Protecting the privacy and confidentiality of patients
May 4, 2022
Lessons Learned: health information must only be accessed for authorized purposes.
A recent Hearing Tribunal issued its written decision on the merit and orders regarding the conduct of a pharmacist who was found to have accessed a previous patient’s health information without an authorized purpose. The patient’s provincial electronic health records were accessed via Netcare without authorization on four separate occasions. These incidents occurred after the patient terminated the patient-pharmacist relationship. The Hearing Tribunal found that the pharmacist misused his authority as a health information custodian and pharmacist. Although there was no information to suggest the pharmacist disclosed the health information of his former patient, the Hearing Tribunal found that the pharmacist’s conduct was unprofessional and warranted sanctions.
The requirement for registrants to properly collect, use, disclose, and safeguard their patients’ health information is foundational to the relationship between pharmacy professionals and patients. When health information is accessed and used for an unauthorized purpose, this relationship is eroded, as is the integrity of the profession.
There had been no previous history of unprofessional conduct on the part of the pharmacist, there was no disclosure of patient health information, and the pharmacist admitted to his unprofessional conduct. Regardless, the Hearing Tribunal imposed significant penalties as follows:
- a reprimand;
- the pharmacist to successfully complete an ethics course, at his own cost, within one year;
- a three-month suspension, with the first month to be served and the remaining two months to be held in abeyance, pending there being no further privacy concerns for a period of two years (note that the suspension was served from March 11, 2022, to April 10, 2022);
- an order that the pharmacist must disclose the Hearing Tribunal’s written decision to any pharmacy employer or licensee for a period of two years; and
- a payment of $10,000 towards the costs of the investigation and hearing.
Rationale for the Tribunal’s decision is reflected in its following statements:
Regulated members are granted the privilege of accessing Netcare, which contains a significant amount of personal health information, for specific and authorized purposes related to the provision of medical services. It is a fundamental expectation that pharmacists will only access the information when authorized to do so and only use it for a proper purpose.
The breaches are a significant violation of privacy and are not merely technical in nature. While there was no evidence that [the pharmacist] disclosed the information, that does not excuse his unlawful access of the information. [The pharmacist] did not abide by his obligations as a pharmacist and licensee and such individuals cannot be seen to be allowed to access health information without a purpose. Given that health information is increasingly digital and “easy” to access for health professionals, a patient’s right to privacy and confidentiality must be protected. The public has a right to expect that their health information will only be accessed for authorized purposes.
Pharmacists and pharmacy technicians – review your ethical duties to your patients, your profession, and yourself
- Review, understand, and comply with all aspects of the collection, use, disclosure, and safeguarding responsibilities of health information. Information about these responsibilities can be found on the ACP website. The publication Helping pharmacists and pharmacy technicians understand the Health Information Act may be particularly informative.
- Visit the Alberta Office of the Information and Privacy Commissioner website. In addition to health information resources, this website also provides summaries of recent OIPC investigations and decisions involving health information.
- Discuss the proper use of health information with your peers.
- Understand that Albertans are empowered to access their Netcare disclosure logs. They can identify those custodians that access their health information and can question unfamiliar accesses.
- Review and update your pharmacy’s health information policies and procedures as needed.
- Review and discuss with peers your fundamental ethical obligations. Principles 1, 4, and 10 of the Code of Ethics will provide you with valuable guidance in this respect.
- Review ACP’s tenets of professionalism and discuss with your peers.