...They were not her patients, nor were they within her circle of care. The Grievor had no need to know the medical information.
Arbitrator William F. J. Hood, Q.C.
A physiotherapist with 25 years of clean service was discharged after her employer discovered she inappropriately accessed her employer's Picture Archiving & Communication System ("PACS"). An audit disclosed that from January 2012 to October 2012, she accessed the personal health information of 99 persons without authorization and there was evidence apart from the audit of other improper access. In discharging, the employer relied on its comprehensive confidentiality, privacy and IT policies and the employee's responsibilities and duties under her professional regulating body. The union grieved the discharge. The majority of an arbitration board upheld the discharge. A brief review of the decision, Health Sciences Association of Saskatchewan and Saskatchewan Association of Health Organizations, Representing the Prairie North Health Region, 2014 CanLII 5231 (SKLA) ("Prairie North Health Region"), follows.
In a previous blog Workplace Confidentiality: More about insisting on privacy! we told you that arbitrators take breach of confidentiality, particularly accessing medical records, seriously. As a general rule, most arbitrators hold health care employees to higher standards than other workplaces saying there should be a zero tolerance standard for improper access. There are some arbitrations, however, where arbitrators substituted a lengthy suspension for discharge when they determined that an employee's access, although improper, "was not for personal gain" (see Eastern Regional Integrated Health Authority and NAPE, a 2012 Newfoundland and Labrador Arbitration decision ). What made Prairie North Health Region different when the access itself was not necessarily for "personal gain"? Tthe grievor's credibility and the fact that the employer/employee trust relationship was permanently broken.
What were some of the credibility issues?
The triggers for a credibility assessment, in Prairie North Health Region, were the "excuses" or attempts to "minimize" the privacy intrusion raised by the union and the physiotherapist during the hearing which were found to be either illogical or inconsistent with the evidence heard, namely:
- The union alleged there was improper confidentiality training and inconsistency.
- The physiotherapist claimed her access of personal health information was because of "medical curiosity", "learning" and the "need to understand", in one case, the medical diagnosis of a prominent member of the community who had passed away.
- The physiotherapist claimed she had not read any of the confidentiality and privacy policies before her termination and the employer did not instruct her to read them.
- She did not think accessing personal health information alone was wrong.
These allegations and claims were hard for the arbitration board to accept due to evidence received at the hearing, namely:
- The following statement appeared on the PACS login page:
- The physiotherapist admitted during the hearing that she had accessed information about an individual and shared it with that individual's spouse and that she also shared information about a patient with the patient's daughter.
- There was a pattern of accessing, not the physiotherapist's patient information, but information about co-workers, supervisors, well-known prominent figures, family and a spouse of a physician.
- The physiotherapist eventually acknowledged her signature on a form she signed to gain access to PACS and on a form she signed acknowledging that she had read and understood the IT Acceptable Use Policy. This was after she denied seeing the policies during her testimony in chief.
Arbitrator Hood, Q.C., said:
It defies logic that the Grievor would not look at the hard copy of the patient's chart, knowing that this was wrong, and at the same time somehow rationalize that electronic access to medical records through PACS was not wrong.
Further, the Grievor's story as to why she did what she did does not hold together. The Grievor asserts her reasons were for 'learning', 'medical curiosity' and the need to have a 'better understanding of the medical diagnosis'. The problem with this story is, in some cases, there was no medical predisposition, and even if there was, the medical issue had nothing at all to do with her speciality of knees and joints. It is not logical the Grievor accessed medical information online for learning purposes in disciplines other than her own.
Was the termination "just and reasonable?"
Having found that the physiotherapist knew what she was doing was wrong, Arbitrator Hood, Q.C., writing for the majority, considered whether the termination was just and reasonable. He concluded it was, based on the following:
- The access was not isolated.
- The grievor's appetite for medical information was not modest (438 confidentiality breaches occurring during working hours).
- The grievor was not provoked.
- The access was not on the "spur of the moment".
- The employer's confidentiality policies, codes of conduct and two governing professional bodies that licensed the grievor as well as the Health Information Protection Act were not enough to suppress the grievor's temptation.
Arbitrator Hood, Q.C. said:
An overriding factor is the overall seriousness of the misconduct. The sheer magnitude of the confidentiality breaches perpetrated on such a diverse group of the public, at times on a daily basis over an extended period of time, is so appalling that we are not prepared to set aside the discharge.
In this case, the seriousness is exacerbated by the members of the group whose confidentiality rights were violated. The persons included past and present co-workers, supervisors, senior management of the Employer, immediate and extended family, as well as well-known, prominent members of the community.
Should the board substitute another type of penalty?
Arbitrator Hood, Q.C. said no. Notwithstanding a progressive discipline scheme, the discharge without progressive discipline was upheld on the basis of the damaged trust in the employer/employee relationship:
The Employer is held accountable to protect the confidentiality of personal health information. The Employer is statutorily bound to maintain this confidentiality. The consequences of violating this confidentiality are significant. The Employer is reposed with a public trust to which it is held accountable. This trust is onerous.
What this means to employers charged with protecting the confidentiality of personal health information
The facts in the Prairie North Health Region were overwhelming and sometimes incredulous. Discharge is always viewed as a last resort, referred to as "the capital punishment for employee misconduct in collective bargaining agreements" in the decision. The outcome of an arbitration case can never be 100% predictable because of the large role individual facts play. Allegations of privacy and confidentiality breaches will continue, whether as a result of human curiosity, snooping or just plain nosiness. The issue for employers is what type of discipline is necessary to address the issue. Employers are equipped with strong guidance from arbitrators saying that in some industries, 'zero tolerance' is the standard and unless there are sufficient mitigating circumstances, dismissals should be upheld. Even in cases where mitigation does play a role, arbitrators are saying lengthy unpaid suspensions are appropriate.
Employers, whether unionized or non-unionized, in the health care, banking or any other sector where confidentiality is an expected condition of employment, should continue to educate employees through codes of conduct or confidentiality policies and should clearly say discipline will follow when these policies are violated. As in all cases, policies and discipline must always be consistent and equally applied.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.