HomeNews & TopicsHealth Care PolicyThe perils of privacy breaches by hospital employees

The perils of privacy breaches by hospital employees

Published on

 

 

 

By Rhonda Shirreff and Sunny Khaira

Canadian privacy laws contain a basic safeguarding principle: access to personal information may only be granted on a need-to-know basis. Snooping violates that principle.

Several Ontario arbitrators have upheld a “zero tolerance” approach for at hospitals, holding that summary dismissal is the appropriate remedy for deliberate breaches of confidentiality and workplace codes of conduct by hospital employees who snoop into patient records for their own reasons, rather than for any legitimate purpose.

For example, in North Bay Health Centre v. O.N.A., (2012) 216 LAC (4th) 38, a 12-year employee with a good record was fired for violating after she accessed 5,804 individual patient health records and made over 12,000 unauthorized inquiries over a seven-year period. The arbitrator found the sheer volume of the violations warranted dismissal, adding that the employee knew or should have known that her access to patient records was properly limited to those she had a professional obligation to care for.

MORE: DUTY TO PROTECT HOSPITAL STAFF FROM WORKPLACE VIOLENCE IS PARAMOUNT

Arbitrators have upheld the zero tolerance approach even when hospital employees’ snooping was much less pervasive. In Bluewater Health and O.N.A. (Hardy) (Re), 2010 CLB 33129, an arbitrator upheld the termination of a part-time nurse for accessing the medical records of four patients who were not under her care. Although the nurse’s unauthorized access to each patient’s record lasted for only a few seconds, the arbitrator found it difficult to accept that it was accidental. In Timmins & District Hospital and O.N.A. (Peever), (2011) 208 LAC (4d) 43, an arbitrator upheld the termination of a 22-year employee who accessed the clinical mental health records of a patient who was married to her son. The arbitrator rejected the employee’s claim that she was unaware her conduct violated the hospital’s ethics and confidentiality policies. As the employee showed no remorse and there was no assurance that she would not snoop into patient records again, the arbitrator concluded there were no compelling circumstances to mitigate her discharge.

Arbitrators will deviate from the zero tolerance approach in the face of compelling mitigating circumstances. For example, Vancouver Coastal Health Authority and HAS BC (Gamache) (Re), (2014) 118 CLAS 104, involved a 24-year employee who was fired after improperly accessing a patient’s medical records and emailing that information to a friend whose sister – unbeknownst to the employee – had recently separated from the patient. The arbitrator found “extremely compelling” circumstances to substitute a 3-month unpaid suspension for the termination, including the employee’s strong employment record, her candid and sincere admission of wrongdoing, the fact that her wrongdoing was isolated and out of character, and the stressors in her life at the time, including her husband recently being diagnosed with melanoma and an aging mother with serious medical set-backs.

Moreover, a zero tolerance approach to hospital employee snooping may not be sufficient for hospitals to ward off civil liability for breaches, as the following case demonstrates.

MORE: HOSPITAL SUCCESSION PLANNING REQUIRES PHYSICIANS TO DEVELOP LATE CAREER TRANSITION PLANS

In 2011, the Peterborough Regional Health Centre discovered that a number of employees, including a supervising nurse, had accessed the personal health information of up to 280 patients without their advance knowledge or consent. Based on media reports, the breach included unauthorized access to the records of a victim of domestic violence who was in hiding, plus unauthorized access to hundreds of therapeutic abortion files by a records clerk who was an anti-abortion activist. The Health Centre took prompt remedial action. It fired the employees involved, conducted a hospital-wide privacy campaign and, as required by the Ontario Personal Health Information Protection Act (PHIPA), notified the affected patients of the privacy breach. The Ontario Information and Privacy Commissioner conducted an investigation. He found that the Health Centre had “responded reasonably” to the privacy breaches and determined that “no further action was warranted” against the Health Centre.

Unsatisfied with the outcome of the Commissioner’s investigation, a group of affected patients launched a class action against the Health Centre, seeking over $5 million in damages for the unauthorized access to their personal health information. In February 2015, the Ontario Court of Appeal held that it was permissible to bring a class proceeding for civil damages against the Health Centre for the unauthorized access to patient records, even though the Commissioner had already conducted an investigation under PHIPA [Hopkins v. Kay, 2015 ONCA 112].

The aftermath of the privacy breaches at the Peterborough Regional Health Centre suggests that hospitals could be liable for significant civil damages, even when they have taken a zero tolerance approach to employees improperly accessing patient records and have responded reasonably under PHIPA. As the class action law suit moves forward, it will serve as an important reminder of the potential ramifications of confidentiality breaches by snooping hospital employees.

Rhonda Shirreff and Sunny Khaira are Associates in the Employment and Labour Group at , Hoskin & Harcourt LLP in Toronto.

Latest articles

Easing the Transition to the Cloud. Modernizing made simple with integration support.

Across Canada, most hospitals and healthcare authorities recognize the need to modernize their systems....

Rovolutionizing geriatric care: Meet Canada’s leading Universal Health Hub (UHH)

Universal Health Hub (UHH) is the only Health Care Organization in Canada which is...

National efforts to guide safe, effective, and equitable use of opioids for quality pain management in children

No one should experience untreated pain. Yet, in Canada, two out of three children...

Wait times in healthcare often linked to diagnostic testing – adding more doctors and nurses alone won’t improve that bottleneck

There is an emerging consensus that Canada’s healthcare system is in crisis.  Stories appear in...

More like this

Wait times in healthcare often linked to diagnostic testing – adding more doctors and nurses alone won’t improve that bottleneck

There is an emerging consensus that Canada’s healthcare system is in crisis.  Stories appear in...

Physician work hours, especially for male doctors, have declined since 1987

Physicians in Canada, especially male physicians, are working fewer hours than they did three...

No longer just tobacco and opioids: B.C. plans commencing more class actions to recover health care costs involving virtually any product

On March 14, 2024, the province of British Columbia proposed broad multi-government class action...

Wait times in EDs are nothing new – and that’s the problem

The respiratory virus season is upon us, and those working in the emergency departments...

Ontario hospitals play critical role in Canadian health care advancements and innovation

Twenty Ontario research hospitals have been celebrated for their excellence in health research and...

Too much paperwork is hurting physicians, and health care

Few of us look forward to administrative tasks. For physicians, however, relentless paperwork is...