Health advisor in the UK fined for unlawfully accessing patient records. And in NSW such conduct resulted in a nurse having her registration cancelled.
August 18, 2022
The UK Information Commissioner has highlighted the case of Christopher O’Brien who was prosecuted for unlawfully accessing patient records of 14 patients of the South Warwickshire NHS Foundation Trust, all of whom were known to him. The media release provides:
A former Health Advisor has been prosecuted for obtaining the personal data of service users, namely patients of South Warwickshire NHS Foundation Trust.
Mr O’Brien unlawfully accessed patients’ medical records in the course of his employment without any business need to do so. Mr O’Brien had viewed the records of 14 patients, who were known personally to him, between June and December 2019 without the consent of his employer.
Christopher O’Brien appeared before Coventry Magistrates’ Court and pleaded guilty to 6 counts of unlawfully obtaining personal data, in breach of s170 of the Data Protection Act 2018. He was ordered to pay £250 compensation to each data subject, totalling £3,000.
A former health adviser has been found guilty of accessing medical records of patients without a valid legal reason.
Christopher O’Brien, 36, was working at the South Warwickshire NHS Foundation Trust when he unlawfully accessed the records of 14 patients, who were known personally to him, between June and December 2019. He did so without a valid business reason and without the knowledge of the Trust.
One of the victims said the breach left them worried and anxious about Mr O’Brien having access to their health records, with another victim saying the breach put them off from going to their doctor.
Mr O’Brien pleaded guilty to unlawfully obtaining personal data in breach of section 170 of the Data Protection Act 2018 when he appeared at Coventry Magistrates’ Court on 3 August 2022. He was ordered to pay £250 compensation to 12 patients, totalling £3,000.
Stephen Eckersley, ICO Director of Investigations, said:
“This case is a reminder to people that just because your job may give you access to other people’s personal information, especially sensitive data such as health records, that doesn’t mean you have the legal right to look at it.
“Such behaviour can be extremely distressing for the victims. Not only is it an invasion of their privacy, it potentially jeopardises the important relationship of trust and confidence between patients and the NHS.
“I would urge organisations to remind their staff about their data protection and information governance responsibilities, including how to handle people’s sensitive data responsibly.”
This sort of misbehaviour is not confined to the United Kingdom. In 2015 National Public Radio did a piece on hospital workers snooping on celebrities’ medical records, including those of George Clooney, Kim Kardashian and Michael Jackson, to name a few. It is a chronic problem in Australia within the health sector. Last year the Health Care Complaints Commission prosecuted a complaint against registered nurse Ms Cody Rae Payne at the NSW Civil and Administrative Tribunal (‘the Tribunal’). Between January and August 2019 Payne accessed, without lawful authority, her own medical records as well as those of 34 other persons, including family members involved in family court legal proceedings. She provided information to her husband that she acquired as a result of that unauthorised access.
The hearing before the NSWCAT occurred after Payne had been criminally prosecuted for accessing the records.
To compound matters, Payne failed to notify the Nursing and Midwifery Board of Australia of the finding of guilt in the criminal case.
On 23 September 2021, NSWCAT found Payne guilty of unsatisfactory professional conduct and professional misconduct. It cancelled Ms Payne’s registration with a non-review period of six months.
The Victorian AMA has prepared a release on the dangers of accessing health records without consent stating:
Introduction
Electronic medical records are now the norm in most hospitals and medical practices. There are undoubtedly many benefits, enabling health practitioners to work more efficiently and provide care to patients with less delay.
However, with this ease of access to sensitive health information, medical practitioners must ensure that they have obtained the relevant consent and/or authority to access the health records of an individual who is not under their care. There can be serious ramifications if records are accessed without such consent or authority in place and such conduct is likely to be viewed by the Medical Board and/or a responsible Tribunal as serious conduct falling below the standard expected of a medical practitioner and a breach of their ethical obligations.
The case of Health Care Complaints Commissioner v Payne [2021] NSWCATOD 145 (Payne) demonstrates the serious risks health practitioners face if they access patient health records without authority. In that case, a nurse’s registration was cancelled and a non-review period of six months was imposed.
Whilst this case is on the extreme end in terms of conduct and the health practitioner clearly accessed records without the patients’ consent or authority and for her own personal gain, the case is a timely reminder for medical practitioners to ensure they have the appropriate authority in place before they access health records of any individual and that such access or disclosure is for a proper purpose.
What happened?
Between January and August 2019, whilst working in the intensive care unit of a hospital, a nurse accessed her own health records as well as the health records of:
- her husband;
- two former partners of the husband;
- three children of the husband; and
- 27 people who had no apparent association with her.
These records were held on an electronic database maintained by the hospital and access was password protected. None of the patients she accessed the health records of were ICU patients or in her care.
In her employment at the hospital, the nurse had received training about restrictions on access to health records and the obligation to maintain confidentiality. She admitted she understood that access to health records was only permitted for the purpose of providing care to patients. She also admitted when she accessed the records of her husband’s family members she understood she lacked the authority to do so.
The hospital terminated her employment and notified NSW Police and the Independent Commission Against Corruption (ICAC). The nurse was charged under section 308H(1) of the Crimes Act 1900 (NSW), which makes it an offence for a person to cause unauthorised access to restricted data held in a computer. The nurse pleaded guilty and a conditional release order was made for a period of 12 months.
In separate disciplinary proceedings, the Tribunal found the nurse accessed the health records of family members for the purpose of providing information contained in those records to her husband, to be used by him in family law proceedings. In addition, she admitted accessing information contained in her husband’s health records for use by him in a compensation claim. In relation to the other health records, the Tribunal noted there were a number of reasons which could have explained the nurse’s actions, including idle curiosity.
The Tribunal noted that while her conduct could not be described as ‘falling at the high end of the scale in terms of criminality’, it was a very serious breach of her ethical obligations with respect to the use of health records. The Tribunal warned:
“It goes without saying that unauthorised access by a health practitioner of health records is conduct of a most serious nature.”
The Tribunal found that because the nurse could not offer any plausible explanation as to why she accessed the health records in many instances, there was an appreciable risk she would again abuse her position and access health records without authorisation.
Ultimately, her registration was cancelled and a non-review period of six months was imposed.