Providing Healthcare in a Public Health Emergency Part 3: Avoiding Missteps and Professional Consequences in Patient Privacy

Part 3: Patient Privacy

Welcome to part three of our ongoing blog series exploring how health care providers (HCPs) can avoid missteps and professional consequences in the face of shifting professional responsibilities and challenging work environments caused by the COVID-19 pandemic. In this installment, we will discuss the potential consequences of “snooping” by HCPs during a public health emergency.

Patient Privacy

Protecting patient privacy is a core professional responsibility for HCPs as well as a legal requirement under the Personal Health Information and Protection Act, 2004 (PHIPA). Unless there are explicit emergency measures in place that alter the application of privacy legislation, HCPs are expected to continue to safeguard patient privacy and follow privacy laws and institutional policies to the best of their abilities under the circumstances.

For example, on April 6, 2020, the Ontario government made an order under the Emergency Management and Civil Protection Act, which permits first responders such as police, firefighters and paramedics to access information regarding an individual’s COVID-19 status upon request (the Order). This information includes an individual’s name, address, date of birth and whether they have had a positive test for COVID-19.

Aside from limited exceptions, like the Order, patients with COVID-19 are equally entitled to the privacy protections afforded to those who are not infected. Concern for one’s own health, the health of clients or patients, or even curiosity, can make it tempting for those with the ability to access medical records to “snoop” and seek information regarding infections in one’s workplace or beyond by improperly accessing personal health information. Accessing records of patients to whom an HCP is not directly providing care, without express permission of the individual or other authorization, is a breach of the patient’s privacy and is generally considered an act of professional misconduct for regulated HCPs, which could lead to serious consequences.

This very scenario occurred during the outbreak of Severe Acute Respiratory Syndrome (SARS) in 2003, in the case of College of Nurses of Ontario v Hooker, 2006 CanLII 81736 (ON CNO). A nurse was found to have accessed records of patients not under her care, to check whether patients in her hospital had been diagnosed with SARS. The nurse claimed that this was because she and other nursing staff were concerned about patient admissions during the SARS crisis and whether appropriate precautions were being taken by the hospital. The nurse also had a history of inappropriately accessing patient records for “curiosity”.

The nurse was fired by the hospital and was punished by her college, receiving the penalty of an in-person caution and a 30-day suspension with terms and conditions. She was also required to pay $3500 in costs. Today, this action would likely attract a greater penalty due to the implementation of PHIPA and the growth of jurisprudence regarding privacy breaches.

This is one example of how acts of professional misconduct may arise in the context of a public health emergency, and why, now more than ever, HCPs should ensure that they are up-to-date and familiar with professional standards. These include public health directives, emergency orders, and other policies that affect how HCPs deliver health services during the current public health emergency.

If you or your organization have questions regarding how to implement public health directives and other COVID-19 related policy changes, please contact us.
