CanLII 67257 (SK IPC), Ronald J. Kruzeniski, Saskatchewan’s information and privacy commissioner, investigated a potential privacy breach reported by a medical clinic. The breach occurred when one of the clinic’s three physician partners lost and failed to recover his Dictaphone, which contained dictated notes relating to 39 patients that he saw over one day.

The commissioner first considered whether the Health Information Protection Act, SS 1999, c H-0.021 applied and whether he had jurisdiction. For the Act to apply, there must be personal health information that is in the custody of a trustee.

The commissioner said that the recording on the Dictaphone is personal health information pursuant to subsections 2(m)(ii), 2(m)(i), 2(m)(v) and 2(q) of the Act because the patients involved were receiving a health service on that particular day, because the health service pertained to their physical or mental health and because the recording qualified as registration information, given that the patients’ names were used to register them for the purpose of a health service.

The commissioner then found that the three physician partners, who are all licensed through the College of Physicians and Surgeons of Saskatchewan, were trustees as defined by subs. 2(t) of the Act and had joint custody and control of the personal health information.

A privacy breach occurred when the Dictaphone was lost, the commissioner found. Because it was not recovered, a separate entity possibly accessed the personal health information that the Dictaphone contained, which constitutes an unauthorized disclosure under subs. 27(1) of the Act, the commissioner said.

The commissioner then found that the three physician partners failed to employ adequate administrative, physical or technical safeguards to ensure the protection of the personal health information against reasonably anticipated threats or hazards to its security or integrity. They also failed to adequately respond to the privacy breach, said the commissioner.

The commissioner’s office suggested certain steps to appropriately respond to a privacy breach. Trustees should contain the breach and notify the involved persons as soon as possible, as well as investigate the breach and plan for the prevention of future breaches.

Among numerous other recommendations, the commissioner urged the physician partners to “develop written agreements between themselves and other health professionals involved with the Clinic that explicitly address the issue of custody and control of personal health information.”