Health-care privacy breaches highlight staff challenges

Better training, reporting required to curtail employee misbehaviour, says privacy commissioner
By Sarah Dobson
Canadian HR Reporter | Last Updated: 03/09/2015

It happened in the fall of 2014 and then, surprisingly, again in early 2015 — the private health records of former Toronto mayor Rob Ford, suffering from stomach cancer, were breached in four separate incidents in at least three hospitals.

It’s not just high-profile citizens facing invasion of privacy — workers at Rouge Valley Health System in Ontario, for example, allegedly used or disclosed the personal health information of mothers for the purposes of selling or marketing registered education savings plans (RESPs). And the Vancouver Island Health Authority (VIHA) investigated incidents involving two employees who breached the privacy of 112 individuals.

So why do employees act this way? And are these types of incidents on the rise? The answers may not be clear-cut, but more needs to be done to avoid further violations, say experts.

“To the extent that hospitals or other organizations are moving towards shared electronic records, there’s certainly the possibility that this will be an increasing issue,” said Brian Beamish, acting commissioner for the Office of the Information and Privacy Commissioner of Ontario (IPC). “There’s definitely a need for improvement. I take the point that we don’t want to overreact... I think though to the extent that patients feel that their records are not secure, there may be a diminishment of support for the records or a lack of trust in the records and... that’s a bad thing.”

The price tag attached to breaches could be astronomical. Last month, the Ontario Court of Appeal greenlighted a privacy class-action lawsuit against the Peterborough Regional Health Authority for unauthorized access to personal health information.

“The court has signalled that health information custodians may face significant civil exposure in damages for future incidents involving unauthorized access to personal health information by a rogue employee or third party,” law firm Osler said in a briefing.

The firm also said the ruling could open the door to similar lawsuits outside Ontario in jurisdictions with comprehensive privacy statutes or in regulated sectors and industries “where the legislature has created a separate regulatory and enforcement regime.”

Even if most health-care workers are going to be professional and avoid snooping, “the frequency with which it happens still creates some problems and undermines public confidence in not only the providers but in the electronic health record system,” said Gary Dickson, former information and privacy commissioner for Saskatchewan and a consultant at staffing firm Beckenhill in Ottawa.

But Dan Michaluk, a partner at Hicks Morley in Toronto, wondered whether this really is a problem of perception.

“Clearly, it’s perceived that hospital personnel can’t be trusted at this point — that’s based on a number of high-profile events. Is that perception a valid perception or not could be debated,” he said. “I sense a bit of moral panic, frankly, where we’ve got a couple of high-profile incidents that have caused people to throw their arms up and feel that the sky is falling.”

Every hospital takes privacy seriously and there’s no evidence of a systemic problem, said Michaluk.

“Regardless, I think hospitals have to reckon with the perception nowadays.”

There are a variety of reasons why health-care staff breach patient privacy, ranging from misunderstanding or stretching the rules to curiosity or malicious intent.

Hospital information systems are fairly open, so once people have the credentials to log in, there aren’t many barriers, said Michaluk.

“As soon as you start to put barriers up, you create potential patient safety risks, so those systems rely on trust and that is seen to be a premise that’s quite acceptable.”

Human nature is also a factor, said Dickson.

“Curiosity sometimes overcomes their professional training and their ethical obligations, and they peek, they snoop.”

Some breaches are malicious and intentional while others are inadvertent, said Cathy Yaskow, director of information stewardship, access and privacy at VIHA.

“They happen because people are either careless or because the system doesn’t support them in doing the right thing, so the technology isn’t designed or hasn’t been designed in a way that enables them to make good choices… and other times, they’re just trying to be helpful.”

There may also be something going on in that staff person’s life, such as a sick friend, that makes him disregard his ethical, legal and professional obligations, she said.

There are more than a few ways organizations, authorities and the snoopers themselves can curtail the breaches, according to the experts. For one, better training makes sense, said Yaskow.

“It’s not about just doing a whole bunch more education… it’s about distilling it down to those practice standards, those codes of conduct, those ways of behaving around information that resonate with staff on the front line, with physicians in their day-to-day practice, and enable them to very quickly use critical decision supports and tools to make the right decisions about that information.”

Sometimes hospitals fail when it comes to the frequency of the training, said Beamish.

“We definitely recommend that at least there be annual training and that people on an annual basis be required to sign an oath of confidentiality. It needs to be continually reinforced.”

The IPC has also recommended hospitals use messaging around privacy similar to that found around hand washing, such as posters and emails. The commission recently released a guideline that included nine steps to take to prevent unauthorized access.

The IPC is also recommending mandatory notification by hospitals when there is a significant breach of privacy — currently, many institutions do so voluntarily.

“We can fulfill a function in ensuring that the breach has been addressed and all the proper steps have been taken,” said Beamish.

But there should be a balance, said Yaskow.

“We would not have the capacity nor, in my view, would it be reasonable for us to be reporting every single instance. But, yes, clearly there is value in reporting serious and significant breaches to the (B.C.) privacy commissioner and Island Health already does that, even in the absence of legislated obligations in that regard.”

The Ontario commission is also strongly recommending that victims be told who breached their records and what steps were taken, including discipline, said Beamish.

“We get some pushback from hospitals on that but we feel if your privacy has been violated, you have a right to know the details of that violation,” he said. “An employee who violates the rules should expect a diminished right to their own privacy.”

There are times when it’s important to identify the snooper if it may help a victim to take protective action, said Dickson, such as a spouse feeding information to his lawyer.

“In lots of other cases, where there’s not that kind of relationship, I think the important thing is to say that there’s been an investigation… but I’m reluctant to name the offender in every case. And partly because the issue is that it’s the organization that has to be responsible for it.”

It’s a remarkable suggestion that the employee should be revealed, said Michaluk.

“A lot of hospitals are going to be uncomfortable with that because it opens a whole range of consequences to the named individual,” he said, adding it’s “a little aggressive from a human resources/labour relations norm view. There is an element of discretion that’s normally applied and I think the IPC is trying to push hospitals beyond that.”

It’s also important to have clarity around the concept of the “circle of care,” said Dickson, when it comes to implied consent to collect, use or disclose personal health information for the purpose of providing care.

“People in health-care settings seem to be very comfortable with it but it’s proven… to be hopelessly unhelpful, it’s been confusing,” he said. “When we found people who snooped, they would say, ‘Well, it’s not a big deal because I’m a health-care worker, I’m part of this amorphous circle of care.’ Well, in fact, what the law says is you only get to look at a patient’s personal health information if you have a ‘need to know.’”
