These St. Joe’s staff accessed the health records of ex-relatives, former in-laws, colleagues and friends — and they weren’t fired

by
Sebastian Bron - Spectator Reporter
from on (#62N47)
hospitals16.jpg

One snooped into the health records of a former sister-in-law 18 times.

A second inappropriately accessed the records of a family member after seeing them at a COVID-19 testing centre.

A third peered into the records of three ex-relatives, two colleagues and a colleague's relative.

A fourth pried into the records of a relative, two colleagues and a friend.

They're all workers at St. Joseph's Healthcare Hamilton, who, in the past year, collectively breached the health records of a dozen patients, gaining access to private and sensitive information like demographic details, appointment histories and clinical doctor notes.

And they all remain on the job.

Documents shared with The Hamilton Spectator this week shed new light on the extent of the privacy breaches that have recently embroiled St. Joe's in controversy, and raise pertinent questions about the hospital's transparency record and how they handle insubordinate staff.

In March - after a Spectator story revealed a separate worker had been fired for snooping into the files of 49 patients - the hospital said in a statement the four aforementioned staff members accessed the records of between one and six patient(s)."

But documents now reveal that number to be 12, and the affected patients to range from ex-relatives and family members to friends and coworkers.

In the wake of the breaches - which one privacy expert likened in an interview to a blatant abuse of health-care ethics" - the workers were subject to internal hospital investigations as well as probes from Ontario's privacy watchdog.

The result?

A slap on the wrist," as the privacy expert puts it.

In determining the level of discipline, the scope of the breach, the circumstances and explanation for the staff's actions, as well as the staff's prior employment record, are factors that are considered," St. Joe's said in a statement Tuesday when asked why the staff weren't terminated.

These accesses are all privacy breaches and St. Joe's has taken steps, including enhanced mandatory privacy training, to clarify standards and expectations for all staff," the hospital added, noting in a followup statement that they have also created an executive position responsible for privacy.

It's unclear what type of discipline the snooping workers received, or whether they still have access to the electronic database where patient files can be accessed.

For privacy expert Arthur Schafer, these types of breaches alone threaten the sanctity of doctor-patient relationships and violate one of the most profound obligations of the health-care system, which is to protect, guard and respect patient privacy."

But throw in a hospital's response and Schafer says the optics get a whole lot murkier.

The disciplinary action being a mere slap on the wrist ... it sends the wrong message," said Schafer, founding director of the Centre of Professional Applied Ethics at the University of Manitoba. You want to send a message to your staff and patients about how seriously you take this, and I think most people in the general community will infer that St. Joseph's didn't treat these breaches as very serious offences."

He added: This behaviour is abusive and profoundly violates health care ethics. And it makes you wonder, what would it take for an employee who violates patient confidentiality to be fired?"

One clue rests with the number 49.

That's how many patient records a since-terminated St. Joe's staffer inappropriately accessed between February 2020 and March 2021. More than half of the breached files, 26, included sensitive physician notes.

But stern action from the hospital didn't come swiftly.

The responsible employee stayed on the job for a full year before being fired. They were disciplined in January 2022 - more than nine months after St. Joe's first identified the breaches - and ordered to undergo additional privacy training.

That action came to light after a Spectator story in late February revealed the worker snooped into the files of two patients - a dead mother and a baby boy - who were unrelated but shared a last name.

At the time, the hospital said they had uncovered five instances in the past year where staff have accessed health records for reasons other than their hospital duties."

It would take a subsequent probe by the Information and Privacy Commissioner of Ontario (IPC) to reveal in a March 24 Spectator story that the employee accessed 49 patient records - not the five St. Joe's cited - over a 13-month span and was subsequently fired.

But internal communication documents now reveal that St. Joseph's knew the true number of affected patients at least three weeks earlier and deliberately withheld the information from The Spectator.

A March 3 media briefing memo shared among St. Joe's senior staff noted the responsible employee accessed 49 patient files. More than two-dozen of them, it noted, included sensitive physician notes - but it would take until late June for that information to come out in the media.

The memo also highlighted a question from a Spectator reporter who on Feb. 9 asked how many patient records the employee accessed.

Public Affairs shared a response with the reporter but did not answer the above question," the memo said.

A month later, on March 3, the reporter again asked for the full number of affected patients after another breach victim contacted the paper.

Shared a response but did not disclose the total number of breaches associated with this case," the memo said.

The memo didn't mention why the true number was withheld. On Wednesday, St. Joe's said in a statement the extent of the breaches wasn't provided at the time because of an ongoing HR investigation.

In hindsight, we could have provided the reporter with an update when this HR process had concluded," they said.

While St. Joe's repeatedly said the responsible worker was snooping out of curiosity," the memo noted the staff member admitted their access was due to a desire to look up the health information of family members, friends and high-profile patients of the hospital."

That brings some sort of closure for Arthur Gallant, whose late mother, Marilyn, had her records accessed by the employee in March 2021.

He filed a freedom of information request for documents containing St. Joe's handling of the privacy scandal because I felt like the hospital wasn't being truthful to me and the media.

And now seeing it on paper - that they knew the true number of affected patients but didn't share it, that they knew clinical notes were accessed but didn't share it - it brings some vindication," said Gallant, who provided the documents to The Spec.

But Gallant remains disappointed it took this much effort" to get the truth out. He was the first person to contact The Spec about the breaches in February.

If I didn't do that, would this information ever get out?" he said. That's what scares me. That they're only being held accountable because of someone else's actions."

Sebastian Bron is a reporter at The Spectator. sbron@thespec.com

External Content
Source RSS or Atom Feed
Feed Location https://www.thespec.com/rss/article?category=news&subcategory=local
Feed Title
Feed Link https://www.thespec.com/
Reply 0 comments