Data protection: access denied

Cases of staff breaching patient confidentiality by accessing their records appear to be rising. Even if it’s done with good intentions, the penalties can be devastating, as Andrew Cole discovered.

Professionals sometimes dismiss data protection as little more than red tape and political correctness. We all have the patient’s interests at heart, don’t we? So why all these rules and regulations that just make our job more difficult? But the fundamental purpose of data protection in health care is to protect privacy and patient confidentiality. And when it’s breached – whether intentionally or unwittingly – the consequences can be devastating.
Julie Collins, a CSP senior negotiating officer in the employment relations and union services unit, outlines the case of a CSP member who works in the same hospital where the member’s father was a patient. Concerned that staff had not picked up the dementia she was noticing at home, she decided to check out his electronic medical record several times. In time, the member’s colleagues at the hospital spotted the unauthorised access. 
And when it became clear the member had also been accessing her ex-husband’s notes, she was dismissed from her post and now faces a Health and Care Professions Council (HCPC) fitness to practise hearing. 

Concerns over rise in cases

Ms Collins and other CSP staff members have noticed that incidents of improper use of patient information seem to be on the rise. The main reason, she believes, is the shift from paper-based to electronic patient records. That means it’s now much easier to spot when an unauthorised individual accesses case notes – as well as the identity of who’s responsible. As she notes: ‘Evidence of this nature is impossible to counter; it offers an audit trail that is incontrovertible.’
At the same time the opportunity – and temptation – to delve into patients’ notes is greater. ‘With electronic records you don’t even have to go on to the ward to access them – you can do it from the physio department, for example.’
In most cases, Ms Collins says, the staff member knows the individual whose records they are accessing illegally. ‘Usually they are a friend or relative. And usually it’s because they are worried that the care is not up to scratch. 
‘It’s generally motivated by good intentions. Often they will be facing pressures in their own lives which can serve to unbalance their judgement. Sometimes it’s a series of things that simply overwhelms them.’
In other cases a physiotherapist fails to log out of their computer, allowing someone else to make use of that physio’s account for their own purposes. But that is not an excuse if an incident comes to light, Ms Collins points out. ‘If the member allows someone else to access their computer, by negligence or design, then that’s still going to get them into difficulty because they have left sensitive data unsecured. 
‘Even if the patient asks the staff member to check their notes this will not necessarily prove a defence since patients themselves have to go through approved procedures to see their notes. Nor is it acceptable for union representatives to view the notes of someone they are representing without proper authorisation.’ 

Career-ending potential

The bottom line, says Ms Collins, is that no physiotherapist can access any patient’s confidential data unless they are treating that patient or have a legitimate work reason for doing so. ‘These questions need to be in members’ minds all the time: is this one of my patients? Am I entitled to look at this person’s notes as part of the therapeutic relationship? If the answer is no, don’t do it!’
Although the act may be impulsive the consequences can be long-lasting, says Ms Collins. ‘This can be career-ending for the person involved. However well intentioned the act was, if they get caught they could lose their job and they could lose their livelihood.’ Many cases end with disciplinary action, dismissal and even professionals being struck off.
It can also have serious consequences for patients. Ms Collins recalls the case of one patient with significant mental health problems whose notes were read by a physiotherapist who wasn’t treating her. Employers are obliged to inform a patient that their personal data has been breached. But it was decided, in this case, that the patient’s mental state was too fragile for her to be told of the breach – the physio was understandably devastated by the potential effects of her action.
It’s also worth thinking about the ethical conundrums that can ensue. ‘Even in the case of relatives, if you have read something without their consent and then discover information they wouldn’t have wanted you to know, what do you do? You can’t “unknow” that information,’ says Ms Collins.  

Under pressure

Some employers have introduced screen savers on their computers to remind staff what they can and can’t do with patient information. Others have introduced screen locks, PINs [personal identification numbers] or dialogue box warnings whenever a staff member is about to access sensitive data. 
A number of NHS trusts and boards also do mandatory information governance training. Ms Collins and her colleagues have been running training sessions for stewards on this topic, which are proving to be very popular – and, she says, they seem to be hitting home. 
One common message is that some of this is happening because physios are so pressurised. Computers are left unattended, for instance, because the process of logging on and off is cumbersome and staff are frantically busy. 
Ms Collins accepts that doing things correctly might take a bit more time. But, she points out: ‘It doesn’t take up anything like the amount of time that going through disciplinary proceedings or appearing at an HCPC hearing will.’

Cautionary tales

CSP member Amanda (not her real name) was in an acrimonious marital breakdown. Her partner had denied a relationship with another woman but Amanda had been told the woman was pregnant by him. She accessed the woman’s medical records to confirm the pregnancy.
The only legitimate way Amanda could find out what she wanted to know was if it was disclosed by one of the parties directly involved. She escaped with a final written warning because of her previously spotless record and because she had been affected by stress and depression linked to her personal circumstances.
Owen’s (not his real name) father was admitted to the same hospital where CSP member Owen worked in the outpatient physiotherapy service. His father didn’t seem to be getting better despite a three-week stay and numerous tests. When visiting his father one day Owen noticed his notes had been left on the bed. With his father’s agreement he looked at the notes to see if they revealed what the doctors thought the problem was.
The notes indicated they were confidential and should only be accessed by health professionals directly involved in the patient’s care. The case came to light after a nurse reported seeing Owen reading the confidential notes. 
The organisation bears the responsibility for keeping sensitive personal data secure and it is arguable that the system in place did not fulfil that obligation. The case ended in a final written warning.
Andrew Cole
