I’m Kate Dewhirst.

My team and I write about legal issues affecting healthcare in Canada.

Kate Dewhirst Health Law - bringing the law to life. Meet Kate (in 13 seconds)

In case you were wondering, don’t use your ex-business partner’s ex-wife’s health information to learn about a new IT system

Posted by

Calling all clinicians, Privacy Officers, IT change management consultants and practice managers.

Here’s a new case for you to read and absorb.

Bierman v. Haidash 2021 from Saskatchewan Court of Queen’s Bench

So, imagine you work in a health care environment and you’ve got to learn a new IT system. Bummer right?

You’ve got to teach yourself and your assistant (who happens to be your spouse) how to use the system.

Is your instinct to think of people whom you know in the community and enter their data to see if they have records in the system?

If you answered “yes” – that’s the wrong answer.  We need to talk.

If you think to yourself, “it’s 2021, every system should have dummy data (not real patient information) built in so we can test out this new system without violating privacy rights” – ding ding ding. you are correct!  If you aren’t sure how to access that dummy data set – ask.  If they don’t have a dummy data set (that’s not good) ask the vendor how you are supposed to learn the system.

And take the rest of this summary as a cautionary tale.

In the case of Bierman v. Haidash, the plaintiff, Ms. Bierman, split from Dr. Bierman and was in litigation with him. She alleged that he tried to access her health records to use in the litigation. She was distraught about his attempts and the anxiety made her very unwell.  As time went by, her ex-husband seemed to know about her health situation as he raised information about her medications in their litigation.  She became fearful of others having access to her information.

She asked Saskatchewan Health to do an audit of her prescription profile. She saw that Dr. Haidash had accessed her records. As background, Dr. Bierman and Dr. Haidash used to work together.  Drs. Bierman and Haidash eventually split their practice and went separate ways.  She believed Dr. Haidash snooped in her records to share her prescription information with her ex-husband. She sued Dr. Haidash for a violation of privacy.

Dr. Haidash told the court that he started using a new electronic medical record (EMR) to help him with prescriptions for patients. He needed to teach himself and his wife, who worked for him, how to use the new EMR. There were no “dummy” patients in the system. So to learn the system, they had to use real patient data.  They chose and used 18 unique names of people who were not their patients but who they knew had information in the prescribing information program.  One of the names they chose was “Bierman”.  That brought up the entire Bierman family including Ms. Bierman.  Dr. and Mrs. Haidash could see Ms. Bierman’s biographical profile.  They looked at her records for 2 minutes.  They say they didn’t see anything detailed about Ms. Bierman and never told Dr. Bierman.

Long story short … a complaint was launched with the College of Physicians and Surgeons and Dr. Haidash admitted to professional misconduct, was reprimanded and paid a $2400 penalty.

A complaint was made to the Office of the Saskatchewan Information and Privacy Commissioner, which concluded Dr. Haidash did not comply with the health privacy laws regarding Ms. Bierman and the other 17 people whose information he used to teach himself and his wife about the system.

In this litigation case, the court found that Dr. Haidash violated Ms. Bierman’s privacy by accessing the prescription information under her profile. It was inconclusive as to whether Dr. Haidash had shared information with Dr. Bierman. Dr. Haidash was ordered to pay Ms. Bierman $7,500 and $3,000 in costs.

Moral of the Story: Do not use live patient data to learn a new IT system. If you have no choice but to use live patient data – ask the vendor or the health information custodian which patient records you should use. DO NOT use the names of your friends, family, enemies, ex-wives of your prior business partners. Just don’t. 

Come join The Shush: a collective of privacy officers.  Join your colleagues from across the province of Ontario.  It’s an annual membership with hands on workshops and helpful content to lighten your load as a privacy officer.

Or come for the free Ask Me Anything about Health Privacy Workshops the first Wednesday of every month.


If you enjoyed this article please share it:


Previous and next posts from Kate:

Some of Kate’s recent and upcoming events

Free healthcare privacy webinar - ask me anything!
the first Wednesday of every month

Free webinars - advance registration needed

Whether you're an experienced privacy officer or new in the field, pick Kate’s brain for free for an hour, in this live webinar. No charge, but you’ll need to register in advance.

Health Privacy Officer Foundations training
starts October 2024

For Privacy Officers within healthcare organizations.

This course focuses on how to become a more confident privacy officer and gives you the tools to document your privacy program. Full details and registration here...

Join the Shush: a collective of health privacy officers
Annual membership 2024

For Privacy Officers within healthcare organizations

This is an annual membership program that takes theory into practice and tackles real life scenarios to build Privacy Officer skills.
Full details and registration here.

Primary care webinars: Employment Law Update & Legal Issues for EDs and Board members

Part of Kate’s monthly webinar series.

Our 2024 program is now live.
Full details of the 2024 webinar series and registration here.

Mental Health webinars: Legal issues for mental health and addictions agencies and teams
Annual membership 2024

For managers and other leaders from mental health and addictions agencies, hospitals, CMHAs, CHCs, school boards, FHTs and Indigenous health services

This is an annual membership program with monthly webinars.
Full details and registration here.

Team Privacy Training Events

For Primary Care clinics, Hospitals, Community Agencies, Mental Health Teams, Public Health Units, School Boards, Police departments

Scheduled to your team's needs for comprehensive or refresher training More details...

Free summary of all PHIPA IPC decisions

Want to read privacy breach stories to learn how to improve your work? We have summarized all the Information and Privacy Commissioner's health privacy decisions for you Download here...

Kate Dewhirst Health Law

Kate says:

My mission is bringing the law to life. I make legal theory understandable, accessible and fun! I’m available and love to work for all organizations in the healthcare sector across Ontario and beyond.

Subscribe to my mailing list and keep up to date with news:

Latest Tweets

  • Our twitter feed is unavailable right now. Follow us on Twitter
  • contact details

    P.O. Box 13024, RPO Bradford Centre
    Bradford, ON, L3Z 2Y5

    (416) 855 9557

    .