The requirement for registrants to properly collect, use, disclose, and safeguard patients’ health information is foundational to the relationship between pharmacy professionals and patients. Albertans need to know that their personal health information is secure and will remain confidential with pharmacy professionals. ACP complaints director, James Krempien, reminds pharmacy professionals that every Albertan can request their Netcare access audit log to see who has accessed their provincial electronic health records, and from which location.
“Albertans are empowered to access their Netcare access disclosure logs,” said James. “They can identify those custodians who access their health information and can question unfamiliar accesses.”
What can happen when someone identifies unauthorized access of patient records? James pointed to recent relevant decisions from ACP’s Hearing Tribunal, where penalties range from fines to practice permit suspensions.
In one recent decision from ACP’s Hearing Tribunal, a pharmacist faced a three-month suspension and costs of $10,000 for accessing a previous patient’s electronic health records in Netcare without an authorized purpose.
In the Tribunal’s decision, they shared their rationale for the penalties.
“It is a fundamental expectation that pharmacists will only access the information when authorized to do so and only use it for a proper purpose … Given that health information is increasingly digital and ‘easy’ to access for health professionals, a patient’s right to privacy and confidentiality must be protected. The public has a right to expect that their health information will only be accessed for authorized purposes.”
James referred pharmacy professionals to Section 27 of the Health Information Act, which outlines all purposes for which a custodian may use individually identifying health information in its custody or under its control.
“Something I’ve heard often is ‘I already have the patient’s consent,’” said James. “But that consent does not authorize a pharmacy professional to look at a patient’s health information without an authorized purpose.”
James spoke about scenarios where health professionals inadvertently view the wrong patient’s electronic record, which would result in the access being recorded on the patient’s Netcare access log. Even these types of accesses may need to be addressed if the patient becomes aware and has concern.
“Even if you’ve inadvertently breached someone’s privacy, you have an obligation to take steps to limit the breach and implement measures to prevent a similar breach,” said James. “You may also have a duty to report.”
Keeping patient health information secure goes beyond authorized access. James reminded all pharmacy teams to review and update their health information policies and procedures as needed, and to be proactive.
“Don’t wait until someone complains or someone’s privacy has been breached,” said James. “I know pharmacies are always busy, but set aside some time on an annual basis to review one section of your pharmacy’s operation from a patient confidentiality perspective. It could be as simple as standing in line where patients wait and making sure you can’t see patient information or overhear a pharmacist counselling another patient. From there, take steps to improve privacy as needed.”
When patient health information and privacy is not protected, the professional relationship between the pharmacy team and the patient is eroded, as is the integrity of the profession. James pointed to the Helping pharmacists and pharmacy technicians understand the Health Information Act guidelines as a practical, scenario-based tool to understand requirements as outlined in the Health Information Act, the Code of Ethics, and other relevant legislation.
Patients need to be able to trust that their pharmacy respects their privacy and keeps their information secure. Always remember to collect, use, and disclose the least amount of information necessary and preserve the highest degree of patient anonymity possible to carry out the intended purpose.