For some reason I can’t quite understand, there have recently been a number of very serious privacy breaches involving health care professionals being caught snooping into patient personal health records. Surprisingly, some of these incidences have involved fairly high profile individuals (such as was the case concerning former Toronto Mayor Rob Ford)1, and some have occurred intentionally over a prolonged period of time for personal financial gain . In the latter case, a (now former) Rouge Valley employee sold personal health information obtained from confidential patient health records2. Unbelievable!
This problem is so concerning that the government now plans to increase financial penalties for each individual who inappropriately accesses patient health records. The fine, which was already quite steep at $50,000, will be doubled to $100,000. In addition, proposed amendments to the existing legislation will make it mandatory for organizations to report privacy breaches to the Information and Privacy Commissioner (and, in some cases, to the relevant regulatory College)3 . I’m not sure how much money the Rouge Valley employee made from selling personal health information, but I don’t think all that much – seeing as they were only charged with two counts of theft under $5,000. It certainly wasn’t worth incurring four other criminal charges, public humiliation and the loss of their livelihood.
As RTs, I know it can be a bit challenging to define who our patients are, because we can be asked to see any patient at any time – often at a moment’s notice. Therefore, when accessing patient health records, we must always ask ourselves one important question: “If questioned, could I provide a reasonable explanation for viewing this patient’s records?” If an RT has provided– or reasonably thinks they may be required to provide – a health care service to a particular patient, then accessing their records is likely acceptable. However, it’s essential that we understand that the only purpose for accessing personal health records is for the patient’s benefit – never our own.
1CBC News. (2014, Oct 16). Rob Ford’s medical records accessed by 2 unauthorized hospital staff members: Hospital took ‘appropriate action against individuals involved in privacy breach. Retrieved from http://www.cbc.ca/news/canada/toronto/rob-ford-s-medical-records-accessed-by-2-unauthorized-hospital-staff-members-1.2802038
2 CBC News. (2015, Jun 2). Rouge Valley Health System privacy breaches lead to 19 charges: 5 people accused of criminal and securities offences over sale of new mothers’ confidential records. Retrieved from http://www.cbc.ca/m/touch/canada/toronto/story/1.3097374
3 Ministry of Health and Long Term Care. (2015, June 10). Ontario to Introduce New Measures to Protect Patient Privacy: Strengthening Privacy and Accountability in the Health Care System. Retrieved from http://news.ontario.ca/mohltc/en/2015/06/ontario-to-introduce-new-measures-to-protect-patient-privacy.html