The Information and Privacy Commissioner of Ontario has issued her second order under the province's new Personal Health Information Protection Act.
The complaint concerns a pretty deplorable situation that took place at the Ottawa Hospital. The complainant was admitted to the hospital and advised that she did not want her estranged husband and his girlfriend (both were employees of the hospital) to know of her admission or of her situation. Subsequent discussion with her husband demonstrated that he knew about her admission and the patient complained.
An investigation revealed that the girlfriend had accessed the complainant's electronic health record a number of times and disclosed it to the estranged husband. The Commissioner was less than impressed, as demonstrated by the postscript to the executive summary:
This was a truly regrettable situation in which a patient who was admitted to a hospital, made a specific request to prohibit her estranged husband and his girlfriend, a nurse at the hospital, from having any information regarding her hospitalization, only to learn that the exact opposite had occurred.
Despite having alerted the hospital to the possibility of harm, the harm nonetheless occurred. While the hospital had policies in place to safeguard health information, they were not followed completely, nor were they sufficient to prevent a breach of this nature from occurring. In addition, the fact that the nurse chose to disregard not only the hospital’s policies but her ethical obligations as a registered nurse, and continued to surreptitiously access a patient’s electronic health record, disregarding three warnings alerting her to the seriousness of her unauthorized access, is especially troubling. Protections against such blatant disregard for a patient’s privacy by an employee of a hospital must be built into the policies and practices of a health institution.
This speaks broadly to the culture of privacy that must be created in healthcare institutions across the province. Unless policies are inter-woven into the fabric of a hospital’s day-to-day operations, they will not work. Hospitals must ensure that they not only educate their staff about the Act and information policies and practices implemented by the hospital, but must also ensure that privacy becomes embedded into their institutional culture.
As one of the largest academic health sciences centres in Canada, the Ottawa Hospital had properly developed a number of policies and procedures; but yet, they were insufficient to prevent members of its staff from deliberately undermining them.