Receptionist’s patient privacy breach a ‘red flag’

12 February 2019 | Sonya Black, LLB (Hons), B.Com, Special Counsel – Employment Law, Avant Law, QLD

In 2018, 18% of all calls to our Medico-legal Advisory Service (MLAS) were about confidentiality and clinical records.

Privacy breaches are a risk in any practice, so it is important to know how to prevent them and how to deal with them effectively if they do arise.

In one case, a receptionist worked at a rural practice where her teenage son was a patient. He had recently consulted a GP at the practice and told his mother the consultation was about a UTI. 

The next day, while working at the practice, the receptionist accessed her son’s medical record and discovered the consultation was about an STD. That night, she told her son how disappointed she was about the diagnosis. The son expressed his anger at his mother for breaching his privacy.

While he didn’t make a formal complaint to the practice, he informed his GP about the privacy breach at his next consultation.    

The GP informed the practice owner of the breach, who called Avant’s Medico-legal Advisory Service for advice on how to deal with the situation. The GP had not yet spoken to the receptionist, who had worked at the practice for many years and been an exemplary employee. The practice owner did not wish to dismiss her, but was keen to send a clear message to practice staff about the importance of patient privacy.

The receptionist’s employment contract contained conditions regarding privacy and confidentiality. If she is proven to have accessed her son’s records, her conduct was a breach of her contract as well as a breach of privacy legislation.

Managing the situation: recommended steps  

When concerns are raised about a staff member’s breach of patient privacy or confidentiality, it is important for the practice to deal with the concerns quickly. Concerns can be managed either as a performance issue or as a misconduct issue.

A concern is generally dealt with as a performance issue when there are minor breaches of practice policy such as failing to shred documents after scanning them, or incorrectly checking patient contact details at the reception desk. Many performance issues can be resolved through communication and guidance about the practice’s policies and processes. Ongoing performance issues may result in disciplinary action.

A concern should be dealt with as a potential misconduct issue when there is a specific breach of practice policies and procedures, for example, discussing confidential patient information outside the practice. In such cases, the practice should investigate the concern and take appropriate disciplinary and other action.

In the situation above, Avant’s medico-legal expert advised that the practice should treat the breach as a misconduct issue rather than a performance issue.

The practice owner was advised to conduct an initial investigation of the complaint (in this case, by reviewing the receptionist’s access to patient medical records) before raising the issue with the receptionist. Some practice software allows a practice to identify which records a staff member has accessed, when, and for how long. However, in this case, the practice software did not allow the practice to do this. This meant the practice had no independent evidence that the receptionist had accessed her son’s medical record.

Avant recommended the practice take the following steps:

1. Advise the receptionist you would like to meet with her to discuss a privacy breach at the practice. You should suggest she brings a support person to the meeting.

2. Meet with the receptionist and ensure a note-taker is present at the meeting. Start the meeting by explaining the role of the support person (i.e. they are there to support the receptionist but not to represent her or speak on her behalf).

3. Inform the receptionist her son advised his GP that she had accessed his medical record and discussed the results of the consultation with him. Tell her that, if proven, this conduct would constitute a breach of her contract and confidentiality agreement and could result in disciplinary action. Give her an opportunity to respond to the complaint.

4. If the receptionist confirms she did access the record, ask her whether she has any excuse or explanation for doing so. Tell her you will consider the next steps and advise her in due course. If you are not satisfied with her explanation, you can take disciplinary action which might be dismissal or a first and final written warning depending on all the circumstances.

5. If the receptionist says she did not access the record, you will need to determine whether you think she is telling the truth (for example, by asking her how she became aware of her son’s diagnosis). She may deny having the discussion with her son and allege her son is just trying to get her into trouble with her employer. If you are not satisfied with her explanation, you can still take disciplinary action, but it might be difficult to justify dismissal.

6. It is important to conduct the meeting appropriately to minimise the risk of the receptionist making a stress claim.

7. Ensure the receptionist is safe to return to work after the meeting or, alternatively, allow her to go home. It’s important to make sure she can get home safely if she is upset.

In this case, there is no need to notify the Office of the Australian Information Commissioner of the privacy breach under the privacy laws. Notification is only required if there is a risk of serious harm to an individual that cannot be remediated. In the case above, the son already knows about the privacy breach and steps have been taken to remediate the risk of harm.

Treating people you know  

Your practice has an obligation under the Privacy Act 1988 to take all reasonable steps to protect the personal information you hold from misuse, interference and loss, and from unauthorised access, modification or disclosure (APP 11).

As this case demonstrates, it is preferable that practices do not treat staff, practice colleagues or their families, given the risks of privacy breaches and the other risks outlined in our article, Why you shouldn’t treat staff or family.

A staff member accessing another staff member’s medical record, or in this case, their child’s record, whether on purpose or inadvertently, is a privacy breach and may also be a notifiable data breach.

The situation can become even worse if the staff member who accessed the medical record discusses it with other people. This can lead to difficulties in the workplace and the need to take disciplinary action.

Strategies to prevent privacy breaches 

It may not be practicable for your practice to avoid treating staff and their families in rural locations where another doctor is some distance away. In these situations, having measures in place can minimise the risks:

  • Train your staff and regularly update them about their privacy obligations.
  • Appoint a senior staff member to be responsible for privacy compliance in your practice.
  • Have a privacy policy outlining how information is collected, used and disclosed in your practice.
  • Document processes for managing staff authorisation, authentication and access to records.
  • Place referrals, scripts and similar documents into envelopes for collection by patients.
  • Have a process for proactively detecting data breaches.
  • Have a data breach response plan if a privacy breach is discovered.
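The access review described earlier (identifying which records a staff member opened, when and for how long) and the bullets on documenting access and proactively detecting breaches can be combined into a routine audit-log check. The following is an added illustration, not code from Avant or from any practice software; it assumes a constructed CSV export format and a made-up register of declared staff–patient relationships.

```python
"""Audit-log review for staff access to related patients' records.

Added illustration, not Avant's or any practice software's code. It assumes a
practice system that exports one access-log line per record view in the
constructed CSV format below; the field names and sample lines are made up.
"""
import csv
from io import StringIO

# Constructed sample export: who opened which patient record, for how long, and
# whether the viewing user had a clinical reason (appointment/task) linked to
# that patient on the day.
ACCESS_LOG = """\
timestamp,user,role,patient_id,seconds_open,linked_appointment
2019-02-11T09:02:11,jsmith,reception,P1001,12,yes
2019-02-11T09:05:40,jsmith,reception,P2045,95,no
2019-02-11T10:15:03,drlee,gp,P2045,600,yes
2019-02-11T11:30:22,mjones,reception,P3000,120,no
2019-02-11T11:35:10,mjones,reception,P3001,5,no
"""

# Constructed register of relationships staff have declared between themselves
# and patients of the practice (the article's receptionist/son situation).
STAFF_RELATIONSHIPS = {("jsmith", "P2045"): "child"}


def flag_suspicious_access(log_text, relationships, max_reception_seconds=30):
    """Return audit findings as (user, patient_id, reason) tuples.

    Two rules drawn from the scenario in the article:
    1. any access by a staff member to the record of a declared relative;
    2. reception staff dwelling in a record with no linked appointment, which
       suggests reading clinical content rather than checking contact details.
    Quick lookups under the dwell threshold are treated as normal reception work.
    """
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        key = (row["user"], row["patient_id"])
        if key in relationships:
            findings.append((*key, f"access to {relationships[key]}'s record"))
        elif (row["role"] == "reception"
              and row["linked_appointment"] == "no"
              and int(row["seconds_open"]) > max_reception_seconds):
            findings.append((*key, "prolonged access without linked appointment"))
    return findings


if __name__ == "__main__":
    for finding in flag_suspicious_access(ACCESS_LOG, STAFF_RELATIONSHIPS):
        print(finding)
```

Findings like these are a starting point for the investigation step above, not proof of misconduct; the staff member is still given the opportunity to respond.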

View our range of resources developed to help practices prevent data breaches and respond to them if they do arise.

Key take-outs 

Ensuring the privacy and confidentiality of patients’ information is fundamental to the doctor-patient relationship. Treating staff, practice colleagues and their families heightens the risk of a privacy breach. The simplest answer is to not treat them, if you can avoid it.

If you do choose to treat staff, practice colleagues and their families:

  • Discuss the issue with new staff and set boundaries and expectations.
  • Ensure you have appropriate systems in place to guard against privacy breaches.
  • Train your staff and regularly update them about their privacy obligations.
  • Document processes for managing staff authorisation, authentication and access to records.

More information 

If you require advice on your obligations relating to privacy, visit our website or for immediate advice, call our Medico-legal Advisory Service (MLAS), 24/7 in emergencies on 1800 128 268.

Read section 3.14 on personal relationships in the Medical Board of Australia’s Good medical practice: A code of conduct for doctors in Australia.
