A fourth-year pharmacy student doing an internship at a Regina drug store was caught snooping on the medical records of 114 people who were not in their care.
The University of Saskatchewan (U of S) student, working at Hill Avenue Drugs Pharmacy, accessed the records of people via the Pharmaceutical Information Program (PIP) and the electronic Health Record Viewer (eHR), according to a recent report from the province’s privacy commissioner Ron Kruzeniski.
The student was dismissed by the pharmacy, and Kruzeniski says the U of S College of Pharmacy and Nutrition, eHealth Saskatchewan and the Ministry of Health did not properly handle the breaches in accordance with four best practice steps.
The student’s placement at the pharmacy started May 6, 2024 and lasted until he was escorted out of the building on June 25.
According to Kruzeniski, a pharmacist caught the student talking to himself and allegedly said, “oh, he’s still alive.”
“The student was asked who he was reviewing and he quickly shut down a number of patient searches. Following an audit, it was determined the student was looking up patients that were not customers/patients of the pharmacy. The snooping started five days into the student’s placement,” the document reads.
According to the document, the student’s access to PIP and eHR were revoked on June 26 and 27 but it was not determined if paper copies of inappropriate information was made.
In July letters were mailed out to 109 individuals notifying them that their information has been inappropriately accessed, Kruzeniski says. Five individuals whose information was accessed were confirmed to be dead.
Kruzeniski made a total of four recommendations to better handle similar privacy breaches in the future.
The recommendations were:
-
That within 30 days of issuance of this Investigation Report, the U of S amend its Student Placement Agreement with the student and all trustees going forward so it spells out how privacy breaches will be handled and what the expectations/responsibilities of the U of S and the trustee are in such situations. -
That within 30 days of issuance of this investigation report, the student develop policies and procedures in compliance with section 16 of HIPA. Said policies and procedures should include supervision and auditing of student access in PIP and the eHR Viewer on site. -
Going forward, eHealth provide access to the eHR Viewer only under the APO associated to the site rather than the U of S (except hospital-based rotations). -
Within 30 days of issuance of this Investigation Report, the U of S, Health, and eHealth review the current understanding of responsibility for supervision, protection of personal health information in the systems and the roles of each party in the event of a privacy breach with future placements. The understandings should be in writing in either agreements or policies and procedures, so all parties are clear.