2010canlii78802 Medical Records Disclosed To Employer

   EMBED

Share

Preview only show first 6 pages with water mark for full document please download

Transcript

NORTHWEST TERRITORIES INFORMATION AND PRIVACY COMMISSIONER 2010 CanLII 78802 (NWT IPC) Review Recommendation 10-089 File 09-246-4 May 13, 2010 BACKGROUND On approximately December 4th, 2009, I received a complaint from an individual (the “Complainant”) who was upset because he felt that his medical health information had been improperly disclosed to his employer. The Complainant was an employee of a northern mining company. He was experiencing some health problems which dictated that he be on short term disability leave from his job. At the request of the employer, the Complainant was seen a specific doctor (referred to herein as Dr. A), who was under contract with the employer as the company’s Medical Director. In the course of treating the Complainant, Dr. A asked for and obtained from him signed consents. The Complainant understood that the consents were required so that the doctor could obtain medical records from two southern institutions at which the Complainant had been previously treated. These were the only consents that the Complainant remembers signing. The Complainant says that he signed the releases in good faith and on the understanding that the information gathered would be used to assist Dr. A to diagnose and treat his condition. It appears that he thought Dr. A was his doctor and was doing what was necessary to diagnose and treat him as his physician. It does not appear that he was told that Dr. A had an additional interest in this referral in that he was reporting to the employer and protecting the employer’s interests. The Complainant is quite adamant that he did not know that his detailed health information would be shared with the employer. While still on leave, however, the Complainant received a letter from his employer advising him that they were requiring him to attend a drug rehabilitation program as a condition of his continued employment because records provided to them by Dr. A indicated that there were traces of illegal drugs in his system. 2010 CanLII 78802 (NWT IPC) The Complainant was extremely upset, particularly because he felt that the information provided to the employer was totally unrelated to the medical condition for which he was on disability. He says he was never told that his medical records could or would be shared with his employer. PRELIMINARY ISSUE Upon receiving the Complainant’s submission, I made some inquiries and determined that Dr. A is one of a small handful of doctors practicing in the Northwest Territories who are not government employees. My office has no jurisdiction over private sector business and, therefore, no jurisdiction over Dr. A personally. However, that does not end the matter. I determined that Dr. A practices out of two different clinics. One is his own private clinic. His activities in that office are clearly outside my jurisdiction (however, his practice is subject to the Personal Information Protection and Electronic Documents Act, which is federal legislation setting out rules and regulations for the protection of privacy in the private sector). However, he also sees patients in a facility owned and administered by Yellowknife Health and Social Services (YHSS). The Access to Information and Protection of Privacy Act provides that it’s provisions apply to all records in the custody or under the control of a public body. It was, therefore, necessary for me to determine the exact nature of the relationship between Yellowknife Health and Social Services and Dr. A and who has the custody and control of the medical records gathered by Dr. A. The Health Authority, with input from Dr. A, provided me with the following information: a) Dr. A’s treatment of the Complainant took place in the Yellowknife Health and Social Services (YHSS) clinic, not in his private clinic b) Dr. A did not see the Complaint by reason of the fact that he was a patient of YHSS but in his capacity as Medical Director for the employer 2010 CanLII 78802 (NWT IPC) c) Dr. A is not an employee of YHSS. He has a contract with YHSS wherein he leases space and support services from YHSS and provides medical services through their office d) Dr. A does not employ any staff when working at the YHSS office but relies on the staff employed by YHSS for administrative and nursing assistance. e) The information contained in files at the YHSS office belong to individual patients and the physical records belong to YHSS. The files for the patients Dr. A sees are not kept separately from YHSS files and are not differentiated in any way from the other clinic files. No separate files are kept by Dr. A for patients he sees in his capacity as Medical Director for the mining company or for any of his other patients. f) The Complainant’s family doctor is in the same clinic in which Dr. A examined and treated the Complainant and there was a patient file for the Complainant at the YHSS clinic which predated the Complainant’s interaction with Dr. A. The information on the file is, therefore, intermingled with the information gathered by Dr. A. g) Dr. A has access to all YHSS patient files while he is working in the YHSS clinic h) Dr. A’s agreement with YHSS provides for his use of space, support staff and services. Dr. A advised that he is not paid by the employer for the patients he sees in his capacity as Medical Director for the employer. Instead, THIS (Territorial Health Insurance) is billed for all patient care, whether he sees the patients in his own clinic or in the YHSS clinic and whether the patients he sees are seen in his capacity as Medical Director for the company, or in some other capacity. All of his billing is done by the staff of YHSS on his behalf. 