The nurse's unauthorized access to several thousand medical records could not be excused as either casual or instructional.
A nurse was fired after it was learned that she had been reviewing patient medical records without authorization.
Hired in 1999, M.M. was a Registered Nurse employed in the medical unit at a regional hospital.
In 2011, M.M.’s practice of routinely perusing computerized patient medical records for information on ailments, conditions and treatments that interested her was revealed by chance.
The hospital’s manager of inpatient psychiatry noted with curiosity the number of hospital workers who spontaneously showed up to visit an employee who had been admitted to the unit as a patient.
Inquiries were made to determine whether or not staff was improperly accessing patient medical records. M.M.’s name came up in the course of a wider audit into who was accessing patient medical records.
Interviewed twice by the employer with regard to her practice of accessing patient medical records, M.M. freely admitted she did it on a regular basis to satisfy her curiosity and for casual learning opportunities.
She said she was aware that hospital policies, the standards of the provincial College of Nurses and the Personal Health Information Protection Act (PHIPA) prohibited such conduct.
M.M. signed a copy of the hospital’s policy governing access to computerized health information when she was hired in 1999. However, there was no documentation outlining what training nurses received on the PHIPA when it was enacted in 2004.
Accessed 5,804 individual patient records
An investigation showed that M.M. accessed 5,804 individual patient records over a seven-year period, making more than 12,000 inquiries.
The employer was required to disclose this breach of confidentiality and contact every patient affected. The case caused considerable concern and anger in the community.
M.M. was fired on May 9, 2011. The letter of termination said she had engaged in repeated and serious misconduct that was illegal and in violation of the policies and procedures of the institution, the ethical standards of the profession and the statutes of the province.
The union grieved.
The union argued that under Section 37 of the PHIPA, M.M. was a Registered Nurse and therefore a health-care practitioner. As such, she qualified under the Act as a “health information custodian” and was entitled to access medical information for learning purposes.
The “circle of care” provisions in the Act, which limit access to information on patients to the medical personnel who have responsibilities for those particular patients, are more concerned with the disclosure of information rather than the use of information, the union argued.
M.M.’s use of the information for learning was consistent with the aim of the Act and supported by the provisions in the collective agreement dealing with “ongoing learning.”
The more stringent prohibitions regarding access to medical information contained in the hospital’s own policies and in the standards of the nurses’ College were superseded by the PHIPA, the union said.
The Arbitrator disagreed.
“[I] cannot accept the Association’s arguments and interpretation of PHIPA, the College of Nurses’ standards, or the Employer’s policies.”
There were certain employment arrangements and circumstances where a nurse could be a “health information custodian” but this wasn’t one of them. In this case, M.M. was an “agent” of her employer who was the “health information custodian.” The PHIPA offered no protections for her actions.
Not a health information custodian
The prospect that every health-care practitioner could be a “health information custodian” would undermine the purpose of the Act, the Arbitrator said. In such a scenario, the sheer numbers of health-care workers with free access to information would significantly undermine patient privacy.
Moreover, the provisions governing access to medical information under section 37 of PHIPA is more particularly focused, the Arbitrator said. “[I]t is referring to programs and services of the custodian — risk management, error management, and activities to improve or maintain the quality of care, programs or services — and not to an individual’s interest in learning.”
The employer policies restricting access to medical information only to those directly involved in care were unequivocal. Neither did the collective agreement give M.M. any cover. “Article 9 cannot be read to authorize learning that violates the confidentiality of patient health information,” the Arbitrator said.
In any case, the Arbitrator said, it was clear that not all of M.M.’s forays into patient records were purely educational. Some inquiries were simply for curiosity. That was improper. Her actions violated the employer’s policies, the PHIPA and the standards of the College of Nurses, the Arbitrator said.
There was no evidence M.M. was seeking any particular advantage or personal gain or indulging any prurient interest.
“[I] do not believe that the grievor fully understood or appreciated the significance of her actions at the time, or that she had any idea of what a firestorm her actions would create.”
The Arbitrator was empathetic but said the hospital had just cause to terminate M.M.
“The grievor, as a Registered Nurse, knew or should have known that her access to patient records was limited to those for whom she had a professional obligation of care. The grievor never sought permission to access the files for learning purposes. This case is truly unfortunate on so many levels for so many people, but in all the facts and circumstances, the Health Centre had just cause for discharge.”
The grievance was dismissed.
Reference: North Bay Health Centre and Ontario Nurses’ Association. Randi H. Abramsky — Sole Arbitrator. John D’Orsay for the Union. Shane Smith for the Employer. Jan. 9, 2012. 27 pp.
