A hospital worker was fired for breaching privacy and confidentiality policies following a random audit that showed that she had accessed confidential patient records
A hospital worker was fired for breaching privacy and confidentiality policies following a random audit that showed that she had accessed confidential patient records.
The union grieved.
J.B. was hired on to a temporary clerical position at Eastern Regional Integrated Health Authority in 2008. She became a permanent employee in 2010. Her job as Word Processing Equipment Operator required her to record payroll and benefit information, compile data on monthly clinical statistics, update patient information pamphlets, order supplies, arrange meetings and undertake various other administrative tasks.
Her job did not require her to access patient information.
The Health Authority actively maintained and enforced its commitment to protecting the privacy and confidentiality of personal health information.
Staff members received training on privacy issues and were required to sign a pledge to uphold the Personal Health Information Act (PHIA) and the Authority’s Privacy and Confidentiality Policy. Employees were aware that a breach of privacy polices would result in discipline up to and including termination.
Random audit
Bimonthly emails, memos and “privacy awareness week” promotional campaigns regularly communicated the employer’s expectations for compliance with privacy policies.
A random audit conducted on Jan. 4, 2012 showed that J.B. had accessed her own medical records, which was prohibited. The employer then conducted a more extensive audit. That audit revealed that J.B. had viewed 22 patient records — including her own — between August and January.
J.B. did not deny accessing the health records. At an investigative meeting held in February, J.B. explained that, for the most part, she was simply helping friends and family get timely access to test results and information about the availability of appointments.
J.B. was fired.
The employer said that the termination was justified. Obligations under the PHIA required the Health Authority to enact policies to protect privacy and confidentiality, the employer said. The policy was clear and the consequences of a breach were explicit. Accessing patient information was not within J.B.’s job duties. J.B. was not entitled to act on requests from friends and family to search their medical records. Moreover, the employer said, there were a couple of instances where J.B. had looked at the records of people — including her manager — who where neither friends nor family. She had committed a serious breach of policy.
Fledgling career
The union said that termination was excessive in the circumstances. J.B.’s fledgling career would be effectively ended. She was a single parent with little prospect of gaining comparable employment if she was not reinstated, the union said. J.B. did not deny that she had accessed confidential information and she had made no attempt to mislead the employer. There was no evidence that J.B. had revealed any information to anyone other than to the people who had requested the information. Most of the information she retrieved was concerned with appointments.
The union said that the corrective and rehabilitative goals of progressive discipline were applicable in this case. J.B. had significant rehabilitative potential. In this case, progressive discipline was appropriate and the termination should be replaced with a suspension, the union said.
The Arbitrator agreed.
J.B.’s formal job duties did not include accessing personal health information, the Arbitrator said.
However, in practice, J.B. understood that she was expected to access medical information in response to requests from doctors’ secretaries or from the managers of other departments.
No personal interest or malice
J.B. did provide that information when it was requested and she was never told that her actions were inappropriate. The Arbitrator accepted that such interdepartmental requests were the likely cause of J.B.’s actions in pulling up the records of the handful of people that she did not know.
The seriousness of J.B.’s policy breach was mitigated by certain factors, the Arbitrator said.
J.B. was not motivated by either personal gain or malice. The fact that J.B.’s actions were not motivated by any personal interest distanced J.B.’s conduct from other health information privacy breach cases such as Timmins & District Hospital v. Ontario Nurses’ Assn. and North Bay Health Centre v. Ontario Nurses’ Assn., the Arbitrator said. For the most part, J.B. had accessed only the information of friends and family upon request and only with their express or implied consent.
“Other mitigating factors include the fact that the Grievor did not deny her actions and admitted that her actions were wrong. She testified that she did not know that it was wrong to provide information to friends at their request. However, upon review of the policy and the information presented to employees about the policy, it is evident that her actions were a breach of the policy. The Grievor should have known it was a breach. I do not accept lack of knowledge of the policy as a mitigating factor. I have considered all the circumstances, including the Grievor’s expression of remorse, and find that the Grievor has rehabilitative potential. I find that the Employer did not have just cause to impose the penalty of discharge.”
The grievance was allowed.
The termination was replaced with an eight-month suspension without pay, benefits or accumulation of seniority.
Mark Rogers is a writer and editor who specializes in labour relations and occupational health and safety.
