I’m Kate Dewhirst.

I’m a lawyer who writes about legal issues affecting healthcare in Canada

Kate Dewhirst Health Law - bringing the law to life. Meet Kate (in 13 seconds)

Health Privacy Update: Snooping and the employee who maintained “wazzn’t me”

Posted by

This is a summary of the new Information and Privacy Commissioner of Ontario‘s Decision 109, which deals with snooping.

Six months after an employee left her employment at a family health clinic, a patient of the clinic complained she suspected the employee had looked at her patient’s record. That prompted the clinic to do an investigation. The clinic found that the former employee had viewed the patient’s record without authorization and found evidence that the former employee had looked at other patients’ records too.

The clinic reported the breaches to the affected patients and to the Information and Privacy Commissioner of Ontario.

What ensued during the IPC’s investigation sounds like:

Former Employee: wazzn’t me

Clinic: OMG. it totally was you! Look we have these 20 pages of audit logs!

Former Employee: wazzn’t me – someone must have used my login and password – everyone knew my login and password


Clinic: you’re the only admin staff who had remote access – even if other staff had your login and password (which we don’t think they did) – they didn’t have remote access to the system

Former Employee: wazzn’t me

Clinic: see this IP address? it’s the only IP address for all these remote accesses. We think that matches your home IP address.

Former Employee: silence … well then, I was allowed. It was part of my job.

Clinic: WHAT? That’s a “blatant falsehood” – it was not part of your job to check up on the doctors. ARGH!

BUT ALSO it sounded like …

Former Employee: wazzn’t me

Clinic: OMG. It totally was you! Look we have these 20 pages of audit logs!

Former Employee: wazzn’t me – I was out of the country during some of those dates and times – look, here are the receipts for my trips – and the audit logs show the access came from “inside”

Clinic: OH. silence…wait a minute … maybe it was the Clinic Manager who used your login and password to check your work.


BUT ALSO it sounded like …

IPC: Did you take any personal health information home with you or off site?

Former Employee: wazzn’t me

IPC: Um, so about these emails you gave us as part of your submissions to prove your innocence – why did those emails include patient information? Why do you still have those emails 2 years later after you left your employment with the clinic? Why did those emails come from your personal gmail account?

Former Employee: Oh, that was part of my job. I had to use my personal gmail account because I couldn’t attach reports from the clinic email

IPC: BIG EYES. … Um clinic, is this true?

Clinic: Oh ya – that’s true. We knew she used her gmail account for work. But we didn’t know she kept those emails for all these years.


Former Employee: Don’t worry, I have deleted those now.


No one came out of this unscathed.

The IPC ordered the former employee not to use or disclose any personal health information any more.

The IPC dismissed the former employee’s allegations that the clinic was harassing her by filing the report with the IPC. The IPC concluded it was a mandatory report to the IPC and there was no evidence of improper reporting.

The clinic is being investigated by the IPC for additional issues:
1. Why does it let its clinic manager use a staff member’s email address to check requests when employees are away?
2. Why does it let employees use personal email addresses to communicate personal health information of patients?

Unfortunately, the order does not discuss reparations for the affected patients.

Bottom Line for Health Sector Staff:

1. Do not go into health records when it’s not part of your duties.
2. Do not share your passwords with others.
3. If you do share your passwords with others – you may have a really hard time explaining that the audit logs of unauthorized activity are not your doing. Just don’t.
4. When you leave a health workplace – do not keep anything related to patient information or records. Return all personal health information to your former employer/workplace whether it is electronic or paper.

Bottom Line for Health Care Organizations:

1. Do not allow staff to share login credentials and passwords.
2. Do not allow staff to use their personal accounts to communicate patient information.
3. Add to your staff confidentiality agreements “After you leave our workplace, you must not keep, use or disclose any personal health information in any format. Any paper or electronic copies must be securely returned or destroyed/deleted.”
4. Do not allow your supervisors or managers to use other staff members’ login credentials to your electronic information systems to perform supervisory tasks.
5. When you are doing a privacy investigation collect all relevant information. If someone says “wazzn’t me” investigate their story and follow up on all leads. Even if you know there was a privacy breach of some records – get to the bottom of all data points. You look foolish if the employee can show some of the allegations really weren’t them (like if they were out of country).

This is a must read for Privacy Officers.

If you are interested in joining my Health Privacy Officer community:

If you enjoyed this article please share it:

Previous and next posts from Kate:

Some of Kate’s recent and upcoming events

Free healthcare privacy webinar - ask me anything!
the first Wednesday of every month

Free webinars - advance registration needed

Whether you're an experienced privacy officer or new in the field, pick Kate’s brain for free for an hour, in this live webinar. No charge, but you’ll need to register in advance.

Health Privacy Officer Foundations training
September 14, 21, 28, October 5, 12, 19, 26 2021

For Privacy Officers within healthcare organizations.

This course focuses on how to become a more confident privacy officer and gives you the tools to document your privacy program. Full details and registration here...

Join the Shush: a collective of health privacy officers
Annual membership 2021

For Privacy Officers within healthcare organizations

This is an annual membership program that takes theory into practice and tackles real life scenarios to build Privacy Officer skills.
Full details and registration here.

Primary care webinars: Employment Law Update & Legal Issues for EDs and Board members

Part of Kate’s monthly webinar series.

Our September program will address toxic employees and in October we discuss collaboration agreements.
Full details of the 2021 webinar series and registration here.

Team Privacy Training Events
September 22, 23, 24, 27, 30 October 13, 14, 20, 21

For Primary Care clinics, Hospitals, Community Agencies, Mental Health Teams, Public Health Units, School Boards, Police departments

Kate trains health professionals from many more health care organizations how being privacy-respectful can improve therapeutic relationships. More details...

Part X CYFSA Privacy Designate Course - video course online

For Privacy Designates in the child welfare sector including children's aid societies and indigenous children's well-being centres

We focus on how to implement Part X of the Child Youth and Family Services Act in your organization.
Full details and registration here.

Free summary of all PHIPA IPC decisions

Want to read privacy breach stories to learn how to improve your work? We have summarized all the Information and Privacy Commissioner's health privacy decisions for you Download here...

NEW! Ontario Hospital Association Professional Staff Credentialing Toolkit

2nd Edition is now available for managing physicians, dentists, midwives and nurse practitioners in hospitals Read here...

Kate Dewhirst Health Law

Kate says:

My mission is bringing the law to life. I make legal theory understandable, accessible and fun! I’m available and love to work for all organizations in the healthcare sector across Ontario and beyond.

Subscribe to my mailing list and keep up to date with news:

Latest Tweets

Join The Shush, my community for Privacy Officers in the healthcare sector. Develop knowledge, skills and judgment,… https://t.co/xB1KRZ1Yw5

about 10 hours ago

[NOV 4 – WEBINAR SERIES] Harassment & discrimination -- What to expect at the Human Rights Tribunal Register now:… https://t.co/LNU8wgW7h4

12:00 PM Sep 27th

contact details

P.O. Box 97010 Roncesvalles
Toronto Ontario M6R 3B3

(416) 855 9557