Lauren Vogel | CMAJ | March 14, 2019
Saskatchewan doctors are calling for changes to restrictive privacy rules after recent breaches.
Is it snooping for doctors to check up on past patients’ health records? A recent case in Saskatchewan shows the answer isn’t straightforward, and confusion about the rules may land doctors in hot water.
The province’s privacy commissioner reported that doctors inappropriately accessed the health records of Humboldt Broncos team members who were involved in a bus crash last April. In one case, a family physician checked the records of a team member who was their patient prior to the crash. Another case involved three doctors who provided emergency care to the team and accessed their records after the patients were transferred to another hospital.
These doctors believed they were still in the “circle of care,” or group of providers treating the team members. But according to the privacy commissioner, they had no right to access the records unless they were currently providing care to the patients. It’s a common misconception among doctors that’s complicated by a lack of clarity and consistency in privacy rules across Canada.
“I would be much happier if I never heard the words ‘circle of care’ again,” says Bryan Salte, associate registrar and legal counsel for the College of Physicians and Surgeons of Saskatchewan. “I think that has produced a significant amount of confusion.”
In Saskatchewan, people may only access health information without express consent if they need it to arrange, assess, provide, continue or support care. Unintentional breaches happen because people focus on the wrong questions, Salte says. “They aren’t asking: Do I need to know this? They’re asking: Am I within the circle of care?”
The college and the Saskatchewan Medical Association say this rule is too restrictive. They’re calling for reforms that would allow physicians to access health records for education and quality improvement. According to Dr. Susan Hayton, director of physician advocacy and leadership at the association, the rules are “not consistent with the way that most physicians provide care, and I don’t think that this is what most patients would want.”
For example, Salte says, “if a physician provides care to a patient and wants to see what the outcome was, it seems reasonable that they ought to be allowed to do that.”
Current privacy rules also pose barriers to regulators sharing information about physician misconduct or patients who are misusing opioids, Salte says. “Information stops at the provincial borders, but patients don’t.”
Adding to the confusion, privacy legislation varies across the country. Although these laws generally allow access to health information to support medical care, the specifics of who accesses what and how may be set by the custodian of the record in question. That may be a clinic, hospital or ministry. “Greater clarity in the legislation would be ideal,” says Dr. Dennis Desai, a senior physician advisor at the Canadian Medical Protective Association. “If the custodian doesn’t clear it up there can be a lot of confusion for everybody.”
Although most privacy breaches are unintentional, the consequences can be severe. Doctors who run afoul of the rules may face complaints, legal action, dismissal and damage to their reputations.
Several Ontario arbitrators have upheld hospitals taking a zero tolerance approach to privacy breaches, holding that dismissal is the appropriate remedy for snooping in patient records. Health organizations may feel pressure to take a tough stance to mitigate their own liability for damages resulting from a breach.
Medical regulators tend only to discipline the most egregious cases, says Salte. For example, it’s clearly unacceptable to check the health records of a neighbor or your daughter’s boyfriend out of curiosity. But in cases where the breach is less clear, “at some point you have to rely upon the professional judgement of the physicians involved,” he says.
Photo credit: Wavebreakmedia/iStock
Connect with CMAJ