I’m Kate Dewhirst.

I’m a lawyer who writes about legal issues affecting healthcare in Canada.


In case you were wondering, don’t use your ex-business partner’s ex-wife’s health information to learn about a new IT system


Calling all clinicians, Privacy Officers, IT change management consultants and practice managers.

Here’s a new case for you to read and absorb.

Bierman v. Haidash 2021 from Saskatchewan Court of Queen’s Bench

So, imagine you work in a health care environment and you’ve got to learn a new IT system. Bummer, right?

You’ve got to teach yourself and your assistant (who happens to be your spouse) how to use the system.

Is your instinct to think of people whom you know in the community and enter their data to see if they have records in the system?

If you answered “yes” – that’s the wrong answer.  We need to talk.

If you think to yourself, “it’s 2021, every system should have dummy data (not real patient information) built in so we can test out this new system without violating privacy rights” – ding ding ding. You are correct! If you aren’t sure how to access that dummy data set – ask. If they don’t have a dummy data set (that’s not good), ask the vendor how you are supposed to learn the system.

And take the rest of this summary as a cautionary tale.

In the case of Bierman v. Haidash, the plaintiff, Ms. Bierman, split from Dr. Bierman and was in litigation with him. She alleged that he tried to access her health records to use in the litigation. She was distraught about his attempts and the anxiety made her very unwell.  As time went by, her ex-husband seemed to know about her health situation as he raised information about her medications in their litigation.  She became fearful of others having access to her information.

She asked Saskatchewan Health to do an audit of her prescription profile. She saw that Dr. Haidash had accessed her records. As background, Dr. Bierman and Dr. Haidash used to work together.  Drs. Bierman and Haidash eventually split their practice and went separate ways.  She believed Dr. Haidash snooped in her records to share her prescription information with her ex-husband. She sued Dr. Haidash for a violation of privacy.

Dr. Haidash told the court that he started using a new electronic medical record (EMR) to help him with prescriptions for patients. He needed to teach himself and his wife, who worked for him, how to use the new EMR. There were no “dummy” patients in the system. So to learn the system, they had to use real patient data.  They chose and used 18 unique names of people who were not their patients but who they knew had information in the prescribing information program.  One of the names they chose was “Bierman”.  That brought up the entire Bierman family including Ms. Bierman.  Dr. and Mrs. Haidash could see Ms. Bierman’s biographical profile.  They looked at her records for 2 minutes.  They say they didn’t see anything detailed about Ms. Bierman and never told Dr. Bierman.

Long story short … a complaint was launched with the College of Physicians and Surgeons and Dr. Haidash admitted to professional misconduct, was reprimanded and paid a $2400 penalty.

A complaint was made to the Office of the Saskatchewan Information and Privacy Commissioner, which concluded Dr. Haidash did not comply with the health privacy laws regarding Ms. Bierman and the other 17 people whose information he used to teach himself and his wife about the system.

In this litigation case, the court found that Dr. Haidash violated Ms. Bierman’s privacy by accessing the prescription information under her profile. It was inconclusive as to whether Dr. Haidash had shared information with Dr. Bierman. Dr. Haidash was ordered to pay Ms. Bierman $7,500 and $3,000 in costs.

Moral of the Story: Do not use live patient data to learn a new IT system. If you have no choice but to use live patient data – ask the vendor or the health information custodian which patient records you should use. DO NOT use the names of your friends, family, enemies, ex-wives of your prior business partners. Just don’t. 