2010 CanLII 78802 (NWT IPC) Based on the above, I conclude that the patient files located at the YHSS clinic are in the custody or under the control of YHSS and, therefore, subject to the provisions of the Access to Information and Protection of Privacy Act. In the circumstances, therefore, although I have no jurisdiction over Dr. A, I do have jurisdiction to deal with complaints about the collection, use and disclosure of records maintained in the offices of YHSS clinics, regardless of which doctor a patient has seen. DISCUSSION The basic question in this case is whether or not the Complainant’s personal health records were improperly disclosed to his employer. I take it as a given that Dr. A shared the Complainant’s medical records with the employer and that the medical records he disclosed were those gathered and kept at the YHSS clinic. The simple answer to the question of whether or not there was an improper disclosure of the Complainant’s health records depends entirely on whether or not he provided his informed consent to that disclosure. It is not, in my opinion, enough that he signed a form without reading it or understanding its full impact. Nor would it be sufficient for the employer to present a general, wide ranging consent which might have been signed at the time of employment. Informed consent requires a clear explanation being given together with an understanding of the full implication of the consent on the part of the person giving the consent. There is no evidence that such a consent was given in this case. The Complainant remembers giving his consent to Dr. A to collect medical information from other clinics where he had been treated, but he does not remember signing any document in which he gave his consent for his medical information to be shared with his employer. Nor has YHSS provided me with a copy of any such consent. Section 42 of the Access to Information and Protection of Privacy Act provides that public bodies are responsible for the protection of personal information in their custody and control: 2010 CanLII 78802 (NWT IPC) 42. The head of a public body shall protect personal information by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal. Based on this set of facts, I think it is fairly clear that the Complainant’s personal privacy was breached and his complaint is well founded. Furthermore, because the records were in the custody and control of YHSS, responsibility lies with them for the breach. Perhaps the more difficult problem lies in the relationship between Dr. A (and a handful of other fee for service physicians who apparently have similar arrangements with YHSS) and YHSS Authority. The arrangement which is in place appears to create huge gaps and question marks about who is responsible for health information privacy, raises concerns about accountability and, I would suggest, allows for assumptions by the public which are not borne out in fact. As I understand it, there is only one set of medical records kept for each patient who is seen at the YHSS clinic. All patient records are available to all of the doctors who treat patients at that clinic. Given that the records are in the custody and control of YHSS, it is their responsibility to ensure that the records are not improperly used or disclosed. I question, therefore, if the doctors who are not employees should be given access to the clinic’s patient files at all. If one analyzes the system at YHSS insofar as the fee for service physicians are concerned, there are some problems. The Act, for instance, requires a public body to collect information directly from the individual whenever possible: 41.(1) A public body must, where reasonably possible, collect personal information directly from the individual the information relates to unless (a) another method of collection is authorized by that individual or by an enactment; the information may be disclosed to the public body under Division C of this Part; ..... 2010 CanLII 78802 (NWT IPC) (b) There are a number of additional situations listed in which personal information can be collected from someone other than the individual to whom it relates, but none of them are applicable to this case. When a fee for service physician sees a patient in the YHSS clinic, and collects information about the patient, it is not YHSS collecting the information. Rather, it is the fee for service physician who is collecting the information, and then passing it on to YHSS to record and save. This is not, I would suggest, a collection directly from the patient and, because patients are not made aware of this special arrangement, I would suggest that they cannot be said to be consenting to this indirect collection of personal information. Secondly, when the fee for service physician is granted access to patient files of YHSS, there is a disclosure of the personal information, because the physician is not employed by YHSS. Again, because patients are not made aware of the special relationship between the doctors and the clinic, when these doctors are given access to the medical records, there is a disclosure to the fee for service physician which likely does not comply fully with the spirit or intention of the Act. This may not seem like a big deal in that the information is being collected and disclosed for the most part so that the patient can receive needed medical attention. The problem, however, lies in the situation where, as in this case, the fee for service physician to whom the information is disclosed is also contracted to another third party and is sharing medical health information with that third party, without the full and proper consent of the individual to whom the information relates. The bottom line remains that the records in question are in the custody and control of YHSS and they are, therefore, responsible for how they are collected, used and disclosed. 