Focuses on occupational health and safety issues at a strategic level. Designed for employers, HR managers and OHS professionals, it features news, case studies on best practices and practical tips to ensure the safest possible working environment.
Issue link: http://read.uberflip.com/i/494992
6 Canadian HR Reporter, a Thomson Reuters business 2015 CSR | March 2015 | News Breaches of private health information cause for concern Better training, reporting, discipline can curtail employee misbehaviour BY SARAH DOBSON IT HAPPENED IN the fall of 2014 and then, surprisingly, again in early 2015 — the private health records of Rob Ford, former mayor of Toronto, suffering from stomach cancer, were breached in four separate incidents at at least three hospitals. And it's not just high-profile citizens who are losing their pri- vacy — employees at Rouge Val- ley Health System in Ontario, for example, allegedly used or disclosed the personal health in- formation of mothers for the pur- poses of selling or marketing reg- istered education savings plans (RESPs). And the Vancouver Island Health Authority (VIHA) investigated incidents involving two workers who breached the privacy of 112 individuals receiv- ing health-care services. So why do employees act this way? And are these types of in- cidents on the rise? The answers may not be clearcut but more needs to be done to avoid further violations, say experts. "To the extent that hospi- tals or other organizations are moving towards shared elec- tronic records, there's certainly the possibility that this will be an increasing issue," said Brian Beamish, acting commissioner for the Office of the Information and Privacy Commissioner of Ontario (IPC). "There's definite- ly a need for improvement. I take the point that we don't want to over react... I think though to the extent that patients feel that their records are not secure, there may be a diminishment of support for the records or a lack of trust in the records and I think that's a bad thing." Even if most health-care work- ers are going to be professional and avoid snooping, "the fre- quency with which it happens still creates some problems and undermines public confidence in not only the providers but in the electronic health record system," said Gary Dickson, former in- formation and privacy commis- sioner for Saskatchewan and a consultant at staffing firm Beck- enhill in Ottawa. But Dan Michaluk, a part- ner at Hicks Morley in Toronto, wondered whether this really is a problem of perception. "Clearly, it's perceived that hospital personnel can't be trust- ed at this point — that's based on a number of high-profile events. Is that perception a valid percep- tion or not could be debated," he said. "I sense a bit of moral panic, frankly, where we've got a couple of high-profile incidents that have caused people to throw their arms up and feel that the sky is falling." Every hospital takes privacy seriously and there's no evidence of a systemic problem, he said. "Regardless, I think hospitals have to reckon with the percep- tion nowadays." What's behind the breaches? So why do health-care staff breach patient privacy? There are a variety of reasons, ranging from pure misunderstanding or stretching the rules to curiosity and malicious intent. Hospital information systems are fairly open, so once people have the credentials to log in, there aren't many barriers within the system that prevent access, said Michaluk. "As soon as you start to put barriers up, you cre- ate potential patient safety risks, so those systems rely on trust and that is seen to be a premise that's quite acceptable." Human nature is also a factor. "There has always been an ap- petite and an interest on the part of people working in health-care institutions — curiosity some- times overcomes their profes- sional training and their ethical obligations, and they peek, they snoop," said Dickson. Some breaks are malicious and intentional while others are inadvertent, said Cathy Yaskow, director of information steward- ship, access and privacy at VIHA. "They happen because people are either careless or because the system doesn't support them in doing the right thing, so the tech- nology isn't designed or hasn't been designed in a way that en- ables them to make good choic- es… and other times, they're just trying to be helpful." In other circumstances, there may be something going on in that staff person's life, such as a sick friend, that makes him disre- garding his ethical, legal and pro- fessional obligations, she said. But we can't take a laissez-faire attitude and say, "Well this stuff happens, it's human nature, we have to accept it," said Beamish. "There are steps that can be tak- en and we need to remain vigi- lant and keep working at it." Preventative steps There are more than a few ways organizations, authorities and the snoopers themselves can curtail the breaches, according to the experts. For one, better train- ing makes sense, said Yaskow. "It's not about just doing a whole bunch more education and complex thought and con- cepts, it's about distilling it down to those practice standards, those codes of conduct, those ways of behaving around infor- mation that resonate with staff on the front line, with physicians in their day-to-day practice, and enable them to very quickly use critical decision supports and tools to make the right decisions about that information." Sometimes hospitals fail when it comes to the frequency of the training, said Beamish. "We definitely recommend that at least there be annual train- ing and that people on an annual basis be required to sign an oath of confidentiality. It needs to be continually reinforced that there are rules and standards and that people have to abide by them." The IPC has also recom- mended hospitals use messaging around privacy similar to that found around hand washing, such as a poster campaign and emails. The commission itself re- cently released a guideline with nine steps to take to prevent un- authorized access. The commission is also rec- ommending mandatory notifi- cation by hospitals when there is a significant breach of privacy — currently, many institutions do so voluntarily. "We can fulfill a function in ensuring that the breach has been addressed and all the prop- er steps have been taken," said Beamish. But there should be a balance, said Yaskow. "We would not have the capac- ity nor, in my view, would it be reasonable for us to be reporting every single instance. But, yes, clearly there is value in reporting serious and significant breaches to the privacy commissioner and Island Health already does that, even in the absence of legislated obligations in that regard." The IPC is also strongly rec- ommending that victims have a right to know who breached their records and what steps were taken, including discipline, said Beamish. "We get some pushback from hospitals on that but we feel if your privacy has been violated, you have a right to know the de- tails of that violation," he said. "An employee who violates the rules < pg. 7 "We can't take a laissez-fair attitude. ere are steps that can be taken and we need to remain vigilant and keep working at it."