Accessing patient records just cause

Physical therapist said she accessed medical records out of ‘curiosity’
By Jeffrey R. Smith
|Canadian Employment Law Today|Last Updated: 04/02/2014

A Saskatchewan arbitration board has upheld the dismissal of a physical therapist who accessed the personal health information of people who weren’t her patients through an online health information system.

Jane McHattie, 56, was a physical therapist for the Prairie North Health Region in Saskatchewan. Hired in 1987, she was licensed with the colleges of physical therapists in both Saskatchewan and Alberta and worked at an extended care centre in Lloydminster, Sask., where she was considered a very good physical therapist.

Prairie North health-care workers were bound by legislation and policies that protected the personal health information of patients. A primary principle was that health information should only be accessed by those in the “circle of care” of the patient and only on a “need-to-know” basis.

All workers were required to sign an oath of confidentiality and it was stipulated that users of Prairie North’s information technology were required to protect information systems and any private information contained on them.

Worker’s accessing of patient information revealed

In May 2012, McHattie approached the facility operations manager of the care centre and asked about the name of a co-worker’s husband who had recently been injured. When asked why she wanted to know, McHattie said she wanted to look him up on Prairie North’s picture archiving and communication system (PACS), a digital imaging system that stored images of patients’ X-rays, ultrasounds and CT scans along with clinical notes. The system was accessed by approved health-care workers who had user IDs and passwords.

It was later discovered the individual McHattie was inquiring about wasn’t one of her patients. The manager thought she should report the incident, but wasn’t comfortable with new staff in the HR department. She waited until an HR consultant she knew came back from maternity leave in October 2012.

On Sept. 20, 2012, McHattie told the facility manager she had heard a patient had died that day of an aneurysm, but she looked at his CT scan and it was clear. She then began entering the patient’s name into the computer, but the manager told her it was wrong to look up the information and she didn’t want to be a part of it. This deterred McHattie from proceeding.

The facility manager completed a breach of confidentiality report the next day and sent it to the Prairie North privacy manager. However, the report got lost and the privacy manager never received it.

On Nov. 7, the operations manager finally reported the May incident to HR. The second incident also came to light and the breach of confidentiality report that had been filed in September was discovered.

Prairie Health conducted an audit of McHattie’s access to PACS from January to October 2012. The report listed the name, date and time of any patient records McHattie accessed. The two breaches that had been reported were discovered, as well as many others. It turned out McHattie had accessed the images and clinical notes of 153 patients, of which only about 50 were McHattie’s. With multiple accesses, the total confidentiality breaches over the 10 months numbered 438.

On Dec. 6, Prairie Health management scheduled a meeting with McHattie to discuss a privacy issue. They asked her about her understanding and knowledge of confidentiality. McHattie’s answer satisfied them that she had “a good understanding of the confidentiality of personal health information,” as she stated there was no right to know information about a patient if she wasn’t providing care for the patient and it should stay within the circle of care.

The PACS audit was discussed and McHattie acknowledged she knew what they were talking about. When they brought up the number of breaches and individual names, McHattie appeared embarrassed. She initially denied knowing what she did was wrong, but then said: “I didn’t speak of anything I saw. It was for myself. I know I was wrong.”

McHattie denied sharing the information she saw and said she only accessed it out of “curiosity” so she could learn about certain ailments. However, when confronted with the May incident with the operations manager, McHattie admitted she tried to show her the patient’s record on PACS.

Prairie Health determined McHattie’s breaches of confidentiality were serious misconduct, particularly considering the number of records she accessed and the large number of times she accessed them. It terminated her employment for “unethical and untrustworthy behaviour that cannot be tolerated by the employer and is entirely inconsistent with your professional obligations as a health-care provider.”

Prairie Health also notified the Alberta and Saskatchewan colleges of physical therapists of McHattie’s misconduct. Both conducted an investigation and McHattie expressed her regret, explaining she did it to help her understanding of medical diagnosis and she it would “have never ever happened again.”

The Saskatchewan governing body suspended McHattie’s licence to practice for three months and put her on probation for one year. The Alberta governing body suspended her for 30 days.

The union grieved McHattie’s dismissal, arguing she deserved discipline but dismissal was too harsh. The collective agreement stipulated progressive discipline should be used and this was McHattie’s first instance of misconduct in 25 years of service. Her reasons for accessing the files were good, she understood the seriousness of her misconduct and she was unlikely to re-offend, said the union. It also pointed out her dismissal caused significant hardship on her as it seriously damaged her employment prospects at her age.

Employee’s justification for misconduct not convincing: Board

The board found McHattie must have known accessing the information was wrong, though she insisted she didn’t. She acknowledged she understood the importance of protecting the privacy of personal health information and had even signed an information technology policy stating such access was prohibited in order to gain access to PACS. Given her status as a member of a licensed health-care profession for many years, her claimed ignorance was suspect, said the board.

The board also had trouble believing McHattie’s stated reason for accessing the information was “medical curiosity” and to learn about diagnosis and ailments, because some of the records she accessed had no medical conditions or had nothing to do with her specialty of knees and joints. In addition, there was at least one occasion where McHattie tried to share the information she accessed, with the operations manager in May 2012.

The board found there was no reason to believe that if Prairie Health did more privacy training it would have made any difference. Even after she was told she shouldn’t be doing it by the operations manager, McHattie continued to access PACS. It was not an isolated incident, but rather a pattern of behaviour that “likely would have continued unabated but for the PACS audit conducted by the employer,” said the board.

The board also found the financial hardship McHattie experienced and her lengthy employment record without prior discipline were not enough to mitigate McHattie’s serious breach of trust, which damaged the employment relationship beyond repair.

“The sheer magnitude of the confidentiality breaches perpetrated on such a diverse group of the public, at times on a daily basis over an extended period of time, is so appalling that we are not prepared to set aside the discharge,” said the board. “The task would be indeed onerous, if not impossible, for the employer to rebuild this trust with the community and its employees if the person that committed the breaches was reinstated.”

For more information see:

See Prairie North Health Region and HSAS (McHattie), Re, 2014 CarswellSask 54 (Sask. Arb.).