Health Privacy Update: New class action certified in Ontario after privacy breach at a hospital
Just when you thought it was safe … a new class action was recently certified after a health privacy breach at a hospital in Ontario. Here’s what every health Privacy Officer needs to know.
Stewart v. Demme and William Osler Health System (2020)
“The central question … is whether a privacy violation can be ‘highly offensive’ and actionable even if it is fleeting and causes no harm.”
That is the court’s opening statement in its decision.
The answer is: probably yes. At the very least, the court is willing to hear the case and find out.
Background
A nurse stole more than 20,000 Percocet pills (opioids) over a nine-year period while working at a hospital. To do so, she had to look at the medical records of more than 11,000 patients to obtain the names of active patients, which she could then enter into the medication system to open the medication drawers.
It is alleged that her viewing of the paper and electronic health information systems was fleeting. It took her fewer than 60 seconds to look in a record and obtain the name of an active patient.
Some affected individuals were patients on the floor where she worked in the hospital. Others were not. It is alleged she was not viewing the records to provide clinical services; she did so to steal medication. There was no evidence that she read through the health records out of general curiosity or to learn about any particular individual. It is alleged she did so only to obtain enough information to gain access to the controlled substances and override the security precautions of the hospital’s controlled medication systems.
When her activity was discovered, the nurse was fired from her job at the hospital, criminally convicted of theft, and lost her licence to practise nursing.
The Law
Is it a privacy breach if someone views a record quickly?
If it is a privacy breach, should there be compensation to affected individuals?
The court is willing to find out the answers to these questions.
In this recent case, the hospital and nurse did not persuade the court to dismiss the action against them for “intrusion upon seclusion”. This case will go forward on its merits as a class action. We will have to wait and see the outcome.
The tort of intrusion upon seclusion first came to Ontario in the case of Jones v. Tsige in 2012. We now have a three-part test to establish this cause of action:
- the defendant’s conduct must be intentional (including recklessness)
- the defendant had to have invaded the plaintiff’s private affairs or concerns without lawful justification
- the intrusion would be highly offensive to a reasonable person (causing distress, humiliation or anguish).
Affected individuals can now go to court to be compensated for this type of breach of privacy.
In Stewart v. Demme, the court said that the first two components of intrusion upon seclusion are not disputed: (1) the nurse’s actions were intentional; and (2) the information she looked at in the patients’ health records was private and she did not have authority to view those records as part of her job. The issue to be decided is whether the third part of the test can be established – whether the intrusion would be highly offensive to a reasonable person.
The hospital and the nurse argued that a fleeting look at health records is not “highly offensive” and should not entitle the affected patients to be paid. They argued the patients were not harmed and the privacy breach was minimal.
The court did not agree and permitted the class action to proceed.
Messages for Privacy Officers
I get asked from time to time by health Privacy Officers whether viewing a health record for mere seconds counts as a privacy breach. The issue usually arises in snooping cases where the audit log of an electronic system shows that a staff member viewed a patient’s health record (or many health records) for only seconds.
Count to yourself – 1 one thousand – 2 one thousand – 3 one thousand – 4 one thousand – 5 one thousand – 6 one thousand – 7 one thousand – 8 one thousand – 9 one thousand – 10 one thousand.
If you know what you are doing in an electronic system, how much can you read and learn in 10 seconds?
A lot.
You can learn someone’s diagnosis.
You can read that someone has been referred for a particular procedure or consultation.
With a few more seconds, you can read a whole note of their counseling session.
Stewart v. Demme teaches health Privacy Officers to double down on privacy training and on auditing electronic information systems for unauthorized use and disclosure. You must teach your staff that they should not view any patient records unless they need to do so for their authorized role. If they need information to provide care, they must look at records. If it is part of their job to engage in quality improvement activities, they must look at records. But they must never view health records out of curiosity or for personal benefit, let alone as part of a criminal act.
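The auditing point above is easier to act on with a concrete rule set. The script below is an added illustration for this post, not code from the hospital, the court record or any real EHR product. It assumes an access-audit log with a timestamp, the user, the user's home unit, the patient, the patient's unit, the action and the number of seconds the record was open (all constructed field names and sample lines), and it flags two patterns that match the facts described in the case: views of patients outside the user's own unit, and a burst of many distinct patients each viewed for under 60 seconds. Brevity is deliberately not used to discard events, because the fleeting nature of the views was the defence's argument, not a reason to ignore them. Unit mismatch is only a proxy for "no care relationship" and is a review item, not proof of snooping; the thresholds are assumptions to be tuned locally.

```python
"""Flag suspicious EHR record views in an access-audit log.

Added illustration for this post, not code from the hospital, the court
record or any real EHR product. The log format, field names and the
thresholds are assumptions; the log lines below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: timestamp, user, user's home unit,
# patient id, patient's unit, action, seconds the record was open.
SAMPLE_LOG = """\
2019-03-04T02:01:10,n_demo,4EAST,P1001,4EAST,VIEW_CHART,12
2019-03-04T02:01:40,n_demo,4EAST,P1002,4EAST,VIEW_CHART,9
2019-03-04T02:02:05,n_demo,4EAST,P2201,6WEST,VIEW_CHART,7
2019-03-04T02:02:30,n_demo,4EAST,P2202,6WEST,VIEW_CHART,11
2019-03-04T02:03:00,n_demo,4EAST,P2203,ICU,VIEW_CHART,8
2019-03-04T02:03:25,n_demo,4EAST,P1003,4EAST,VIEW_CHART,6
2019-03-04T07:15:00,n_care,4EAST,P1001,4EAST,VIEW_CHART,240
2019-03-04T07:22:00,n_care,4EAST,P1002,4EAST,VIEW_CHART,310
2019-03-04T12:40:00,d_cons,6WEST,P1003,4EAST,VIEW_CHART,180
"""

SHORT_VIEW_SEC = 60          # the kind of "fleeting" look at issue in the case
WINDOW = timedelta(minutes=10)
MAX_DISTINCT = 4             # distinct patients briefly viewed within WINDOW (assumed threshold)


def parse_log(text):
    """Parse the constructed CSV lines into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, unit, pid, punit, action, secs = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts), "user": user, "unit": unit,
            "patient": pid, "patient_unit": punit, "action": action,
            "secs": int(secs),
        })
    return sorted(events, key=lambda e: e["ts"])


def off_unit_views(events):
    """Views of patients outside the user's own unit.

    Off-unit access is a signal, not proof: consults are legitimate, so
    hits are review items. Assumes unit membership is the only
    care-relationship data available in the log."""
    return [e for e in events if e["unit"] != e["patient_unit"]]


def rapid_brief_views(events):
    """Users who open many distinct patients' records for under
    SHORT_VIEW_SEC each inside one WINDOW.

    Short duration is used to select, never to exclude, events: a burst of
    quick lookups across many patients is the pattern the case describes.
    Returns {user: largest number of distinct patients seen in a window}."""
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "VIEW_CHART" and e["secs"] < SHORT_VIEW_SEC:
            by_user[e["user"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        start = 0  # sliding window over this user's brief views (time-sorted)
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            distinct = {x["patient"] for x in evs[start:end + 1]}
            if len(distinct) >= MAX_DISTINCT:
                alerts[user] = max(alerts.get(user, 0), len(distinct))
    return alerts


def review_queue(text):
    """Run both detections over a log and return what a Privacy Officer
    should review."""
    events = parse_log(text)
    return {
        "off_unit": [(e["user"], e["patient"]) for e in off_unit_views(events)],
        "rapid_brief": rapid_brief_views(events),
    }


if __name__ == "__main__":
    for name, hits in review_queue(SAMPLE_LOG).items():
        print(name, hits)
```

On the sample data the consulting physician `d_cons` appears only in the off-unit list (a legitimate consult that the reviewer can clear), while `n_demo` appears in both: three off-unit views and six distinct patients opened for a few seconds each within about two minutes at 2 a.m. That combination, not the seconds per record, is what should land on a Privacy Officer's desk.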
Stay tuned!