Health-record snooping a growing concern: Dewhirst

By Staff

Toronto health lawyer Kate Dewhirst says a growing issue of concern in health care is snooping – privacy breaches that occur when a provider looks at a patient's medical record when he/she didn't have a business reason to do so.

"So if you're not assigned to a particular patient and you look at their health record for your own purposes that would be considered snooping," she says.

Dewhirst, principal at Kate Dewhirst Health Law, says she regularly gives advice to health-care organizations that are managing cases of privacy breaches.

"I give advice almost daily on privacy breaches – how to manage them and how to prevent them," she says. "Health-care organizations have to notify the patient that this has happened and discipline or terminate the employment of the staff member," she says.

Dewhirst specializes in health-care privacy, relating to health-care organizations such as hospitals, family health teams, doctor's offices, community children's agencies and community mental health agencies.

There have been at least two cases of snooping before Ontario's information and privacy commissioner.

"The commissioner has jurisdiction over the compliance of the legislation, called the Personal Health Information Protection Act (2004)," says Dewhirst. "She has issued two orders in snooping cases."

There are also two related court cases that support the idea that snooping constitutes a privacy breach, the lawyer says.

And such breaches aren't restricted to health care.

Jones v. Tsige, for one, is a 2012 case that's based on an allegation that a bank employee looked at a person's banking information without authorization.

Similarly, there's a new case in the health-care field this year – Hopkins v. Kay – in which plaintiffs are bringing action for damages for breach of privacy based on an allegation that hospital patient records were improperly accessed, and in some cases, improperly disseminated.

"It happens and I help health organizations do training, reminders and policies," says Dewhirst. "If there is a privacy breach, I help them respond to the privacy breach, notify affected patients and deal with the privacy commissioner."

These cases have opened the door to civil actions as a result of privacy breaches, signalling a change in the legal landscape. This means there can be legal repercussions for people who snoop in addition to employment consequences, she says.

"What has happened in the past when there's a breach is that you can make a complaint to the organization and the organization would then be obliged to investigate and there might be employment consequences to the person who has done this," says Dewhirst. "But that doesn't give the individual whose privacy has been breached any remedy, any personal remedy.

"We are seeing now there's a real potential for damages. People whose privacy has been breached can take the facts to court and sue for damages."

And these cases are proving to be persuasive evidence of the need for employees to follow their organization's policies because of the threat of potential financial consequences, says Dewhirst.

"These civil cases really reinforce the message," she says. "Now that these civil cases are starting, there is more emphasis on an individual's responsibility."

Dewhirst says sometimes people snoop because they don't realize it's wrong and in those cases, the organization has a lot of responsibility in doing training, sending reminders and sending out notifications to staff to remind them they should only be looking at records for patients to which they either have authorization or are providing care.

"Some people know it's wrong and they go forward with it anyway," she says. "Then an organization has obligations to set up systems that will prevent that from happening so they would have electronic systems that wouldn't allow people to go into records when they're not supposed to."

In other cases, organizations have instituted an audit trail so administrators can see who has been into the records.

Dewhirst says instances of snooping that have come to light involve people who look at the health records of ex-partners or people who look at the information for their own use.

"They want to know something about their loved one's ex-partner or new partner," she says. "It's for their own interest."

But she stresses that peoples' health information is very sensitive and "obviously, it's important that it's protected."

To Read More Kate Dewhirst Posts Click Here