Practice Insight explores concerns reported to the College as part of the complaints and reports process that present learning opportunities for pharmacists and pharmacy technicians. This example reminds registrants of their duty to only access personal health information that they are entitled to as part of the patient’s circle of care.
Patient Records Were Inappropriately Accessed
A hospital reported that a pharmacy technician had inappropriately accessed the personal health information of patients who were not within that individual’s circle of care, including a high-profile individual in the community, family members, and the pharmacy technician’s own patient record.
Outcome of the Inquiries, Complaints and Reports Committee
A panel of the Inquiries, Complaints and Reports Committee noted that the pharmacy technician admitted to intentionally accessing the charts of patients not within their circle of care because they were curious about the patients’ health information. The panel pointed out that the registrant’s behaviour is inconsistent with the College’s Code of Ethics.
The panel remarked that registrants are obligated to safeguard confidential patient information and only access patient records when it is relevant and necessary to their role. The primary responsibility of healthcare professionals is to the safety of the patient, including demonstrating good judgment on protecting confidential information.
The panel issued the registrant an oral caution, with a focus on demonstrating professionalism, ensuring the confidentiality of patient information is maintained, and avoiding situations that may result in the breach of patient privacy. The registrant was also reminded that they must practice in accordance with ethical principles and was directed to complete a specified continuing education or remediation program focused on ethics.
Learnings for Registrants
There are a number of key learnings from this case that pharmacists and pharmacy technicians can consider in their own practice when handling personal health information.
- Know what the circle of care means for accessing and sharing information. The circle of care is a term commonly used to describe the ability of certain health information custodians, including pharmacy professionals, to assume an individual’s implied consent to collect, use or disclose personal health information for the purpose of providing health care, in circumstances defined in the Personal Health Information Protection Act, 2004 (PHIPA). Pharmacy professionals should understand what information they are entitled to access and share, including with other healthcare providers. Review the Circle of Care: Sharing Personal Health Information for Health-Care Purposes document from the Information and Privacy Commissioner of Ontario (IPC) for more details.
- Information should only be accessed for the purposes of care. Personal health information should only ever be accessed for the provision of healthcare or assisting in the provision of healthcare for the patient. The use of personal health information without consent and for purposes that are not required can be referred to as unauthorized access or “snooping”. The IPC specifies that “this can include the viewing of personal health information in electronic information systems and may be motivated by a number of factors including interpersonal conflicts, curiosity, personal gain or concern about the health and well-being of individuals.”
- Focus on the information you need to care for the patient. Patient records available through hospital networks, clinical viewers or other EMR systems may contain a significant amount of information about the patient’s medical status, medical history, personal details, and other private information. Pharmacy professionals should only access the information they need to provide safe and quality care for the patient.
- Even if you don’t share the information with anyone else, it is still a type of privacy breach. The IPC considers it an unauthorized access if a health information custodian accesses or views the personal health information of an individual without consent, for a purpose not permitted or required by PHIPA. Disclosure of the information accessed or viewed is not required for it to be considered a breach.
- Know your obligations under the Code of Ethics and legislation. The Code of Ethics requires that registrants respect the patient’s right to privacy and confidentiality and take every reasonable precaution to protect patient confidentiality by preventing unauthorized or accidental disclosure of confidential patient information. PHIPA and the IPC govern the use of personal health information in Ontario (see additional resources on the College’s website).
- Managers and owners have additional obligations. Designated Managers, pharmacy managers and pharmacy owners should be aware of their responsibilities to ensure that personnel are meeting the requirements of legislation, including that the appropriate policies and procedures required to use, protect, store and dispose of personal health information are in place and that staff receive training on their duties in this regard. The Standards of Operations also require that the personal health information of patients and those who receive pharmacy services is protected through the implementation of both administrative and technical safeguards.
Reporting Privacy Breaches to the IPC and the College
PHIPA requires health information custodians to notify the IPC at the first reasonable opportunity about certain privacy breaches. These breaches include use or disclosure of personal health information without authority (or further use or disclosure after a breach), stolen information, a pattern of similar breaches, and significant breaches. More information is available from the IPC.
Under PHIPA, employers are required to report to both the College and the IPC if:
- They terminate, suspend, or discipline a pharmacy professional because of a privacy breach; and/or
- The pharmacy professional resigns and the employer believes that the resignation is related to an investigation or other action carried out as a result of the alleged breach.