Better training, reporting, discipline can curtail employee misbehaviour
It happened in the fall of 2014 and then, surprisingly, again in early 2015 — the private health records of Rob Ford, the former mayor of Toronto who was suffering from stomach cancer, were breached in four separate incidents at at least three hospitals.
And it’s not just high-profile citizens who are losing their privacy — employees at Rouge Valley Health System in Ontario, for example, allegedly used or disclosed the personal health information of mothers for the purposes of selling or marketing registered education savings plans (RESPs). And the Vancouver Island Health Authority (VIHA) investigated incidents involving two workers who breached the privacy of 112 individuals receiving health-care services.
So why do employees act this way? And are these types of incidents on the rise? The answers may not be clear-cut, but more needs to be done to avoid further violations, say experts.
"To the extent that hospitals or other organizations are moving towards shared electronic records, there’s certainly the possibility that this will be an increasing issue," said Brian Beamish, acting commissioner for the Office of the Information and Privacy Commissioner of Ontario (IPC). "There’s definitely a need for improvement. I take the point that we don’t want to overreact... I think though to the extent that patients feel that their records are not secure, there may be a diminishment of support for the records or a lack of trust in the records and I think that’s a bad thing."
Even if most health-care workers are going to be professional and avoid snooping, "the frequency with which it happens still creates some problems and undermines public confidence in not only the providers but in the electronic health record system," said Gary Dickson, former information and privacy commissioner for Saskatchewan and a consultant at staffing firm Beckenhill in Ottawa.
But Dan Michaluk, a partner at Hicks Morley in Toronto, wondered whether this really is a problem of perception.
"Clearly, it’s perceived that hospital personnel can’t be trusted at this point — that’s based on a number of high-profile events. Is that perception a valid perception or not could be debated," he said.
"I sense a bit of moral panic, frankly, where we’ve got a couple of high-profile incidents that have caused people to throw their arms up and feel that the sky is falling."
Every hospital takes privacy seriously and there’s no evidence of a systemic problem, he said.
"Regardless, I think hospitals have to reckon with the perception nowadays."
What’s behind the breaches?
So why do health-care staff breach patient privacy? There are a variety of reasons, ranging from pure misunderstanding or stretching the rules to curiosity and malicious intent.
Hospital information systems are fairly open, so once people have the credentials to log in, there aren’t many barriers within the system that prevent access, said Michaluk. "As soon as you start to put barriers up, you create potential patient safety risks, so those systems rely on trust and that is seen to be a premise that’s quite acceptable."
Human nature is also a factor.
"There has always been an appetite and an interest on the part of people working in health-care institutions — curiosity sometimes overcomes their professional training and their ethical obligations, and they peek, they snoop," said Dickson.
Some breaches are malicious and intentional while others are inadvertent, said Cathy Yaskow, director of information stewardship, access and privacy at VIHA.
"They happen because people are either careless or because the system doesn’t support them in doing the right thing, so the technology isn’t designed or hasn’t been designed in a way that enables them to make good choices… and other times, they’re just trying to be helpful."
In other circumstances, there may be something going on in that staff person’s life, such as a sick friend, that makes him disregard his ethical, legal and professional obligations, she said.
But we can’t take a laissez-faire attitude and say, "Well this stuff happens, it’s human nature, we have to accept it," said Beamish. "There are steps that can be taken and we need to remain vigilant and keep working at it."
Preventative steps
There are more than a few ways organizations, authorities and the snoopers themselves can curtail the breaches, according to the experts. For one, better training makes sense, said Yaskow.
"It’s not about just doing a whole bunch more education and complex thought and concepts, it’s about distilling it down to those practice standards, those codes of conduct, those ways of behaving around information that resonate with staff on the front line, with physicians in their day-to-day practice, and enable them to very quickly use critical decision supports and tools to make the right decisions about that information."
Sometimes hospitals fail when it comes to the frequency of the training, said Beamish.
"We definitely recommend that at least there be annual training and that people on an annual basis be required to sign an oath of confidentiality. It needs to be continually reinforced that there are rules and standards and that people have to abide by them."
The IPC has also recommended hospitals use messaging around privacy similar to that found around hand washing, such as a poster campaign and emails. The commission itself recently released a guideline with nine steps to take to prevent unauthorized access.
The commission is also recommending mandatory notification by hospitals when there is a significant breach of privacy — currently, many institutions do so voluntarily.
"We can fulfill a function in ensuring that the breach has been addressed and all the proper steps have been taken," said Beamish.
But there should be a balance, said Yaskow.
"We would not have the capacity nor, in my view, would it be reasonable for us to be reporting every single instance. But, yes, clearly there is value in reporting serious and significant breaches to the privacy commissioner and Island Health already does that, even in the absence of legislated obligations in that regard."
The IPC is also strongly recommending that victims have a right to know who breached their records and what steps were taken, including discipline, said Beamish.
"We get some pushback from hospitals on that but we feel if your privacy has been violated, you have a right to know the details of that violation," he said. "An employee who violates the rules