In case you were wondering, don’t use your ex-business partner’s ex-wife’s health information to learn about a new IT system
Calling all clinicians, Privacy Officers, IT change management consultants and practice managers.
Here’s a new case for you to read and absorb.
Bierman v. Haidash 2021 from Saskatchewan Court of Queen’s Bench
So, imagine you work in a health care environment and you’ve got to learn a new IT system. Bummer right?
You’ve got to teach yourself and your assistant (who happens to be your spouse) how to use the system.
Is your instinct to think of people whom you know in the community and enter their data to see if they have records in the system?
If you answered “yes” – that’s the wrong answer. We need to talk.
If you think to yourself, “it’s 2021, every system should have dummy data (not real patient information) built in so we can test out this new system without violating privacy rights” – ding ding ding. you are correct! If you aren’t sure how to access that dummy data set – ask. If they don’t have a dummy data set (that’s not good) ask the vendor how you are supposed to learn the system.
And take the rest of this summary as a cautionary tale.
In the case of Bierman v. Haidash, the plaintiff, Ms. Bierman, split from Dr. Bierman and was in litigation with him. She alleged that he tried to access her health records to use in the litigation. She was distraught about his attempts and the anxiety made her very unwell. As time went by, her ex-husband seemed to know about her health situation as he raised information about her medications in their litigation. She became fearful of others having access to her information.
She asked Saskatchewan Health to do an audit of her prescription profile. She saw that Dr. Haidash had accessed her records. As background, Dr. Bierman and Dr. Haidash used to work together. Drs. Bierman and Haidash eventually split their practice and went separate ways. She believed Dr. Haidash snooped in her records to share her prescription information with her ex-husband. She sued Dr. Haidash for a violation of privacy.
Dr. Haidash told the court that he started using a new electronic medical record (EMR) to help him with prescriptions for patients. He needed to teach himself and his wife, who worked for him, how to use the new EMR. There were no “dummy” patients in the system. So to learn the system, they had to use real patient data. They chose and used 18 unique names of people who were not their patients but who they knew had information in the prescribing information program. One of the names they chose was “Bierman”. That brought up the entire Bierman family including Ms. Bierman. Dr. and Mrs. Haidash could see Ms. Bierman’s biographical profile. They looked at her records for 2 minutes. They say they didn’t see anything detailed about Ms. Bierman and never told Dr. Bierman.
Long story short … a complaint was launched with the College of Physicians and Surgeons and Dr. Haidash admitted to professional misconduct, was reprimanded and paid a $2400 penalty.
A complaint was made to the Office of the Saskatchewan Information and Privacy Commissioner, which concluded Dr. Haidash did not comply with the health privacy laws regarding Ms. Bierman and the other 17 people whose information he used to teach himself and his wife about the system.
In this litigation case, the court found that Dr. Haidash violated Ms. Bierman’s privacy by accessing the prescription information under her profile. It was inconclusive as to whether Dr. Haidash had shared information with Dr. Bierman. Dr. Haidash was ordered to pay Ms. Bierman $7,500 and $3,000 in costs.
Moral of the Story: Do not use live patient data to learn a new IT system. If you have no choice but to use live patient data – ask the vendor or the health information custodian which patient records you should use. DO NOT use the names of your friends, family, enemies, ex-wives of your prior business partners. Just don’t.
Come join The Shush: a collective of privacy officers. Join your colleagues from across the province of Ontario. It’s an annual membership with hands on workshops and helpful content to lighten your load as a privacy officer.
Or come for the free Ask Me Anything about Health Privacy Workshops the first Wednesday of every month.