In 2018, 18% of all calls to our Medico-legal Advisory Service (MLAS) were about confidentiality and clinical records.
Privacy breaches are a risk in any practice, so knowing how to prevent them, and how to deal with them effectively if they do arise, is important.
In one case, a receptionist worked at a rural practice where her teenage son was a patient. He had recently consulted a GP at the practice and told his mother the consultation was about a UTI.
The next day, while working at the practice, the receptionist accessed her son’s medical record and discovered the consultation was about an STD. That night, she told her son how disappointed she was about the diagnosis. The son expressed his anger at his mother for breaching his privacy.
While he didn’t make a formal complaint to the practice, he informed his GP about the privacy breach at his next consultation.
The GP informed the practice owner of the breach, who called Avant’s Medico-legal Advisory Service for advice on how to deal with the situation. The GP had not yet spoken to the receptionist, who had worked at the practice for many years and been an exemplary employee. The practice owner did not wish to dismiss her, but was keen to send a clear message to practice staff about the importance of patient privacy.
The receptionist's employment contract contained conditions regarding privacy and confidentiality. If she was proven to have accessed her son's record, her conduct would be a breach of her contract as well as a breach of privacy legislation.
When concerns are raised about a staff member’s breach of patient privacy or confidentiality, it is important for the practice to deal with the concerns quickly. Concerns can be managed as either a performance issue or as a misconduct issue.
A concern is generally dealt with as a performance issue when there are minor breaches of practice policy, such as failing to shred documents after scanning them or not checking patient contact details correctly at the reception desk. Many performance issues can be resolved through communication and guidance about the practice's policies and processes. Ongoing performance issues may result in disciplinary action.
A concern should be dealt with as a potential misconduct issue when there is a specific breach of practice policies and procedures, for example, discussing confidential patient information outside the practice. In such cases, the practice should investigate the concern and take appropriate disciplinary and other action.
In the situation above, Avant’s medico-legal expert advised that the practice should treat the breach as a misconduct issue rather than a performance issue.
The practice owner was advised to conduct an initial investigation of the complaint (in this case, by reviewing the receptionist's access to patient medical records) before raising the issue with the receptionist. Some practice software keeps an audit trail that allows a practice to identify which records a staff member has accessed, when, and for how long. In this case, however, the practice software did not record this, so the practice had no independent evidence that the receptionist had accessed her son's medical record. An access audit trail is the only independent evidence a practice will have when a breach is alleged, which is a strong reason to choose software that keeps one and to check that it is switched on.
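The review the practice owner was advised to carry out, as an added example that is not code from the Avant article or from any practice software: it reads a constructed record-access audit log (the line format, user names, patient IDs and appointment register are all hypothetical), reconstructs when and for how long a given staff member opened a given record, and flags accesses that have no same-day appointment to justify them or that touch a record the staff member has declared as a relative's.

```python
"""Review a record-access audit trail for unexplained staff access.

Added example only: the log format, field names, user and patient identifiers,
appointment register and declared-relative register are constructed for
illustration and do not correspond to any real practice software.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed audit log: timestamp, staff user, patient record, action and
# how many seconds the record stayed open. Hypothetical format.
AUDIT_LOG = """\
2018-03-12T09:02:14 user=recep01 patient=P1001 action=open duration=45
2018-03-12T09:05:30 user=recep01 patient=P1002 action=open duration=30
2018-03-12T11:47:02 user=recep01 patient=P2040 action=open duration=310
2018-03-12T14:10:00 user=drsmith patient=P2040 action=open duration=900
2018-03-13T08:31:19 user=recep01 patient=P1003 action=open duration=20
"""

# Constructed appointment book: (date, patient) pairs with a booking that day.
# P2040 (the son) was seen the previous day, so there is no booking on 03-12.
APPOINTMENTS = {
    ("2018-03-12", "P1001"),
    ("2018-03-12", "P1002"),
    ("2018-03-13", "P1003"),
    ("2018-03-11", "P2040"),
}

# Hypothetical register of declared relationships: staff user -> patient IDs
# of family members, so that any access to those records is flagged.
DECLARED_RELATIVES = {"recep01": {"P2040"}}

# Clinical users routinely open records without a same-day appointment
# (results, recalls, follow-up), so that check does not apply to them.
CLINICAL_USERS = {"drsmith"}


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str
    patient: str
    action: str
    duration: int  # seconds the record was open


def parse_log(text: str) -> list[Access]:
    """Parse the constructed key=value audit format into Access records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        entries.append(Access(datetime.fromisoformat(ts_str), kv["user"],
                              kv["patient"], kv["action"], int(kv["duration"])))
    return entries


def access_history(entries: list[Access], user: str, patient: str) -> list[tuple[str, int]]:
    """When, and for how long, `user` opened `patient`'s record."""
    return [(e.ts.isoformat(), e.duration)
            for e in entries if e.user == user and e.patient == patient]


def flag_accesses(entries, appointments, relatives, clinical_users):
    """Return (access, reasons) for every access that needs an explanation."""
    findings = []
    for e in entries:
        reasons = []
        if e.patient in relatives.get(e.user, set()):
            reasons.append("declared relative")
        day = e.ts.date().isoformat()
        if e.user not in clinical_users and (day, e.patient) not in appointments:
            reasons.append("no appointment that day")
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    log = parse_log(AUDIT_LOG)
    print("recep01 -> P2040:", access_history(log, "recep01", "P2040"))
    for access, reasons in flag_accesses(log, APPOINTMENTS, DECLARED_RELATIVES, CLINICAL_USERS):
        print(access.ts, access.user, access.patient, access.duration, "s:", ", ".join(reasons))
```

Run against the constructed log, only the receptionist's five-minute look at her son's record on the day after his consultation is flagged; the doctor's access to the same record is not, because clinical users are exempt from the appointment check and the record is not on their declared-relative list. The history function gives the practice owner the "when and for how long" evidence the article says the real software could not provide.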
Avant recommended the practice take the following steps:
In this case, there is no need to notify the privacy breach to the Office of the Australian Information Commissioner under the privacy laws. Notification is only required where the breach is likely to result in serious harm to an individual and that likelihood cannot be removed by remedial action. In the case above, the son already knows about the privacy breach and steps have been taken to remediate the risk of harm.
Your practice has an obligation under the Privacy Act 1988 to take such steps as are reasonable in the circumstances to protect the personal information you hold from misuse, interference and loss, and from unauthorised access, modification or disclosure (APP 11).
As this case demonstrates, it is preferable that practices do not treat staff, practice colleagues or their families, given the risk of privacy breaches and the other risks outlined in our article, Why you shouldn't treat staff or family.
A staff member accessing another staff member's medical record, or, as in this case, their child's record, whether on purpose or inadvertently, is a privacy breach and may also be a notifiable data breach.
The situation can become even worse if the staff member who accessed the medical record discusses it with other people. This can lead to difficulties in the workplace and the need to take disciplinary action.
It may not be practicable for your practice to avoid treating staff and their families in rural locations where another doctor is some distance away. In these situations, having measures in place can minimise any risks:
View our range of resources developed to help practices prevent data breaches and if they do arise, how to respond.
Ensuring the privacy and confidentiality of patients’ information is fundamental to the doctor-patient relationship. Treating staff, practice colleagues and their families heightens the risk of a privacy breach. The simplest answer is to not treat them, if you can avoid it.
If you do choose to treat staff, practice colleagues and their families:
Sonya Black, LLB (Hons), B.Com, Special Counsel – Employment Law, Avant Law, QLD