In 2018, 18% of all calls to our Medico-legal Advisory Service (MLAS) were about confidentiality and clinical records.
Privacy breaches are a risk in any practice, so knowing how to prevent breaches, and how to deal with them effectively if they do arise, is important.
In one case, a receptionist worked at a rural practice where her teenage son was a patient. He had recently consulted a GP at the practice and told his mother the consultation was about a UTI.
The next day, while working at the practice, the receptionist accessed her son’s medical record and discovered the consultation was about an STD. That night, she told her son how disappointed she was about the diagnosis. The son expressed his anger at his mother for breaching his privacy.
While he didn’t make a formal complaint to the practice, he informed his GP about the privacy breach at his next consultation.
The GP informed the practice owner of the breach, who called Avant’s Medico-legal Advisory Service for advice on how to deal with the situation. The GP had not yet spoken to the receptionist, who had worked at the practice for many years and been an exemplary employee. The practice owner did not wish to dismiss her, but was keen to send a clear message to practice staff about the importance of patient privacy.
As a condition of her employment, the receptionist had conditions in her contract regarding privacy and confidentiality. If she is proven to have accessed her son’s records, her conduct was in breach of her contract as well as being a breach of privacy legislation.
Managing the situation: recommended steps
When concerns are raised about a staff member’s breach of patient privacy or confidentiality, it is important for the practice to deal with the concerns quickly. Concerns can be managed as either a performance issue or as a misconduct issue.
A concern is generally dealt with as a performance issue when there are minor breaches of practice policy, such as failing to shred documents after scanning them, or incorrectly checking patient contact details at the reception desk. Many performance issues can be resolved through communication and guidance about the practice’s policies and processes. Ongoing performance issues may result in disciplinary action.
A concern should be dealt with as a potential misconduct issue when there is a specific breach of practice policies and procedures, for example, discussing confidential patient information outside the practice. In such cases, the practice should investigate the concern and take appropriate disciplinary and other action.
In the situation above, Avant’s medico-legal expert advised that the practice should treat the breach as a misconduct issue rather than a performance issue.
The practice owner was advised to conduct an initial investigation of the complaint (in this case, by reviewing the receptionist’s access to patient medical records) before raising the issue with the receptionist.
Some practice software will allow a practice to identify what records a staff member has accessed, when and for how long. However, in this case, the practice software did not allow the practice to do this. This meant the practice had no independent evidence the receptionist had accessed her son’s medical record.
Avant recommended the practice take the following steps:
1. Advise the receptionist you would like to meet with her to discuss a privacy breach at the practice. You should suggest she brings a support person to the meeting.
2. Meet with the receptionist and ensure a note-taker is present at the meeting. Start the meeting by explaining the role of the support person (i.e. they are there to support the receptionist but not to represent her or speak on her behalf).
3. Inform the receptionist her son advised his GP that she had accessed his medical record and discussed the results of the consultation with him. Tell her that, if proven, this conduct would constitute a breach of her contract and confidentiality agreement and could result in disciplinary action. Give her an opportunity to respond to the complaint.
4. If the receptionist confirms she did access the record, ask her whether she has any excuse or explanation for doing so. Tell her you will consider the next steps and advise her in due course. If you are not satisfied with her explanation, you can take disciplinary action, which might be dismissal or a first and final written warning depending on all the circumstances.
5. If the receptionist says she did not access the record, you will need to determine whether you think she is telling the truth (for example, by asking her how she became aware of her son’s diagnosis). She may deny having the discussion with her son and allege her son is just trying to get her into trouble with her employer. If you are not satisfied with her explanation, you can still take disciplinary action, but it might be difficult to justify dismissal.
6. It is important to conduct the meeting appropriately to minimise the risk of the receptionist making a stress claim.
7. Ensure the receptionist is safe to return to work after the meeting or, alternatively, allow her to go home. It’s important to make sure she can get home safely if she is upset.
In this case, there is no need to notify the privacy breach to the Office of the Australian Information Commissioner under the privacy laws. Notification is only required if there is a risk of serious harm to an individual that cannot be remediated. In the case above, the son already knows about the privacy breach and steps have been taken to remediate the risk of harm.
Treating people you know
Your practice has an obligation under the Privacy Act 1988 to take all reasonable steps to protect the personal information you hold from misuse, interference and loss, and from unauthorised access, modification or disclosure (APP 11).
As this case demonstrates, it is preferable that practices do not treat staff, practice colleagues or their families, given the risks of privacy breaches and the other risks outlined in our article, Why you shouldn’t treat staff or family.
A staff member accessing another staff member’s medical record, or in this case their child’s record, whether on purpose or inadvertently, is a privacy breach and may also be a notifiable data breach.
The situation can become even worse if the staff member who accessed the medical record discusses it with other people. This can lead to difficulties in the workplace and the need to take disciplinary action.
Strategies to prevent privacy breaches
It may not be practicable for your practice to avoid treating staff and their families in rural locations where another doctor is some distance away. In these situations, having measures in place can minimise any risks:
- Train your staff and regularly update them about their privacy obligations.
- Appoint a senior staff member to be responsible for privacy compliance in your practice.
- Have a privacy policy outlining how information is collected, used and disclosed in your practice.
- Document processes for managing staff authorisation, authentication and access to records.
- Place referrals, scripts etc. into envelopes for collection by patients.
- Have a process for proactively detecting data breaches.
- Have a data breach response plan for when a privacy breach is discovered.
View our range of resources developed to help practices prevent data breaches and, if they do arise, how to respond.
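The case above turned on whether the practice could show, independently of the receptionist's own account, which records she had opened. Where the practice software does export an access log, the "proactively detecting data breaches" step can be a routine review of that log rather than waiting for a patient to complain. The script below is an added example written for this article; it is not Avant's code or a feature of any practice software. It assumes a CSV audit-log export with the columns shown, a register of relationships that staff have declared (the "set boundaries and expectations" conversation recorded somewhere the reviewer can query) and an appointment book; all three are constructed sample data. It flags two situations: a staff member opening the record of a declared family member, and a non-clinical user opening a record on a day the patient had no appointment, so there is no booking or billing reason to be in the file.

```python
import csv
from dataclasses import dataclass
from datetime import date, datetime
from io import StringIO
from typing import Dict, List, Set, Tuple

# Constructed audit-log export (CSV). Column names are assumptions;
# real practice-software exports use their own field names.
SAMPLE_LOG = """opened_at,user,role,patient_id,seconds_open
2018-05-02T15:10:00,drsmith,clinician,P-2042,600
2018-05-03T09:02:00,rec01,reception,P-1001,45
2018-05-03T09:15:00,rec01,reception,P-1003,20
2018-05-03T12:31:00,rec01,reception,P-2042,210
"""

# Assumed register of staff-declared relationships: login -> patient IDs
# the staff member has no work reason to open (here, rec01's son P-2042).
RELATED_PATIENTS: Dict[str, Set[str]] = {"rec01": {"P-2042"}}

# Assumed appointment book: (patient_id, day) -> clinicians booked that day.
APPOINTMENTS: Dict[Tuple[str, date], Set[str]] = {
    ("P-2042", date(2018, 5, 2)): {"drsmith"},
    ("P-1001", date(2018, 5, 3)): {"drsmith"},
    ("P-1003", date(2018, 5, 3)): {"drsmith"},
}


@dataclass(frozen=True)
class AccessEvent:
    opened_at: datetime
    user: str
    role: str
    patient_id: str
    seconds_open: int


def parse_log(text: str) -> List[AccessEvent]:
    """Parse the CSV export into AccessEvent records."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        events.append(AccessEvent(
            opened_at=datetime.fromisoformat(row["opened_at"]),
            user=row["user"],
            role=row["role"],
            patient_id=row["patient_id"],
            seconds_open=int(row["seconds_open"]),
        ))
    return events


def find_suspect_access(events: List[AccessEvent],
                        related: Dict[str, Set[str]],
                        appointments: Dict[Tuple[str, date], Set[str]]
                        ) -> List[Tuple[str, str, str, str]]:
    """Return (rule, user, patient_id, opened_at) for every flagged event.

    Rule 1: the user opened a record on their declared-relationship list.
    Rule 2: a non-clinical user opened a record on a day with no appointment
            for that patient, so there was no front-desk reason to open it.
    A single event can trigger both rules, as the son's record does here.
    """
    findings = []
    for e in events:
        stamp = e.opened_at.isoformat()
        if e.patient_id in related.get(e.user, set()):
            findings.append(("related-person-access", e.user, e.patient_id, stamp))
        if e.role != "clinician" and (e.patient_id, e.opened_at.date()) not in appointments:
            findings.append(("no-appointment-context", e.user, e.patient_id, stamp))
    return sorted(findings)


def access_summary(events: List[AccessEvent]) -> Dict[str, Dict[str, int]]:
    """Per-user count of distinct records opened and total seconds open,
    the figures a practice owner would table at the meeting."""
    raw: Dict[str, Dict] = {}
    for e in events:
        entry = raw.setdefault(e.user, {"records": set(), "seconds": 0})
        entry["records"].add(e.patient_id)
        entry["seconds"] += e.seconds_open
    return {u: {"records": len(v["records"]), "seconds": v["seconds"]}
            for u, v in raw.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for finding in find_suspect_access(evs, RELATED_PATIENTS, APPOINTMENTS):
        print(*finding)
    print(access_summary(evs))
```

Run weekly over the export, the findings list is the "independent evidence" the practice in the case study lacked: a timestamped record that a particular login opened a particular file, with the duration. The relationship register is the piece most practices will not already have; it only works if staff are asked, at induction and when circumstances change, which patients they are related to.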
Key take-outs
Ensuring the privacy and confidentiality of patients’ information is fundamental to the doctor-patient relationship. Treating staff, practice colleagues and their families heightens the risk of a privacy breach. The simplest answer is to not treat them, if you can avoid it.
If you do choose to treat staff, practice colleagues and their families:
- Discuss the issue with new staff and set boundaries and expectations.
- Ensure you have appropriate systems in place to guard against privacy breaches.
- Train your staff and regularly update them about their privacy obligations.
- Document processes for managing staff authorisation, authentication and access to records.
More information
If you require advice on your obligations relating to privacy, visit our website or, for immediate advice, call our Medico-legal Advisory Service (MLAS), 24/7 in emergencies, on 1800 128 268.
Read section 3.14 on personal relationships in the Medical Board of Australia’s Good medical practice: A code of conduct for doctors in Australia.