Health Professionals are Responsible for their Employee’s Conduct
Introduction
In a recent case before the Health Professions Appeal and Review Board (“HPARB”), Tuvel v. IR[1], HPARB explored the standard of responsibility and accountability that health professionals have for their staff and employees. In this case, a dentist (the “Dentist”) employed a receptionist (the “Employee”) who used information from a patient’s confidential patient file to send the patient sexually inappropriate text messages and to attend the patient’s residence. The Employee was charged with criminal harassment. The patient complained to the Royal College of Dental Surgeons of Ontario (the “College”).
Committee’s Decision
The College’s Inquiries, Complaints and Reports Committee (the “Committee”) reviewed the complaint and directed the Dentist to complete a specified continuing education or remediation program (“SCERP”) including coursework on privacy and practice monitoring for up to 24 months, and attend for a caution in person. The Dentist sought a review of the Committee’s decision on the grounds that the Committee’s decision was unreasonable. The Dentist argued that 24 months of monitoring and a caution were disproportionate to what took place, and that the Dentist’s conduct did not warrant these penalties.
The patient had alleged that the Dentist should have completed a background check on the Employee prior to hiring them. The Committee took no action on this issue as the Committee found that the Dentist had previously completed a background check of the Employee when the Employee worked in the office previously, before moving to another country, and that it was reasonable for the Dentist to rely on that background check.
The Committee’s decision to order a SCERP and caution in this matter was related to the other allegations raised in the complaint:
(a) the Employee improperly accessed the patient’s contact information and used it for an improper purpose;
(b) the Dentist downplayed the allegations of breach of privacy, harassment and trespassing and instead prioritized the operation of the clinic; and
(c) the Dentist did not terminate the Employee’s contract after the privacy breach, harassment and trespass but permitted the Employee to remain an employee for another month.
The Dentist knew that the Employee accessed a patient’s personal information contained in the patient’s health record without authorization and that the information obtained was used for an improper purpose. The Committee found that it was clear the patient felt unsafe with the Employee continuing to work at the dental office, and that the Dentist should have prioritized patient safety over the operation of the practice.
The Committee found that the Dentist failed to do so in the following ways:
The Dentist had an obligation to notify the Information and Privacy Commissioner of Ontario of the breach of privacy but failed to do so.
The College’s Code of Ethics required the Dentist to protect the confidentiality of personal and health information of patients and that the Dentist failed to protect and prioritize the patient.
The Dentist failed to discipline the Receptionist or put adequate protocols in place to protect patient privacy from being accessed without authorization in the future.
The Dentist should have sought appropriate advice, considered other staffing options, and prioritized patient safety.
The Dentist showed little insight into their legal and ethical obligations particularly when the Dentist became aware of the Employee’s breach of privacy.
HPARB’s Review
HPARB found the Committee’s disposition to be reasonable and that the Committee appropriately applied its knowledge and expertise and appropriately considered the expected standards of the profession in assessing the Dentist’s conduct. HPARB confirmed the Committee’s decision.
Conclusion
This case is an important reminder for all health professionals that they are responsible for the actions of their employees and accountable for their employees’ misconduct. The Committee’s decision (which was upheld by HPARB) makes it clear that if confronted with an employee’s misconduct, health professionals should consider:
Prioritizing patients safety over the operation of their practice once receiving information about employee misconduct;
The concerns raised by patients without reducing or making light of their experience;
The expectations set out in the Personal Health Information Protection Act, 2004, including:
whether the health professional has an obligation to report a breach of privacy to the Privacy Commissioner of Ontario;
having privacy breach protocols in place in the event of a privacy breach (unauthorized collection, use or disclosure of personal health information); and
training staff on policies and procedures that comply with privacy protection provisions as well as ongoing education to staff who act as the agents of health professionals regarding their ongoing obligations with respect to collection, use, disclosure, retention, transfer, and disposal of personal health information;
Maintaining confidentiality of employees’ personal, health and work-related information;
Their College’s regulations, policies, standards of practices and/or codes of ethics, as well as the obligation to protect patient confidentiality and/or whether the expectation is for patients’ health and well-being to be the paramount responsibility of the health professional.
If you require assistance responding to privacy breaches or information on how to set up privacy protocols or policies at your practice, reach out to us.
