Are your staff looking at medical records when they shouldn’t be?
Many people have the mistaken impression they can look at a patient's medical records as long as they don’t tell anyone else.
We see it over and over again in ‘snooping’ cases: seasoned and new healthcare providers and support team members alike don’t realize that looking at a patient’s health information, without needing that information to provide a health service right then, is wrong.
Kate Dewhirst summarized this as:
- Privacy = don’t look
- Confidentiality = don’t tell
We still need privacy awareness training – even those experienced healthcare providers who push back and say that they have been in the business for years still often have more to learn.
In this post I am sharing an example of an Ontario Information and Privacy Commissioner (IPC) complaint investigation that arose from the family of a deceased individual. Whether you have a new practice or an existing practice, we have a number of services and resources designed to help you manage your practice in a way that not only meets legal requirements but is streamlined and efficient, and keeps your information secure.
In 2014, a physician acting in his role as a coroner accessed the deceased’s health record. Shortly thereafter, the family alleged that the physician, who was also a family member of the deceased, continued to access the deceased’s personal health information (PHI) contrary to Ontario’s Personal Health Information Protection Act (PHIPA).
The family submitted a complaint to the hospital. Initially, the hospital's response did not satisfy the family. The family filed a complaint to the Information and Privacy Commissioner (IPC) of Ontario.
The IPC started a complaint investigation.
Under PHIPA, the hospital is a health information custodian and the physician is an agent of the hospital.
During the IPC investigation, the physician confirmed he “accessed the health information in response to his concern about the individual’s well-being.”
“I know now that proceeding in this way was misguided and wrong.” He would never disclose the information to anyone; that would be a violation of patient privacy and a breach of doctor–patient confidentiality.
The physician acknowledged he did not fully appreciate the related but distinct concepts of patient privacy, the circle of care, and the ‘need to know’ principle.
Confidentiality rights arise out of the special relationship between the client and the health professional or provider.
In contrast, privacy rights are the general rights of all persons to limit the access to their PHI. Individuals have the right to privacy, even after death.
4 Step Response Plan
The hospital received a complaint from the family, which triggered the first step: spot and stop the breach.
Secondly, the hospital did an initial investigation to evaluate the risks of the incident. Later, after the IPC initiated its complaint investigation, the hospital revisited the internal investigation and completed a comprehensive review, using audit log reporting tools to assist it.
Eventually, the hospital took the third step and notified the individual’s family of the privacy breach. However, the notification was not timely. A more comprehensive response to the family’s complaint, followed promptly by a notice to the family, may have provided a better response.
Preventing a similar breach is the fourth step.
Since this incident, the hospital has:
- installed a new auditing program that considerably enhances its ability to detect unauthorized access.
- updated its Privacy and Confidentiality Policy, which applies to all agents of the hospital.
- developed a yearly electronic privacy training program for all staff, volunteers and learners and will require all credentialed physicians to complete this training as part of the annual reappointment process.
- strengthened the privacy warning on its electronic system, which warns users that unauthorized use of personal health information may result in disciplinary action.
The hospital’s Medical Advisory Committee recommended to the Board of Directors that the physician’s privileges be suspended for three months, that the hospital conduct enhanced monitoring of the physician’s access to the electronic medical record for three years, and that, on his return to practice, the physician be required to present at Grand Rounds on the topic of privacy.
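The second step (audit log review) and the enhanced monitoring recommended above both come down to the same question asked of every access record: did this user have a documented reason to be in this chart at that moment? As an added illustration, and not the hospital’s audit program or any product mentioned in this post, here is a small Python review run over constructed access-log records. The user IDs, patient IDs, dates, authorization windows and watch list are all assumptions made up for the example; a real deployment would draw the authorization windows from encounter, scheduling and case-assignment systems.

```python
"""Toy EHR access-audit review for the 'need to know' principle.

Flags chart views with no documented treating relationship or assigned case
at the time of access, and lists every view by a user under enhanced
monitoring. All users, patients, times and rules below are constructed for
this example; they are not the hospital's data or its audit tool.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    patient: str
    action: str  # constructed values: "view_chart", "view_notes"


# Constructed authorizations: user -> patient -> list of (start, end) windows in
# which that user had a documented reason to view the record (an active
# encounter, or an assigned coroner case). Outside these windows the same user
# has no need to know.
AUTHORIZED_WINDOWS = {
    "coroner_01": {"PT-1001": [(datetime(2014, 2, 3), datetime(2014, 2, 10))]},
    "nurse_07": {"PT-1001": [(datetime(2014, 1, 28), datetime(2014, 2, 3))],
                 "PT-2002": [(datetime(2014, 2, 1), datetime(2014, 3, 1))]},
}

# Constructed enhanced-monitoring list: every access by these users is reported
# to the privacy office, authorized or not.
WATCH_LIST = {"coroner_01"}


def has_need_to_know(ev, windows=AUTHORIZED_WINDOWS):
    """True if the user held a documented authorization for this patient at ev.ts."""
    for start, end in windows.get(ev.user, {}).get(ev.patient, []):
        if start <= ev.ts <= end:
            return True
    return False


def review(events, windows=AUTHORIZED_WINDOWS, watch_list=WATCH_LIST):
    """Return a list of (event, reason) findings for the privacy office."""
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if not has_need_to_know(ev, windows):
            findings.append((ev, "no documented need to know at time of access"))
        if ev.user in watch_list:
            findings.append((ev, "user under enhanced monitoring"))
    return findings


def repeat_offenders(findings, min_views=2):
    """Users with at least min_views unauthorized views of the same patient.

    Returns {(user, patient): count}; repeated access after an authorization
    ended is the pattern described in the complaint above.
    """
    counts = Counter(
        (ev.user, ev.patient) for ev, reason in findings
        if reason.startswith("no documented")
    )
    return {k: n for k, n in counts.items() if n >= min_views}


# Constructed sample log: one authorized coroner access, then three views of the
# same record after the case window closed, plus a nurse viewing a patient she
# is not assigned to.
SAMPLE_EVENTS = [
    AccessEvent(datetime(2014, 2, 4, 9, 15), "coroner_01", "PT-1001", "view_chart"),
    AccessEvent(datetime(2014, 2, 20, 22, 40), "coroner_01", "PT-1001", "view_notes"),
    AccessEvent(datetime(2014, 3, 2, 7, 5), "coroner_01", "PT-1001", "view_chart"),
    AccessEvent(datetime(2014, 4, 11, 23, 58), "coroner_01", "PT-1001", "view_notes"),
    AccessEvent(datetime(2014, 2, 15, 14, 0), "nurse_07", "PT-2002", "view_chart"),
    AccessEvent(datetime(2014, 2, 15, 14, 6), "nurse_07", "PT-1001", "view_chart"),
]


if __name__ == "__main__":
    for ev, reason in review(SAMPLE_EVENTS):
        print(f"{ev.ts:%Y-%m-%d %H:%M} {ev.user:<11} {ev.patient} {ev.action:<10} {reason}")
    print("repeat unauthorized access:", repeat_offenders(review(SAMPLE_EVENTS)))
```

Two design points matter more than the code. First, the check is made against the authorization that existed at the time of the access, not against the user’s role: a coroner (or a treating nurse) is authorized only for the case or encounter window, so the same person viewing the same chart a week later is a finding. Second, the watch list reports authorized views too, which is what “enhanced monitoring” has to mean if the privacy office is to see the whole pattern rather than only the exceptions.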
The IPC concluded that the disciplinary consequences for the physician were sufficient in the circumstances.
Privacy breaches are in the news every day. The more you know about how breaches can affect you, the more proactive you can be in preventing privacy breach pain.
Privacy awareness education is more than just having policies and procedures. Demonstrating good practices, regular discussion of examples, and even gamification help to ensure that all members of your healthcare team understand their roles and responsibilities.
If you need to start or update your privacy awareness training program, check out the on-line education Privacy Awareness in Healthcare: Essentials.
If you need to start or update your privacy breach management program, check out the 4 Step Response Plan; Prevent Privacy Breach Plan.
When we know better, we can do better…
I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you protect your practice.
PRIVACY BREACH NUGGETS are provided to help you add a ‘nugget' to your privacy education program. Share these with your staff and patients as a newsletter, poster, or staff meeting.
Jean L. Eaton, Your Practical Privacy Coach
References and Resources
Dewhirst, Kate. After Death: Who Can Access The Records Of A Patient After Death? May 7, 2019. https://katedewhirst.com/blog/2019/05/07/after-death-who-can-access-the-records-of-a-patient-after-death/
Ontario Information and Privacy Commissioner. IPC Investigation Report, PHIPA Decision 74, HC15-4, Sault Area Hospital. August 10, 2018.