On a daily basis, health care practitioners are required to collect, use, and disclose personal health information of their patients. In addition to policies and training that a medical institution implements, individual health care practitioners have a professional obligation, prescribed by the Personal Health Information Protection Act, and their respective College guidelines, to ensure confidentiality of personal health information. Failure to comply with their legal and professional obligations may lead to disciplinary action by their regulatory College or civil actions for violation of privacy.

Recently, the Discipline Committee of the College of Nurses of Ontario considered the appropriate penalty for a member who had admitted to improperly accessing patient information. In this case, a Registered Nurse employed at the Health Sciences North-Sudbury Outpatient Centre ("the Hospital") improperly accessed personal health information of multiple patients on multiple occasions including her own personal health information.

The Committee noted that the Member accessed information of numerous individuals including a co-worker, a spouse of a co-worker, and a family member. An audit of the Hospital's Meditech system reveled the unauthorized access. The Hospital's policy, titled Protection of Personal Information & Confidentiality, acknowledged that all staff members have a "legal, ethical and at times a professional obligation to protect the confidentiality of personal health information and other sensitive information." Further, the Policy required that personal health information not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. The Member admitted that she did not have a professional purpose or proper authorization to access the personal health information.

The Hospital also had a policy that permitted an individual to access her own health records. However, once again, the Member acknowledged that she did not follow the proper protocols. Additionally, the Policy required that all requests and accesses to personal health information be documented. The Member failed to comply with this obligation as well.

In addition to breaching the obligations under the Hospital Policy, the Committee noted that the College of Nurses of Ontario's Professional Standards provides further guidance and obligations. These obligations include ensuring that each nurse is accountable to the public and responsible for ensuring that their conduct meets legislative requirements and the standards of the profession. More specifically, the College's Confidentiality and Privacy: Personal Health Information standard requires that Nurses comply with their obligations under the Personal Health Information Protection Act, 2004. This includes a requirement that nurses ensure that personal health information be kept confidential and secure.

In deciding the appropriate penalty, the College found that the mitigating facts were (1) the Member had been a long standing member of the College; (2) there was no previous discipline history with the College; (3) there was an admission of misconduct by entering a plea and avoiding a hearing; (4) the Member had accepted responsibility; (5) the Member cooperated with the College; and, (6) the Member attended the hearing. In contrast, the aggravating factors included (1) the Member's actions were not isolated and there was a breach of trust; (2) the Member accessed five different patients' personal files including her own; and, (3) the access had occurred over a five-year time span.

There was a Joint Submission for penalty which as accepted by the Committee. The terms included a three month suspension of the Member's certificate of registration; a requirement of meeting with a Regulatory Expert to discuss the incidents, the professional obligations of nurses, and the consequences of the misconduct; as well as a requirement that for a period of 12 months after the Member returns to practice, employers must be made aware of the decision.

Regulatory Colleges consistently receive complaints regarding a member's failure to preserve the personal health information of their patients. Although there are instances throughout any given day that a privacy breach may occur at a medical clinic, individual health care practitioners must take an active role in determining what actions are permitted within the course of their employment and what actions will result in a potential regulatory proceeding. When unsure, a practitioner should consult with the privacy officer at their place of employment; contact their College for guidance; or, contact legal counsel to identify the extent of their obligations. Although a disciplinary action is not analogous to a civil action brought by a patient, such an action may tarnish a professional record.

Originally published 11 August, 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.