A recent decision from Ontario has highlighted the serious nature of privacy breaches and the need for employers to be vigilant about their employees’ access to personal and sensitive information.
The College of Nurses of Ontario recently ruled that a nurse charged under Ontario’s Personal Health Information Protection Act (PHIPA) committed professional misconduct by accessing the personal health records of 5800 patients over six years.
Melissa McLellan had worked as a registered nurse at a North Bay hospital since 1999, until she was dismissed in May 2011. She admitted that it was her practice between 2005 and 2011 to routinely access the electronic records of clients who were not under her care. She saw looking at the records as part of “self-education” and “was curious” about the medical conditions and treatments of different patients.
The records included “extraordinarily personal” information such as diagnoses for depression and suicide risks. There was no evidence that McLellan had misused the information or shared it with anyone.
McLellan appeared before a disciplinary panel of her regulatory professional body to address the massive privacy breach. She admitted to professional misconduct at the hearing. The panel ordered that she lose her license as a nurse for four months and receive a formal reprimand.
An audit of McLellan’s access to the personal health records indicated that the hospital “did not have an effective system of monitoring access to electronic health records.” McLellan and the hospital are the subject of a class-action lawsuit brought by some patients arising out of the breach of privacy.
A spokesperson for the hospital provided a statement asserting that the hospital provides privacy orientation and training and has all staff sign a confidentiality agreement. The spokesperson also wrote that the hospital “has taken corrective action to prevent reoccurrence” of privacy breaches by other staff.
The decision sends a clear message to employees that privacy breaches regarding personal information amount to improper and reprehensible conduct and will be treated seriously. It also sends a message to employers about the importance of having systems in place to prevent privacy breaches by employees. Where possible, access to information should be limited to a need-to-know basis, and access should be revoked immediately when employees leave their organizations.