Unauthorized access to personal information leads to serious consequences
December 8, 2021
Lessons learned: health information must only be accessed for authorized purposes.
A Hearing Tribunal recently issued its written decision on the merit and orders about the conduct of a pharmacist who was found to have accessed a person’s health information without any authorized purpose. The single, unauthorized access of the person’s electronic health records occurred subsequent to a motor vehicle accident between the pharmacist and the person, who was not his patient. The Hearing Tribunal found that the pharmacist misused his authority as a health information custodian and pharmacist. Although there was no information to suggest the pharmacist disclosed the health information of the patient beyond his discussions with the patient, the Hearing Tribunal found that the pharmacist’s conduct was unprofessional and warranted sanctions.
The requirement for registrants to properly collect, use, disclose, and safeguard their patients’ health information is foundational to the relationship between pharmacy professionals and patients. When health information is accessed and used for an unauthorized purpose, this relationship is eroded, as is the integrity of the profession.
In this matter, the Tribunal imposed significant penalties, even though there had been no previous history of unprofessional conduct on the part of the pharmacist, there was no external disclosure of patient health information, the pharmacist admitted to his unprofessional conduct, and the pharmacist suffered consequences from a parallel complaint matter that was investigated by the Office of the Information and Privacy Commissioner (OIPC). The Hearing Tribunal ordered the following:
- a reprimand;
- the successful completion of an ethics course, at the pharmacist’s own cost, within one year;
- a three-month suspension, with the first month to be served January 1-30, 2022, and the remaining two months to be held in abeyance, pending there being no further privacy concerns for a period of two years;
- an order that the pharmacist must disclose the Hearing Tribunal’s written decision to any pharmacy employer or licensee for a period of two years; and
- a payment of $8,000 towards the costs of the investigation and hearing.
In addition, the pharmacist had been previously investigated by the OIPC, found guilty of breaching the Health Information Act (HIA) by the Court, and ordered to pay a fine and victim surcharge, totalling $6,000.
Rationale for the Tribunal’s decision, is reflected in its following statements:
- [The pharmacist’s] actions are inappropriate and contrary to the fundamental principle that pharmacists must only access and use health information for an authorized purpose. His accessing and using confidential information for a personal reason is not acceptable by any health professional for any reason.
- The HIA clearly prohibits health care providers from accessing personal information for personal reasons. There is no exception permitting access merely because the health care provider has concerns about the person.
- The public has a right to expect that their health information will only be accessed for authorized purposes.
Pharmacists and pharmacy technicians – review your ethical duties to your patients, your profession, and yourself:
- Review, understand, and comply with all aspects of the collection, use, disclosure, and safeguarding responsibilities of health information. Excellent information about these responsibilities can be found on the ACP website in the Resource section. The publication Helping pharmacists and pharmacy technicians understand the Health Information Act may be particularly informative.
- Visit the Alberta Office of the Information and Privacy Commissioner website. In addition to health information resources, this website also provides summaries of recent OIPC investigations and decisions involving health information.
- Discuss the proper use of health information with your peers.
- Understand that Albertans are empowered to access their Netcare disclosure logs, identify those custodians who access their health information, and question unfamiliar accesses.
- Review, and update as needed, your pharmacy’s health information policies and procedures.
- Review and discuss with peers your fundamental ethical obligations. Principles 1, 4, and 10 of the Code of Ethics will provide you with valuable guidance in this respect.
- Review, and discuss with your colleagues, ACP’s tenets of professionalism.