2010 CanLII 78802 (NWT IPC) RECOMMENDATIONS Obviously, the damage in this case is done and cannot be undone by “taking back” the information disclosed to the employer. That said, steps must be taken to change the way in which things are done in the YHSS clinics. To that end, I would make the following recommendations: a) the easiest way to avoid this kind of situation arising again is to disallow fee for service physicians from practicing out of the offices of YHSS. This will clearly avoid the situation which arose in this case, at least insofar as the records that are in the custody and control of the public body. b) if fee for service physicians are to continue to see patients at the YHSS offices, there should be clear and unequivocal contractual arrangements in place between YHSS and the fee for service physicians which would include the following: i) a requirement that patients who are seeing these doctors are fully informed about the nature of the relationship between the doctor and the clinic and how that might affect the use and/or disclosure of their personal information; ii) a requirement to obtain a written acknowledgment and consent from each patient seen by a fee for service physician at a YHSS clinic acknowledging that he/she has been advised about the nature of the doctor’s practice and indicating clearly the specific purposes for which his/her medical information will be collected, used and disclosed by the doctor and/or by YKHSS; iii) prohibiting the doctor from treating patients in YHSS clinics in any 2010 CanLII 78802 (NWT IPC) capacity other than as patients of YHSS. If a doctor is seeing patients as a result of a third party contract (such as in the capacity as the Medical Director of a corporation) those patients should be seen elsewhere. There should also be a prohibition on the use of any information which the doctor might have or receive by reason of having access to a patient file at YHSS unless, of course, a written consent from the patient is on the patient’s file; iv) requiring a written acknowledgment by the doctor that the records created by him/her while treating patients at YHSS are the property of YHSS and an undertaking not to use such information or records except in accordance with YHSS policies and the requirements of the Access to Information and Protection of Privacy Act v) providing for a mechanism to monitor and enforce these provisions. YHSS will then have to take active steps to monitor and implement these provisions and ensure that the fee for service physicians are complying with the contractual and legislative requirements outlined. The issue raised in this review is timely. I understand that in the next month or two, all but one clinic in Yellowknife currently run by YHSS will be rolled into one “super clinic” with everything from family counseling to specialist services being provided under one roof. I am assuming that thought and care has been put into how patient files will be handled in this super clinic. The facts and circumstances of ths case will, I hope, serve to focus some attention on these issues before the clinic opens, rather than after something like this happens again. Patients attending at the super clinic should be able to have confidence that their personal health records will not be generally available to anyone who works in any role within the clinic. Information collected and maintained should be compartmentalized and kept narrowly accessible and used only for the purpose for which it was collected and requiring the informed consent of the patient to have it accessible for another purpose, even if it is being used within the same physical 2010 CanLII 78802 (NWT IPC) space. Failure to do this will result in more complaints such as this one and will eventually lead to a loss of confidence in the system to the point that patients may choose to avoid seeing a doctor rather than to risk having their personal health information made widely available without their knowledge or consent. Finally, I would simply add a comment with respect to the specific case before me and Dr. A’s apparently wrongful disclosure of the Complainant’s health information. I repeat that I have no jurisdiction over Dr. A as a private sector businessman. This does not mean that Dr. A is not accountable for his actions. I would recommend to the Complainant that he address his complaint to the Federal Privacy Commissioner’s Office at the following address: 112 Kent Street Place de Ville Tower B, 3rd Floor Ottawa, Ontario K1A 1H3 Dr. A also has responsibilities to his professional association and must abide by their code of conduct. This may be another avenue through which the Complainant may have his concerns with respect to the use of his health information addressed. Elaine Keenan Bengts Northwest Territories Information and Privacy Commissioner