Although privacy issues have been taking over the headlines in recent months, healthcare organizations have been subject to stringent privacy regulations for a number of years. Organizations providing healthcare services are particularly susceptible to issues of unauthorized access and public disclosure of personal health information (“PHI”). More specifically, professionals working in healthcare are required to maintain a high level of confidentiality with respect to their patient’s PHI.

Facts

Early this year, Ms. Hamilton, a registered practical nurse (RPN), was involved in a professional disciplines hearing with the College of Nurses of Ontario. The allegations made by the College revolved around comments Ms. Hamilton made with respect to an elderly client at the facility she worked at who suffered from Alzheimer’s disease and dementia. The allegations stemmed from an incident that occurred in December 2016.

On December 2, 2016, the client’s child (Child A) posted a publicly available message on Facebook expressing concerns about the client’s Power of Attorney (“POA”), who was also the client’s child (Child B). The same post also expressed concern about the care that the client was receiving at the facility. Numerous family members commented on this post.

The following day, on December 3, Ms. Hamilton published several comments as direct responses to Child A’s Facebook post. The comments were public and disclosed the client’s PHI including her name, identifying her as a resident at the facility, identifying herself as an RPN and employee of the facility, referring to the client’s POA, and referring to her experiences dealing with the client’s medical conditions.

More specifically, Ms. Hamilton posted:

I’m sorry but there are 2 sides to every story. I happen to work at this facility and there is no way [the Client] or any of our residents are treated as these people speak of. How dare you imply that she is neglected in any way. Our residents receive more care hours than the provincial average in Ontario long term care home. Our staff are the hardest working I’ve seen in any LTC facility I know. I’m disgusted that you would even post this filth and lies on social media. Shame on you!

And:

We don’t have a problem with the POA [Child B]. This is your personal business which you have chosen to hang out to dry on Facebook. I will gladly call you a liar because I spend more time with your mother than you do.

When Child A’s children (the client’s grandchildren) made posts defending Child A, Ms. Hamilton was noted to have made inappropriate and unprofessional comments such as one of the grandchildren having a “bad mouth” and that the client “would be disappointed” in the grandchild for their language. Ms. Hamilton also implied that the grandchild was uneducated regarding her medical condition and had no understanding of their grandmother’s health. She also told the grandchild to “shut up” or “grow up”.

Ms. Hamilton also posted “Oh [grandchild A] I look forward to meeting you the next time you visit your grandmother – I see we have much to discuss”, which the grandchild interpreted to be a threat.

The comments were deleted, but the family members captured them.

In the course of the disciplinary hearing, Ms. Hamilton admitted that it was inappropriate to engage in such dialogue with the client’s family, especially given such a public forum like Facebook. She further acknowledged that she breached the client’s privacy and disclosed her PHI without her consent or authorization.

Professional Standard and the Allegations

In 2004, the College issued a Practice Standard titled Confidentiality and Privacy – Personal Health Information, which was updated in 2009. The standards issued by the College represent the standard of care that is expected of all member of the organization. This particular standard largely reflected the personal health information protections codified in the Personal Health Information Protection Act (“PHIPA”). Some of the standards noted in the Practice Standard included the following provisions:

Maintaining confidentiality of clients’ personal health information with members of the healthcare team, who are also required to maintain confidentiality, including information that is documented or stored electronically…

Not discussing client information with colleagues or the client in public places such as elevators, cafeterias and hallways…

In the Notice of Hearing, dated December 7, 2018, the College made allegations against Ms. Hamilton that she: (1) engaged in an act of professional misconduct; (2) gave information about a patient to a person other than the patient or her authorized representative without the consent of the patient and without being required or allowed to do so by law; and, (3) that she engaged in conduct that would reasonably be regarded by members of the profession as disgraceful, dishonourable, or unprofessional.

Decision and Reasoning

The committee noted that the College bore the onus of proving the allegations on a balance of probabilities based upon clear, cogent, and convincing evidence. The College found that Ms. Hamilton committed the acts of professional misconduct.

The College found that Ms. Hamilton’s conduct showed disregard for private information of clients and inappropriate use of social media. The College further noted that Ms. Hamilton’s conduct was unprofessional as it fell below the standards of nursing with respect to confidentiality and trust. In short, she showed a persistent disregard for her professional obligations. The College further noted that disclosing PHI and breaching the client’s privacy in an open public forum was unacceptable and fell well below the standards of the profession.

The College ordered several penalties including a suspension for three months and further privacy training with a regulatory expert. Training was to focus on a review of professional standards, confidentiality, and privacy regarding PHI. The College found that these penalties achieved the purpose of specific deterrence, general deterrence, and rehabilitation and remediation.

Lessons from this Case

Organizations providing healthcare services to patient are required, by law, to maintain their patient’s PHI confidential. This includes proper cyber security safeguards, physical security safeguards, and policies aimed at ensuring staff are aware of their professional obligations. Organizations should develop policies that can be monitored and, more importantly, enforced on a regular basis. Ongoing staff training aimed at ensuring that staff and healthcare professionals are aware of their legal obligations to their patients are critical in meeting the appropriate standard of care.

This case is a perfect example of the impact social media has on an industry that traditionally does not have any connection to social media. Organizations should consider implementing social media policies to outline the obligations and expectations of their staff, which should be continually reinforced in the workplace. Failure to do so may result in disclosure of patients’ PHI and expose the professional and the organization to regulatory penalties and civil claims.

See College of Nurses of Ontario v Hamilton, 2019 CanLII 54732 (ON CNO)

Author

  • Stas Bodrov

    Once the target of an unsuccessful phishing scam, Stas is a key part of SBA’s cyber liability and privacy group providing services ranging from assessments and prevention to crisis response.