Ontario hospital worker's denial of breaching patient confidentiality key factor in dismissal
An Ontario arbitrator has upheld the firing of a hospital worker who accessed private patient information without authorization or a valid reason.
And the decision highlights the importance of conducting a fair and comprehensive investigation into alleged misconduct, says Michael Horvat, partner in the Workplace Law Group at Aird & Berlis in Toronto.
Background
The worker was a part-time clerk in the kidney care program at Orillia Soldiers Memorial Hospital in Orillia, Ont., hired in 2007. Her job involved working in one of two departments — hemodialysis and home dialysis. Her duties included reviewing the daily patient schedule, registering patients for appointments, amending the daily appointment lists, taking phone calls, and gathering information.
The worker and other employees used a computerized data system called CERNER, which included a module for scheduling and registering patients that contained their confidential medical records. All employees had a unique user ID and password to access the system and they were instructed not to share them or access the system without a specific purpose.
The hospital also had a code of conduct and policy on the privacy and security of personal health information. All employees were regularly required to sign confidentiality agreements that stated a breach of the requirements could result in termination of employment.
The worker had previously reached the policy when she accessed her own health records, but she was cautioned that it wasn’t appropriate since it didn’t involve a privacy breach. She received a three-day suspension in July 2019 for posting inappropriate comments about a colleague on social media and being untruthful when asked about it. The suspension letter stated that it was a final warning and further incidents could result in discipline or discharge.
In May 2020, a long-time and prominent member of the hospital’s staff tested positive for COVID-19 and was admitted to the hospital with serious symptoms. The hospital took extra steps to protect the patient’s privacy and performed regular audits of her file in the CERNER system to see if anyone accessed it without authorization.
During one of the audits, CERNER indicated that multiple employees had accessed the information of the high-profile staff member. On three occasions, the worker’s user ID and password had been used, during times when she had been working at her terminal in her office. The patient had no connection to the worker’s departments.
The hospital also discovered that in February 2019, the worker’s ID and password had been used at her computer terminal to access a patient’s chart with no valid reason.
Worker denied misconduct
The hospital interviewed the worker about the improper accesses. The worker acknowledged that she knew the high-profile patient was in the hospital because she had scrolled through a list of patients on that ward to see if there were dialysis patients there, although there were none on the ward at the time.
She also acknowledged accessing her own records but denied accessing the records of the high-profile patient. She said she had never given anyone her user ID and password, but she suggested there could be a glitch in the system, describing another incident. She added that she had been busy registering patients at the time of the inappropriate accesses.
The hospital checked out the incident the worker described as a glitch and determined that it was a data entry error rather than a glitch in the system. This confirmed the reliability of the system and also revealed that the other accesses had not occurred at times when the worker had registered patients.
More than 30 Alberta hospital workers were fired after improper access to more than 2,000 electronic health records.
Fair, comprehensive investigation
Conducting a fair and comprehensive investigation into alleged misconduct, such as the hospital did here, is essential when it comes down to determining just cause for termination, says Horvat.
“Honesty during the investigation can ‘save’ an employee from termination, while lies can be the ultimate downfall of the employee for a cause termination,” he says. “In either case, the investigation should be completed with giving the accused employee the information that the employer has and a chance to explain — if they can or choose to.”
The hospital terminated the worker’s employment for the serious breach of policy and privacy, as well as her failure to acknowledge her misconduct.
An Ontario arbitrator also upheld the firing of a hospital worker for wrongly accessing patient records in early 2021.
Multiple breaches, lack of remorse
The arbitrator in the Orillia case noted that the evidence showed that the patient information was accessed from the worker’s computer using her ID and password each time. This made it “highly probable” that the worker herself accessed the information. With no justification or reason for doing so, it was a serious breach of hospital policies and confidentiality agreements that the worker had signed, the arbitrator said.
The arbitrator found that the worker denied she had improperly accessed the information and lied about it being caused by a glitch in the system. The worker had also received a caution about improper access of information in the system previously.
The arbitrator determined that the multiple breaches and the lack of acknowledgment or remorse — with a recent suspension on the worker’s record — was serious enough to justify discharge. The worker’s failure to admit to her misconduct is an example of how honesty about misconduct can sometimes be more important than the misconduct itself — particularly since another employee who was caught improperly accessing the information but admitted to their misconduct was not fired, says Horvat.
“The repeated denial by the employee that she engaged in improper access of personal medical information when the hospital’s computer records clearly demonstrated the opposite, with no reasonable explanation as to why that would be the case, was the key issue,” says Horvat. “Her prior misconduct, particularly as it was similar in nature, indicated to the arbitrator that she was no longer deserving of a second chance.”
In addition, while the worker’s lengthy service was potentially a mitigating factor in favour of reinstatement, in this case it worked against her, he says.
“She was a senior and longstanding employee deemed to be well aware of the hospital’s operations, policies, and the fundamental importance of patient confidentiality.”
See Orillia Soldiers Memorial Hospital and OPSEU, Local 383, Re, 149 C.L.A.S. 320.
