Hands-on experience is critical training for medical professionals. For instance, an emergency room doctor involving a resident in direct patient care is imperative for young medical professionals to develop their skills. However, from a legal perspective, the trainer/mentor is required to obtain their patient’s consent prior to disclosing personal health information to a third party. In some cases, it is difficult to obtain prior consent from a patient, in which case the medical professional must use their judgment in light of their contractual obligations and rules of professional conduct. Such a scenario occurred in Saskatchewan when a complaint was investigated by the Information and Privacy Commissioner.
The facts of the case are straightforward. A St. John’s Ambulance instructor, and volunteer medical first responder with the Saskatchewan Health Authority (SHA), was teaching a CPR re-certification class to three adult students. The instructor was registered as a non-practicing Emergency Medical Responder with the Saskatchewan College of Paramedics (SCoP).
During the class, the SHA issued an alert notifying first responders of a patient suffering cardiac arrest in a private home. The instructor decided to bring the students from the class to respond to the call. Apparently, the first responder reported that her “immediate reaction was to take the students with her so they could experience the call and perhaps undertake CPR. She grabbed the [automated external defibrillator] and they left immediately”. When they arrived at the private home, the instructor, with the assistance of a student, moved the patient from the bed to the floor. It was determined that resuscitation was not possible and, after the arrival of paramedic staff, the individual was pronounced dead.
A complaint was made to the SCoP, who subsequently reported the matter to the Information and Privacy Commissioner. The Commissioner considered provisions of Saskatchewan’s The Health Information Protection Act (SS 1999, c H-0.021) and found that a privacy breach had occurred. The Commissioner explained that when the instructor and her students attended the private residence, the students saw and heard the patient’s personal health information. As there was no authority for the instructor, or the SHA, to have disclosed the patient’s personal health information, it amounted to a privacy breach.
The Commissioner then considered whether the SHA responded appropriately. It was noted that generally, an organization must take five main steps when a privacy breach occurs – (1) contain the breach; (2) notify the affected individuals; (3) investigate the breach; (4) plan for prevention; and, (5) write an investigation report. The Commissioner found that the SHA properly contained the breach and since the affected individual was deceased, notified the affected individual’s family members.
The root cause of the breach was identified as the first responder’s disregard for the expectations set out in the Memorandum of Understanding and Confidentiality Pledge that she signed with the SHA, which required medical first responders to maintain strict patient confidentiality. She had also disregarded her professional responsibilities under the Code of Professional Conduct that applies to licenced members of the SCoP.
Although the privacy breach could not be undone, the Commissioner explained that one of the most important steps is the one commonly referred to as “lessons learned”, undertaken in order to prevent a further breach. In this case, the SHA indicated that it would not reinstate the instructor, which the Commissioner found was an appropriate decision considering the root cause of the breach. The SHA also noted that it would be improving training for staff and volunteers. The Commissioner found that this was also appropriate and suggested that volunteers should be treated like staff and be required to undergo the same mandatory privacy course.
Takeaway
It is important for medical professionals to understand that, from a privacy perspective, patients’ records can only be used for the purpose for which they were obtained – typically, treating the patient. Using a patient’s information for other purposes, like teaching a new doctor, is not an appropriate use unless the patient has consented to it. Similarly, taking students on a field trip to treat an individual without obtaining consent also has a high likelihood of infringing on that person’s privacy.
From a management perspective, organizations must follow a clear plan when responding to a breach. For example, the Cybersecurity Framework published by the National Institute of Standards and Technology (NIST), a seminal risk management framework originating in the U.S., sets out a five-step system for organizations to improve their cybersecurity and manage risk: (1) identify; (2) protect; (3) detect; (4) respond; and, (5) recover. Although the Commissioner in this case identified a slightly different set of five steps (noted above), both systems recommend that organizations be prepared for a breach and learn from mistakes after a breach to improve their risk management strategies. This case highlights the need for organizations to treat their volunteers as staff and require formalized privacy training for all of their members.
Although many organizations may think they can handle their own risk management and cyber security controls, it is likely not the best idea considering their lack of knowledge in the area. Remember, anyone can try to paint a Mona Lisa, but only true painters can paint it well.
See Saskatchewan Health Authority (Re), 2019 CanLII 84579 (SK IPC)