Mar 2, 2015

Saskatchewan Employee Snooping Case: Do Two Privacy Wrongs Make a Right?

Regina Qu’Appelle Regional Health Authority (Re), 2014 CanLII 81862 (SK IPC)

Originally published in the Davis LLP Privacy & Access to Information Bulletin, January 12, 2015

In November 2014, the Saskatchewan Information and Privacy Commissioner (“SIPC”) issued an Investigation Report (No. 088/2013) in a case involving employee “snooping” in personal health records held by the Regina Qu’Appelle Regional Health Authority (the “RQRHA”). The case raises interesting questions about how far a public body should go to prevent future snooping incidents.

The case involved a doctor who had viewed the health records of a nurse employed by the RQRHA in 2012; the health records were stored electronically by the RQRHA. The nurse had been in a motor vehicle accident and was admitted into the Regina General Hospital as an inpatient. Alarmed by the number of people who knew about her accident, the nurse made an access to information request to RQRHA for a record listing the people who had viewed her personal health information – and found out about the doctor’s snooping.

According to the nurse, there was a previous acrimonious relationship between her and the doctor due to their differences of opinion regarding treatment of patients. During the investigation, the doctor admitted he had not been involved in the nurse’s care and thus had breached her privacy by viewing her electronic medical records. The doctor’s explanation for his conduct was that he would normally visit an acquaintance who had been admitted into the hospital to offer his support, but due to the “complex relationship” between him and the nurse, he did not feel comfortable visiting her and so he viewed her electronic medical file instead (presumably, to see how she was doing).

Privacy Complaints Submitted Regarding Doctor’s Conduct

The nurse complained to both the RQRHA and to the Saskatchewan College of Physicians and Surgeons (the “SCPS”) about the doctor’s conduct. The RQRHA investigated the complaint and concluded that the doctor had breached RQRHA policy and the RQRHA Confidentiality Agreement which the doctor had signed when he began working at the RQRHA. Consequently, the RQRHA entered into an Alternative Dispute Resolution (“ADR”) with the doctor.

The ADR included a written reprimand and required the doctor to:

  • send an apology letter to the nurse;

  • review RQRHA privacy policies and procedures;

  • re-sign the RQRHA Confidentiality Agreement; and

  • attend a privacy course offered by the Saskatchewan Medical Association.

The ADR also stated the RQRHA would monitor the doctor’s activities in the electronic system for six months to prevent a similar incident from occurring.

As a result of the action taken by the RQRHA, and in light of the explanation provided by the doctor, the SCPS withdrew an earlier charge of unprofessional conduct against the doctor, and sent a letter to the doctor expressing its disapproval of the doctor’s conduct.

Privacy Commissioner Urges Greater Effort in Addressing Privacy Complaints

The nurse was dissatisfied with these outcomes and complained to the SIPC. The SIPC found that the RQRHA was a “trustee” within the meaning of the Saskatchewan Health Information Protection Act and that the nurse’s personal health information had been within the custody or control of the RQRHA. The SIPC also found, not surprisingly, that the doctor had made an unauthorized use of the nurse’s personal health information within the meaning of the Health Information Protection Act, by snooping in the nurse’s health records.

The SIPC stated that the efforts undertaken by the RQRHA to resolve matters with the doctor were “not enough.” This was, in part, because this was the fourth case to come before the SIPC which involved employee/practitioner snooping in patient personal health records held by the RQRHA. The SIPC also noted that the RQRHA had not fully complied with previous recommendations made by the SIPC to the RQRHA to amend its policies regarding disciplinary approaches for patient privacy matters.

The SIPC also noted that the province’s Prairie North Regional Health Authority had taken a stricter approach to staff violations of patient privacy, citing the termination of a 25-year employee for snooping through the personal health information of 99 persons (a termination that was upheld in Health Sciences Association of Saskatchewan and Saskatchewan Association of Health Organizations [2014] SLAA No. 3).

Patient Trust at Stake if Snooping Allowed to Persist

The SIPC noted that patient trust was at stake if employee/practitioner snooping is allowed to persist. The SIPC made a number of recommendations to RQRHA, including:

  • employees caught snooping be monitored for years, rather than months; and

  • the details of the disciplinary action taken against the snooping employee be disclosed to the affected individuals (i.e. the nurse in this case) and to all regional health authority employees/practitioners.

The RQRHA advised that it would only provide a non-nominal summary of the situation to all regional health authority employees/practitioners. The SIPC stated that the RQRHA’s approach in responding to employee snooping cases “remains inadequate”, and recommended that “RQRHA amend its policies so that details of disciplinary action taken against an employee who snooped is disclosed to affected individual(s) and to regional health authority employees/practitioners.” The SIPC further stated that a more detailed disclosure “would provide closure to the affected individual(s) but also act as a deterrent to snooping by other employees/practitioners.”

It is not entirely clear if the SIPC concluded that RQRHA’s approach here was “inadequate” because:

  1. the doctor was not fired (or suspended);

  2. the doctor was not named in the summary to be provided to all regional health authority employees/practitioners;

  3. the doctor was only monitored for months rather than years; or

  4. for all of these reasons.

If the SIPC concluded that the RQRHA’s approach was inadequate because the doctor in question was not fired or suspended (or monitored for years), this is arguably a reasonable conclusion. One has to wonder what the discipline meted out to a nurse might have been if a nurse had snooped in a doctor’s personal health records. However, if the SIPC concluded that the RQRHA’s approach was inadequate because the doctor in question was not named in the summary to be provided to all regional health authority employees/practitioners, there is room for debate.

Publicly Naming Disciplined Employees – Invasion of Privacy?

Normally, disciplinary measures taken against an employee constitute that employee’s “personal information”. Disclosure of such disciplinary information would generally be presumed an unreasonable invasion of the employee’s personal privacy (see, for example, section 22(3)(b) and (d) of British Columbia’s Freedom of Information and Protection of Privacy Act). Generally, privacy over such disciplinary information is only lost when the disciplined employee chooses to make it public by bringing a grievance or other legal proceeding to challenge the employer’s disciplinary action.

It may be true that publishing the name of the employee/practitioner disciplined (and the details of the discipline imposed and underlying transgression) will have a deterrent effect on both the disciplined employee/practitioner and other employees/practitioners who may be tempted to “snoop”. However, in endorsing such an outcome in the name of deterrence, are we not abandoning basic privacy principles?

The doctor in this case did something wrong and, perhaps, should have been suspended or terminated. But, should his privacy be breached in order to “teach him a lesson”? To my mind, that sends an inconsistent message.

There is certainly value in the RQRHA issuing a summary of the situation (without the names of the nurse/doctor involved), as a teaching mechanism and as part of its overall privacy training program. However, I’m not sure I see the value in breaching the doctor’s privacy in order to teach him (and others) not to breach their co-workers’ (or patients’) privacy. In that regard, I fall back on what my mother always told me when I was a child – “two wrongs don’t make a right.”