Canadian HR Reporter is the national journal of human resource management. It features the latest workplace news, HR best practices, employment law commentary and tools and tips for employers to get the most out of their workforce.
Issue link: https://digital.hrreporter.com/i/468616
Canadian HR RepoRteR March 9, 2015 8 News Should victims be told who breached their records? heAlth records < pg. 1 PARTNERS IN PREVENTION 2015 HEALTH & SAFETY CONFERENCE & TRADE SHOW PartnersinPreventionConference.com THE INTERNATIONAL CENTRE 6900 AIRPORT ROAD, MISSISSAUGA, ONTARIO APRIL 28-29, 2015 Just one new idea can spark change Just one new idea can spark change Where Discoveries Begin MICHAEL LANDSBERG Darkness & Hope: Depression, Sports, & Me CHRIS HADFIELD The Sky is Not the Limit DR. JOE MACINNIS Leadership Lessons from the 7-Mile Dive into the Marianas Trench MICHAEL LANDSBERG KEYNOTE SPEAKERS CHRIS HADFIELD To register or request a copy of our Preliminary Guide: PartnersinPreventionConference.com 1 877 494 WSPS (9777) in damages for future incidents involving unauthorized access to personal health information by a rogue employee or third party," law firm Osler said in a briefing. e firm also said the ruling could open the door to similar lawsuits outside Ontario in ju- risdictions with comprehensive privacy statutes or in regulated sectors and industries "where the legislature has created a sepa- rate regulatory and enforcement regime." Even if most health-care work- ers are going to be professional and avoid snooping, "the fre- quency with which it happens still creates some problems and undermines public confidence in not only the providers but in the electronic health record system," said Gary Dickson, former infor- mation and privacy commissioner for Saskatchewan and a consul- tant at staffing firm Beckenhill in Ottawa. But Dan Michaluk, a part- ner at Hicks Morley in Toronto, wondered whether this really is a problem of perception. "Clearly, it's perceived that hos- pital personnel can't be trusted at this point — that's based on a number of high-profile events. Is that perception a valid percep- tion or not could be debated," he said. "I sense a bit of moral panic, frankly, where we've got a couple of high-profile incidents that have caused people to throw their arms up and feel that the sky is falling." Every hospital takes privacy se- riously and there's no evidence of a systemic problem, said Michaluk. "Regardless, I think hospitals have to reckon with the percep- tion nowadays." ere are a variety of reasons why health-care staff breach pa- tient privacy, ranging from mis- understanding or stretching the rules to curiosity or malicious intent. Hospital information systems are fairly open, so once people have the credentials to log in, there aren't many barriers, said Michaluk. "As soon as you start to put bar- riers up, you create potential pa- tient safety risks, so those systems rely on trust and that is seen to be a premise that's quite acceptable." Human nature is also a factor, said Dickson. "Curiosity sometimes over- comes their professional training and their ethical obligations, and they peek, they snoop." Some breaches are malicious and intentional while others are inadvertent, said Cathy Yaskow, director of information steward- ship, access and privacy at VIHA. "ey happen because people are either careless or because the system doesn't support them in doing the right thing, so the tech- nology isn't designed or hasn't been designed in a way that en- ables them to make good choic- es… and other times, they're just trying to be helpful." ere may also be something going on in that staff person's life, such as a sick friend, that makes him disregard his ethical, legal and professional obligations, she said. ere are more than a few ways organizations, authorities and the snoopers themselves can curtail the breaches, according to the experts. For one, better training makes sense, said Yaskow. "It's not about just doing a whole bunch more education… it's about distilling it down to those practice standards, those codes of conduct, those ways of behaving around information that resonate with staff on the front line, with physicians in their day-to-day practice, and enable them to very quickly use critical decision sup- ports and tools to make the right decisions about that information." Sometimes hospitals fail when it comes to the frequency of the training, said Beamish. "We definitely recommend that at least there be annual train- ing and that people on an annual basis be required to sign an oath of confidentiality. It needs to be continually reinforced." e IPC has also recommended hospitals use messaging around privacy similar to that found around hand washing, such as posters and emails. e commis- sion recently released a guideline that included nine steps to take to prevent unauthorized access. e IPC is also recommend- ing mandatory notification by hospitals when there is a signifi- cant breach of privacy — cur- rently, many institutions do so voluntarily. "We can fulfill a function in en- suring that the breach has been addressed and all the proper steps have been taken," said Beamish. But there should be a balance, said Yaskow. "We would not have the capac- ity nor, in my view, would it be reasonable for us to be reporting every single instance. But, yes, clearly there is value in reporting serious and significant breaches to the (B.C.) privacy commissioner and Island Health already does that, even in the absence of leg- islated obligations in that regard." e Ontario commission is also strongly recommending that vic- tims be told who breached their records and what steps were taken, including discipline, said Beamish. "We get some pushback from hospitals on that but we feel if your privacy has been violated, you have a right to know the de- tails of that violation," he said. "An employee who violates the rules should expect a diminished right to their own privacy." ere are times when it's im- portant to identify the snooper if it may help a victim to take protec- tive action, said Dickson, such as a spouse feeding information to his lawyer. "In lots of other cases, where there's not that kind of relation- ship, I think the important thing is to say that there's been an in- vestigation…. but I'm reluctant to name the offender in every case. And partly because the issue is that it's the organization that has to be responsible for it." It's a remarkable suggestion that the employee should be re- vealed, said Michaluk. "A lot of hospitals are going to be uncomfortable with that be- cause it opens a whole range of consequences to the named indi- vidual," he said, adding it's "a little aggressive from a human resourc- es/labour relations norm view. ere is an element of discretion that's normally applied and I think the IPC is trying to push hospitals beyond that." It's also important to have clar- ity around the concept of the "cir- cle of care," said Dickson, when it comes to implied consent to collect, use or disclose personal health information for the pur- pose of providing care. "People in health-care settings seem to be very comfortable with it but it's proven… to be hopelessly unhelpful, it's been confusing," he said. "When we found people who snooped, they would say, 'Well, it's not a big deal because I'm a health-care worker, I'm part of this amorphous circle of care.' Well, in fact, what the law says is you only get to look at a patient's personal health information if you have a 'need to know.'"