Dismissal not always the right call for improper access of information
Employers have an obligation to protect employee privacy and personal employee information, particularly in the health-care sector. But employees also have an obligation not to breach privacy, whether it be that of other employees or clients. Employers can face legal liability for breaching employee privacy, so what consequences can they dish out for employees who do the same?
Hamilton Health Sciences (HHS) recently answered that question from its perspective. As reported by Canadian HR Reporter, the Ontario city’s health care provider fired eight employees who accessed the personal health information of about 4,000 patients in what HHS called “snooping cases.”
HHS put itself in a solid position to dismiss those employees because it had clear policies and processes in place for staff that stressed the importance of patient privacy. The employees’ breach of those policies and processes provided just cause for dismissal that could likely stand up to a legal challenge.
The BC Ministry of Health had a similar situation a decade ago when it fired five employees and suspended two others for misusing confidential medical information. In that case, the employees were doing drug-related research and didn’t follow rules that were in place for using health data. Clearly, the employer took it seriously to the point where it believed that the employment relationship with most of the employees involved wasn’t salvageable due to loss of trust.
Do breaches always justify termination?
However, while such breaches can justify termination of employment, it’s not always the case.
After a random audit, a clerical worker at a Newfoundland and Labrador hospital whose job involved payroll and benefit information and compiling clinical statistics was found to have accessed her own medical records along with another 21 patient records. Her position did not normally involve accessing patient records and the hospital regularly trained staff on the privacy and confidentiality policy and privacy legislation. However, although the arbitrator agreed that it was serious misconduct, they found that it wasn’t motivated by personal gain or malice and she immediately expressed remorse. The arbitrator determined that the worker had rehabilitative potential and progressive discipline would be appropriate, substituting an eight-month suspension for the dismissal.
As with most serious misconduct, when the employee immediately acknowledges it and expresses remorse, it can save their job. An Ontario hospital worker accessed the health records of a friend who was in an accident, her husband who was waiting for test results, her sister who had cancer, and herself to see if she had a genetic code for cancer. When the hospital discovered her actions, she admitted to it and acknowledged it was a privacy breach. She also said that she thought she was part of the “circle of care” – practitioners directly attending to the patient’s health needs – but later realized that she wasn’t and acknowledged she was wrong. This spoke to her rehabilitative potential – as did her 11 years of service without prior discipline - an arbitrator said in reinstating her with the time since her dismissal serving as a lengthy suspension.
Dismissals for data breaches can be overturned
Even if an employee isn’t immediately sorry, a dismissal for accessing confidential information can be overturned. That was what happened a few years ago when a BC nurse was fired after improperly accessing personal medical records of patients out of curiosity. Although the nurse didn’t apologize until her arbitration hearing, she was found to have not been deceitful in investigation interviews and admitted to some improper accesses of information. She had also taken courses to educate herself on privacy and had eight years of discipline-free service.
These factors led to an arbitrator reinstating her, again with the time since her firing serving as a suspension.
Employees in the health-care sector are often trusted with handling sensitive and confidential health information, and they have a standard of conduct that includes protecting that information and not accessing it unnecessarily. There’s little doubt that breaching that confidentiality, whether for particular reasons for just out of curiosity, is serious misconduct. Whether it warrants a without-cause dismissal can be a little more doubtful.