This article is part 1 of our 3-part Privacy Training Series: Financial Impacts & Consequences of a Privacy Breach.
Any Unauthorized Access of an Individual’s Health Information is Forbidden
A recent decision by the Alberta College of Pharmacy Hearing Tribunal provides a cautionary example of what a privacy breach can cost.
First, let’s look at the basics of the case according to the February 2021 decision by the Hearing Tribunal:
- A pharmacist accessed multiple patients’ health information without any authorised purpose.
- The unauthorized accesses, including accessing her own electronic health records, occurred on multiple occasions over a 20-month period.
- No evidence that the pharmacist disclosed the health information to a third party however the Hearing Tribunal found the pharmacist’s conduct was unprofessional and warranted significant sanctions
“[The pharmacist’s] decision to review the personal information of individuals for purposes unrelated to medical care constitutes a serious violation of privacy. It was a breach of her obligations owed to the public, as well as to the profession, and is conduct that harms the integrity of the pharmacy profession,” the Tribunal stated in their decision.
According to the published description, the pharmacist conducted these breaches with no apparent motivation or personal gain. However the Tribunal noted the pharmacist was very experienced and should clearly have known better. The significant span of time over which the breaches occurred also suggests this was not a ‘one-time lack of good judgement’ type of event.
The Cost of Privacy Breach
The Tribunal imposed significant penalties even though there was no previous history of unprofessional conduct and no disclosure of patient health information. The pharmacist admitted to her unprofessional conduct, and her employment was terminated. As described by the Hearing Tribunal, the penalties included:
- Formal reprimand by the College
- Pharmacist must undergo ethics course at own expense
- Three month suspension
- Conditions of future employment and restrictions
- An order that the pharmacist must disclose the Hearing Tribunals written decision to any pharmacy employer for two years
- $10,000 payment of costs
A very high price was paid for what appears to be a casual approach to privacy. As previously noted, the pharmacist was terminated by the employer and has clearly suffered professional reputation damage. The Tribunal also pointed out the harm to the integrity of all pharmacists. The requirement for pharmacists to properly collect, use, disclose, and safeguard their patients’ health information, including their registration information is foundational to the relationship between pharmacy professionals and patients. When health information is accessed and used for an unauthorized purpose, this relationship is eroded, as is the integrity of the profession.
Recommendations by the College
Based on the circumstances of this case, the college has published a checklist of reminders to their members to help keep the importance of privacy at the forefront of their pharmacy. Best practices mentioned by the College included educational training to ensure members are familiar with the up-to-date health information policies and procedures.
Corridor Interactive is your partner in the educational process for privacy training to keep pharmacists, pharmacy technicians and other custodians and affiliates operating in a safe and privacy compliant manner as expected Canada’s Health Information Act and provincial health legislation. Corridor offers online training for Privacy Awareness in Health Care that will instruct participants on all the requirements and best practices for handling personal health information and privacy compliance in Canada. Courses specific to health care workers in Alberta and Ontario are also available to meet the specific requirements in those jurisdictions.
If you’ve already completed the Privacy Awareness course, Corridor offers Privacy Refresher Online Training. Designed to be completed in under 30 minutes, the Refresher tests the user to determine their level of familiarity with privacy restrictions and issues. This unique training program identifies deficiencies or lapses in policy knowledge and targets specific training modules for the user to revisit to freshen their skills.
Summary
The costs of privacy breaches go well beyond what was prescribed by the Hearing Tribunal. Both employer and employee are involved in a time consuming hearing and disciplinary process that can drag over several years. For a pharmacy the leak of personal information can have devastating consequences to their customers and the general reputation of the business. It is a high price to pay when there are simple, easy to use solutions that can be employed to train everyone about the importance of privacy and safe handling procedures.
Sources:
Alberta College of Pharmacy
https://abpharmacy.ca/articles/only-access-health-information-authorized-purposes
Calgary Herald
https://calgaryherald.com/news/local-news/calgary-pharmacist-suspended-for-wrongfully-accessing-patient-files