An Ontario arbitrator has reinstated a hospital worker who was fired for accessing and disclosing patient health information without permission.
The employee was a health assistant, hired in 2001, with the Georgian Bay Hospital (GBGH). It operates two hospitals — in Midland, Ont., and Penetanguishene, Ont.
GBGH had a policy protecting the confidentiality of patient health records, which were only to be accessed by workers in the “circle of care” — practitioners who were directly attending to the patient’s health needs. Patient consent was also required to access or disclose health information.
GBGH staff were trained on the policy and signed an agreement that breaching it would lead to discipline up to and including termination of employment.
On May 19, 2012, a friend of the employee was in an accident and was taken to GBGH. The employee called an X-ray technician at the hospital and asked if the friend was one of the technician’s patients, which the technician confirmed and discussed the injury. The employee shared the information with her husband and the friend’s brothers.
The X-ray technician reported the incident to her manager, who completed a risk occurrence report for GBGH’s privacy officer. The privacy officer interviewed the employee and launced a privacy audit of all the employee’s accesses of medical records over the previous year.
The privacy audit showed the employee had accessed the personal health information of her friend on May 20. Though her friend was discharged on May 21, the employee accessed the records again on May 23. The employee also accessed the records of her husband, her sister and herself.
GBGH had a zero tolerance policy for privacy breaches and it decided to terminate the employee unless she could explain.
The employee was interviewed on June 14, where she admitted to accessing her own records and, when asked about her friend’s records, she said “you got me” and acknowledged it was a privacy breach.
The employee explained her husband had diabetes and sometimes test results weren’t given to his doctor quickly enough, so she accessed them. She also said her sister had cancer and she wanted to ensure the documentation was transmitted in a timely manner to the chemotherapy facility. She accessed her own records to determine if she had the same genetic code for cancer.
The arbitrator found the employee’s conduct in accessing and disclosing personal health information was “serious misconduct warranting significant disciplinary sanction.” GBGH’s policies and privacy legislation made it clear how important it was to maintain confidentiality, and the employee had acknowledged her awareness of the policies by signing her agreement.
However, the arbitrator found zero tolerance wasn’t required, as the policy allowed for discipline up to dismissal and the employee’s access of information relating to herself and her family might not warrant dismissal, said the arbitrator.
However, the arbitrator found the access of the friend’s information was more serious. She didn’t have the friend’s consent, which was a serious breach. On the other hand, the arbitrator noted that it was an emotionally charged situation. The employee also readily admitted her actions and acknowledged her wrongdoing, which “speaks to her rehabilitative potential,” said the arbitrator.The arbitrator found the employee was remorseful, appreciated the gravity of her misconduct and would likely not repeat it — she was an 11-year employee with no prior discipline. GBGH was ordered to reinstate her but without compensation for the 22 months since her dismissal, which would be a suspension. See Georgian Bay General Hospital and OPSEU, Local 367 (J.(K.)), Re, 2014 CarswellOnt 5923 (Ont. Arb.).