|
When Canadian provinces started rolling out stand-alone health information laws there was a confident assumption that health professionals would not abuse their access to personal health information. This meant that compliance efforts were focused on what might be called ‘soft safeguards’. This includes providing training, comprehensive policies and procedures and requiring individual oaths to comply with the law. These measures would be back-stopped by audit trails and the ability to identify improper viewing of patient information.
Since Manitoba’s ground breaking health information law in 1997, we now have the experience to allow us to revisit that assumption. Common to all Canadian jurisdictions that have adopted such a law, or are in the process of doing so, is a version of ‘role-based’ access. It has been determined that more finely grained access controls would be either too costly or too cumbersome.
We have seen that although most health care workers will follow both the law and their professional codes of ethics, the soft safeguards have not been completely effective. That has led to implementation, or at least consideration, of ‘hard safeguards’. This would include dismissal for cause of snooping hospital employees and prosecution in egregious cases. In terms of termination of employment, the early experience was that dismissals were being overturned when the employee appealed to arbitration boards and a much lesser penalty substituted. The reason was often that arbitrators failed to recognize the qualitative difference between paper records or charts in a file accessible to a relatively small number of workers and an electronic health record that allows a health care worker anywhere in a province the ability to view a patient’s comprehensive record (including health history, diagnostic, treatment and care details, laboratory reports, medication details, diagnostic imaging pictures and radiology reports) and in some cases even to alter the record. More recent arbitration decisions in Ontario, British Columbia and Saskatchewan have suggested that snooping should attract summary dismissal barring some unusual circumstances.
In the last two years there have been prosecutions of health care workers for snooping in electronic health records in Newfoundland, Ontario, Manitoba, Alberta and British Columbia. Manitoba has changed its Personal Health Information Act to include a snooping offence. In Saskatchewan, a high-level task force considering the enforcement mechanism in the Health Information Protection Act determined that it was inadequate. It recommended a specific snooping offence provision be incorporated into HIPA.
At issue is patient confidence that, when dealing with the health care system, their personal health information will be protected and their privacy respected. While the number of snooping incidents may be relatively small, the notoriety that attaches to such breaches tends to cast a shadow over virtually all health care workers. This warrants careful consideration by ministries of health and health system administrators.
|
