I’m Kate Dewhirst.

I’m a lawyer who writes about legal issues affecting healthcare in Canada.


Health Privacy Update: New class action certified in Ontario after privacy breach at a hospital


Just when you thought it was safe … a new class action was recently certified after a health privacy breach at a hospital in Ontario. Here’s what every health Privacy Officer needs to know.

Stewart v. Demme and William Osler Health System (2020)

“The central question … is whether a privacy violation can be “highly offensive” and actionable even if it is fleeting and causes no harm.”

That is the court’s opening statement in its decision.

The answer is probably yes. At least the court is willing to find out more.

Background

A nurse stole more than 20,000 Percocet pills (opioids) over a nine-year period of working in a hospital. To do so, she had to look at the medical records of more than 11,000 patients to obtain active patient names she could enter into the medication system to open the medication drawers.

It is alleged that her viewing of the paper and electronic health information systems was fleeting. It took her fewer than 60 seconds to look in a record to get a name of an active patient.

Some affected individuals were patients on the floor where she worked in the hospital. Others were not. It is alleged she was not viewing the records to provide clinical services – she did so to steal medication. There was no evidence that she read through the records of health information out of general curiosity or to learn about any particular individual. It is alleged she did so to obtain enough information to assist her to gain access to the controlled substances and override the security precautions of the hospital’s controlled medication systems.

When her activity was discovered, the nurse was fired from her job at the hospital, criminally convicted of theft, and lost her license to practice nursing.

The Law

Is it a privacy breach if someone views a record quickly?

If it is a privacy breach, should there be compensation to affected individuals?

The court is willing to find out the answers to these questions.

In this recent case, the hospital and nurse did not persuade the court to dismiss the action against them for “intrusion upon seclusion”. This case will go forward on its merits as a class action. We will have to wait and see the outcome.

The tort of intrusion upon seclusion first came to Ontario in the case of Jones v. Tsige in 2012. We now have a three-part test to establish this cause of action:

  1. the defendant’s conduct must be intentional (including recklessness)
  2. the defendant had to have invaded the plaintiff’s private affairs or concerns without lawful justification
  3. the intrusion would be highly offensive to a reasonable person (causing distress, humiliation or anguish).

Affected individuals can now go to court to be compensated for this type of breach of privacy.

In Stewart v. Demme, the court said that the first two components of intrusion upon seclusion are not disputed: (1) the nurse’s actions were intentional; and (2) the information she looked at in the patients’ health records was private and she did not have authority to view those records as part of her job. The issue to be decided is whether the third part of the test can be established – whether the intrusion would be highly offensive to a reasonable person.

The hospital and the nurse argued that a fleeting look at health records is not “highly offensive” and should not entitle the affected patients to be paid. They argued the patients were not harmed and the privacy breach was minimal.

The court did not agree and permitted the class action to proceed.

Messages for Privacy Officers

I get asked from time to time by health Privacy Officers whether viewing a health record for mere seconds counts as a privacy breach. The issue usually arises in snooping cases where an audit of electronic systems captures that a staff member viewed a patient’s health record (or many health records) for seconds.

Count to yourself – 1 one thousand – 2 one thousand – 3 one thousand – 4 one thousand – 5 one thousand – 6 one thousand – 7 one thousand – 8 one thousand – 9 one thousand – 10 one thousand.

If you know what you are doing in an electronic system, how much can you read and learn in 10 seconds?

A lot.

You can learn someone’s diagnosis.

You can read that someone has been referred for a particular procedure or consultation.

With a few more seconds, you can read a whole note of their counseling session.

This case of Stewart v. Demme teaches health Privacy Officers to double down on privacy training and on auditing electronic information systems for unauthorized use and disclosure. You must teach your staff that they should not view any records of patients unless they need to do so for their authorized role. If they need information to provide care – they must look at records. If it is part of their job to engage in quality improvement activities – they must look at records. But they must never view health records out of curiosity or for personal benefit, let alone as part of a criminal act.

Stay tuned!

