A recent decision by the Information and Privacy Commissioner of Ontario involving a medical clinic highlights the importance of having written job duties and policies regarding the protection of patient personal health information. The decision addresses the risks of departing employees accessing and retaining patient personal health information without proper authorization.
The case originated from a complaint by a patient to her medical clinic. In the spring of 2018, the patient had concerns that an employee of the clinic had improperly accessed the patient's personal health information contrary to the Personal Health Information Protection Act. The employee had left the clinic in September, 2017. It appears after that time, the employee reached out to contact the patient for "networking" opportunities. Resulting from the investigation, the Privacy Commissioner determined there had been at least three instances of unauthorized use of personal health information by the employee and she had retained a number of e-mails after her employment had ceased. These e-mails included medication lists of patients.
In response to the allegations, the clinic reviewed the audit trail of its electronic medical records system. The clinic found numerous incidents of access to the patient's information. The clinic concluded these instances were unauthorized. The clinic, as required by PHIPA, reported the breach to the Privacy Commissioner. The respondent employee disputed that there had been unauthorized use or disclosure. The employee alleged that several of the instances were part of her job description.
A key issue was whether the employee's access of records was part of her authorized job duties. There was a significant difference between what the employee and the clinic considered her role to be at the clinic. The employee stated that her position was the Director of Prevention & Chronic Conditions, and described wide-ranging responsibilities, including training, querying the EMR system for matters for follow up, and addressing third party requests, in addition to her reception duties. She stated that her remote access was necessary to ensure that emergency hospital visits were being followed up, that fee for service doctors were sufficiently booked, and for data management, among other reasons.
The clinic's description of her duties was significantly different. They identified her as largely a secretary, handling income and outgoing calls, scheduling patients, taking care of administrative tasks, manning the front desk, and handling third party requests from lawyers and insurance companies. Near the end of her employment she had been given the title of "Director, Chronic Conditions and Preventions" in anticipation of possibly using her to assist the lead physician because most of the other research assistants would have had university degrees in science, it would have been difficult for the employee to work with them if it was known she was coming from a receptionist role.
Ultimately, the Privacy Commissioner accepted the clinic's description of her employment duties. While the Commissioner determined there had been unauthorized access of the records, there was no finding that the clinic was responsible or that it authorized employee's retention of the e-mails.
Unsurprisingly, the Privacy Commissioner found that maintaining health records after an agent's employment had ceased was not authorized by the Act. The Commissioner confirmed that the obligations of an "agent" of a health information custodian outlined in section 17(2) must continue after an agent ceases having a role with a custodian. Importantly, while the clinic agreed that the e-mail retention was not authorized, it conceded there was no written policy that dealt with proper procedure for shutting down access or returning patient information. The employee, for her part, provided an affidavit advising she had subsequently deleted all the e-mails. Ultimately, the Privacy Commissioner ordered the employee to not disclose any personal health information in oral or recorded form. The clinic avoided having any orders issued against it.
The Take Aways
The take away for employers governed by PHIPA is that having proper policies and procedures in place to handle the use and disclosure of personal health information is essential. In the present case, the clinic's lack of a clear employment duties resulted in an unclear delineation of authority for the employee. While the Commissioner ultimately agreed with the clinic's description of employment, it would likely have been easier if the clinic could point to written job duties to confirm what activities and duties were within the scope of the employee's employment. Further, health information custodians should ensure that there are clear policies upon the departure from employment. It is important that health information custodians impress upon their departing agents that the duties outlined in PHIPA continue despite the cessation of employment. Whether this is embedded into the agent's contract of employment or a written policy that is regularly reviewed and enforced is a case by case decision based on the unique situation of each health information custodian.
See: A named individual (Re), 2020 CanLII 12690 (ON IPC)
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.