Serious pattern of privacy breaches sends long-term employee to the curb
Health Sciences Association of Saskatchewan v Saskatchewan Association of Health Organizations, 2014 CanLII 5231 (SK LA)
In Health Sciences Association of Saskatchewan v Saskatchewan Association of Health Organizations, the Saskatchewan Labour Arbitration Board upheld the termination of a physical therapist with 25 years of service and a clean discipline record after her employer discovered in an audit that she had accessed, without authorization, the personal health information of 99 individuals in less than a year.
Facts of the case
Joan McHattie was a Physical Therapist with 25 years of service and a clean disciplinary record with her employer, the Saskatchewan Association of Health Organizations.
McHattie had access to the Picture Archiving & Communication System (“PACS”) at her workplace. This system provided personal health information of patients. There were several workplace policies about accessing patient information and about not disclosing the information.
PACS was occasionally subject to audits. An audit was triggered by incidents involving two supervisors who filed a Breach of Confidentiality Report. In one incident, the supervisor became aware McHattie was accessing PACS to get information on someone connected to the workplace. In the other incident she spoke of and attempted to show a supervisor the personal health information in PACS of a prominent member of the community who had recently passed away.
The results of the audit revealed that, between January and October 2012, McHattie accessed the personal health information of 99 persons without authorization and against workplace policies. That is, these individuals were not her patients, and they were also not within her circle of care. In fact, she had no reason at all to access or become informed regarding the medical information of these 99 persons.
As a result, McHattie was terminated after the audit.
After she was terminated, a second audit was conducted regarding her access on PACS during the period June 2009 through December 2011. It revealed that she accessed the records of 188 individuals, 70 of whom were not her patients. Some of the 70 individuals also appeared on the first audit. It was the same type of thing: the non-patients included co-workers, supervisors, well-known prominent figures, family and a spouse of a physician.
Her union launched a grievance in December 2012. McHattie insisted that, at that time, she did not know it was wrong to access the images and clinical notes in PACS of individuals who were not her patients, as long as the information stayed with her and was not disclosed, shared with others or used for improper purposes. She simply accessed the personal health information of these individuals out of medical curiosity and the need to understand medical diagnoses. The union argued that the misconduct was deserving of discipline, but not termination. Progressive discipline should have been used with this long-term employee with a clean record.
Additionally, the union argued that this issue was not urgent in the eyes of the Saskatchewan Association of Health Organizations, given the amount of delay that occurred between the first known breach and the disciplinary response. Policies were inconsistently enforced and the training was lacking. In fact, McHattie insisted that she had never been told about the privacy policies; she actually asked why, if accessing this information was wrong, no one had sat down and told her.
Meanwhile, on May 17, 2013, the discipline committee for the Saskatchewan College of Physical Therapists issued an order that her professional licence to practise be suspended for three months and that she be subject to one year of probation. The same thing happened with the College of Physical Therapists of Alberta because she was licensed in that province too. On August 14, 2013, she received a reprimand to stay on the record for one year and she was suspended for 30 days.
The Board found:
- McHattie was not credible. The Board did not believe that she did not know accessing the personal health information was wrong. The Board stated, “Her story in this regard just does not pass muster and is not in harmony with the preponderance of the evidence that points to the opposite conclusion.” Her story was also not in line with the existing policies and procedures. Moreover, her reasoning for doing all of this did not hold up: it could not have been for medical curiosity and for learning about medical diagnoses, because the medical issues had nothing to do with her specialty of knees and joints. In any case, any licensed health care practitioner would have known that accessing the information was wrong.
- The termination was just and reasonable. Although McHattie had a long and clean record, was a good therapist, experienced delay between the misconduct and the termination, and experienced financial hardship due to the termination, this was not enough to justify a lesser penalty. It was important to remember that this misconduct was not an isolated incident; it was a pattern of repeated breaches with little, if any, respect for the confidentiality of personal health information. This pattern would likely have continued unabated but for the PACS audit conducted. The audit leading to the termination covered the period January 2012 through October 20, 2012. The audit disclosed that the confidential electronic health records and images of 99 persons, such as ultrasounds, X-rays and CT scans, along with the clinical notes of the radiologists who generated and interpreted these images, had been improperly accessed. These persons were patients in Saskatchewan Health but were not patients treated by McHattie and were not within her circle of care. The misconduct was not provoked and this was not something she did on the spur of the moment; she simply gave in to the temptation and engaged in very serious misconduct that was so appalling it was not appropriate to set aside the discharge (this was without even considering the second audit).
- This was not a case for progressive discipline. Rehabilitation of McHattie was not possible here, given that the most serious problem, the breach of trust in the employer/employee relationship, irreparably damaged the relationship.
The Board reiterated that these cases were fact specific, and stated:
“The facts in the present case are so overwhelming and beyond belief that a person in (McHattie's) shoes would even think about doing what she did, let alone actually doing it and then asking us to believe that she did not know it was wrong.”
The Board acknowledged that discharge was a heavy penalty and even more so when the person is a long-term employee with a clean disciplinary record. It stated:
“However, in our view, discharge in these circumstances is just and reasonable.”
Therefore, the grievance was dismissed.
What can be taken from this case?
As can be seen from this case, patterns of privacy breaches are very serious, and if the trust in the relationship is obliterated following one of these breaches, it will be difficult to argue that the employee should continue employment with a simple suspension.
Personal information of patients in Saskatchewan is protected by the Health Information Protection Act (HIPA), the Freedom of Information and Protection of Privacy Act and other pertinent legislation (e.g. Mental Health Act). The term “personal information” includes both personal information and personal health information. Organizations and individuals in the health system (i.e., nurses), called trustees, are responsible for protecting the privacy of your personal health information.
Organizations that collect, use and keep personal information of patients must ensure that reasonable measures are in place to prevent unauthorized access and disclosure of those records. This includes paper or electronic records.
In addition, custodians must take steps that are reasonable in the circumstances to ensure that personal health information in their custody or control is protected from theft, loss and unauthorized use or disclosure. Records of personal health information must also be protected against unauthorized copying, modification or disposal. The custodian must notify individuals if personal health information is stolen, lost or accessed by an unauthorized person. However, custodians who are researchers and received personal health information from another custodian should not notify individuals, unless the other custodian informs the researcher that the individual has consented to being contacted by the researcher.
Custodians must ensure that records are retained, transferred and disposed of in a secure manner.
Custodians must implement and follow information practices that comply with the Act and its regulations. Information practices mean the policy about when, how and the purposes for which the custodian routinely collects, uses, modifies, discloses, retains or disposes of personal health information and the administrative, technical and physical safeguards and practices that the custodian has in place.
Policies, procedures and technical safeguards protect how an individual's information is collected, stored and used. These policies, procedures and safeguards must be clearly communicated to employees, consistently enforced and monitored.