“Close-Up on Complaints” explores incidents reported to the College that have occurred in the provision of patient care and which present learning opportunities. Ideally, pharmacists and pharmacy technicians will be able to identify areas of potential concern within their own practice, and plan and implement measures to help avoid similar incidents from occurring in the future.
Protecting Patient Privacy
Summary of the Incident
This incident occurred when a patient at a pharmacy noticed that there were documents and medication vials around the pharmacy’s dumpster and parking lot. The patient informed the Designated Manager (DM) of the fact that patient information was visible.
The DM accompanied the patient outside to examine the dumpster. He indicated to the patient that he did not own the dumpster and therefore could not do anything about the contents on the ground and stated that the documents were records from the surrounding medical clinics and not his pharmacy.
The patient reported that, other than picking up a few of the documents, the DM did not take any other action that the patient was witness to.
When the patient drove by the pharmacy a few days later, the documents and other items were still there.
Why Did This Happen?
This incident illustrates a lack of appropriate care with private patient information.
In his interactions with the patient and during the course of the investigation, the DM took little responsibility for a potential patient information privacy breach. He denied that the documents were from the pharmacy, placing blame on the building management for not managing the dumpster and not taking care of picking up documents or other items that were on the ground.
The College’s Inquiries, Complaints & Reports Committee oversees investigations of each complaint the College receives. A committee panel considers a pharmacy professional’s conduct, competence and capacity by assessing the facts of each case, reviewing submissions from both the complainant and the professional, and evaluating the available records and documents related to the case.
In this case, the panel emphasized that photos provided by the patient definitively show that pharmacy documents with identifiable patient information were in the dumpster area. They noted that the DM did not take immediate action when notified of the issue. He continually placed the blame on others for the situation and did not acknowledge that the documents there were related in any way to the pharmacy.
The panel noted that healthcare professionals must take certain actions with respect to privacy breaches. The DM provided no indication that he addressed the privacy breach, particularly notifying any affected patients.
Due to the seriousness of this issue, and the panel’s impression that the DM may not understand the importance of protecting patient information and his related obligations as a regulated healthcare professional, the committee issued an oral caution and directed him to engage in additional learning on his obligations under the Personal Health Information Protection Act (PHIPA).
Appropriate Care with Patient Information: Learnings for Pharmacy Professionals
Pharmacies are considered health information custodians under PHIPA. As custodians, pharmacies must collect, use and disclose personal health information in accordance with the rules established under PHIPA and implement appropriate physical, administrative and technical safeguards to protect personal health information.
In the event of a privacy breach, the responsible health information custodian must notify the individual(s) affected at the first reasonable opportunity. When the custodian notifies a patient of a privacy breach, they must also inform the patient that they can make a complaint about the breach to the Information and Privacy Commissioner of Ontario.
The Standards of Practice require that pharmacists protect patients’ privacy when collecting and using relevant information. Pharmacists must also ensure that the confidentiality of patient information is maintained at all times. This means that from collection of the information to its storage, its use, and its destruction, the information must not be disclosed without an authorized purpose.
Under the Drugs and Pharmacies Regulation Act (DPRA), every pharmacy must have procedures in place to protect the confidentiality of all personal information maintained by the pharmacy and to protect the privacy of persons who receive pharmacy services there.
The pharmacy is responsible for the safety and security of patient records even if the storage or disposal of those records is contracted out to a service provider. It does not matter whether the dumpster in this case really belonged to the pharmacy or not – what was important is that the patient information was in the care and control of the pharmacy. If the established system for disposing of records is not adequate, then that is the pharmacy’s responsibility to manage.
Designated Managers should provide the appropriate supports to ensure that policies and procedures are followed, including confidentiality agreements for staff, agents and any external contractors hired to dispose of patient records. Staff should be appropriately trained on how to prevent unauthorized or accidental disclosures of patient information and how to respond to any incidents that may occur.
The Code of Ethics requires pharmacy professionals to assume responsibility for all decisions and actions they undertake in their practice, including a failure to make a decision. In this case, the DM did not take action when presented with a clear issue in his pharmacy’s practice and processes. When presented with issues in practice by a patient, pharmacy professionals should listen to their concerns, evaluate them and respond to them appropriately, with the goal of maintaining patient trust and upholding their obligations as healthcare professionals.
When patients provide confidential personal health information to their pharmacy, they are doing so with the understanding that their information will be protected and used appropriately. A careless disregard for patient privacy through the improper disposal of records is not acceptable practice. Pharmacy professionals and Designated Managers should regularly review their processes for complying with legislation related to patient health information. Patient concerns raised in this regard should be dealt with appropriately and quickly, keeping in mind their rights under PHIPA.