Receptionist’s patient privacy breach a ‘red flag’
Sonya Black, LLB (Hons), B.Com, Special Counsel – Employment Law, Avant Law, QLD
Thursday, 30 November 2023
Privacy breaches are a risk in any practice but knowing how to minimise the risk of breaches and deal with them effectively if they do arise, is important.
In this case, a receptionist worked at a rural practice where her teenage son was a patient. He had recently consulted a GP at the practice and told his mother the consultation was about a urinary tract infection.
The next day, while working at the practice, the receptionist accessed her son’s medical record and discovered the consultation was about a sexually transmitted infection (STI). That night, she told her son how disappointed she was about the diagnosis. The son expressed his anger at his mother for breaching his privacy.
While he didn’t make a formal complaint to the practice, he informed his GP about the privacy breach. The GP told the practice owner of the breach, who called Avant’s Medico-legal Advisory Service for advice on how to deal with the situation. As the receptionist had been an exemplary employee, the practice owner did not wish to dismiss the receptionist but was keen to send a clear message to practice staff about the importance of patient privacy.
As a condition of her employment, the receptionist had conditions in her contract regarding privacy and confidentiality. If she accessed her son’s records, her conduct was in breach of her contract and privacy legislation.
Managing the situation
When concerns are raised about a staff member’s breach of patient privacy or confidentiality, it’s important for the practice to deal with the situation quickly. This can be managed as either a performance issue or a misconduct issue.
Generally, performance issues would include minor breaches of practice policy such as failing to shred documents after scanning them. While many performance issues can be resolved through communication and guidance about the practice’s policies and processes, ongoing performance issues may result in disciplinary action.
On the other hand, a concern should be dealt with as a potential misconduct issue when a specific breach of practice policies and procedures has occurred. For example, discussing confidential patient information outside the practice or accessing patient records for a ‘sticky-beak’.
In this case, Avant’s medico-legal expert advised the practice to treat the breach as a misconduct issue. The practice owner was advised to conduct an initial investigation into the complaint (in this case, by reviewing the receptionist’s access to patient medical records) before raising the issue with the receptionist. Some practice software can identify which records a staff member has accessed, when and for how long. Unfortunately, the practice software was unable to provide this information, so the practice had no independent evidence the receptionist had accessed her son’s medical record.
Avant recommended the practice take the following steps:
1. Advise the receptionist you would like to meet with her to discuss a privacy breach and suggest she brings a support person.
2. Ensure a note-taker is present at the meeting and explain the role of the support person (i.e. they are there to support the receptionist but not to represent her or speak on her behalf).
3. Inform the receptionist her son advised his GP that she had accessed his medical record and discussed the results of the consultation with him. Advise that if proven, this conduct would constitute a breach of her contract and confidentiality agreement and could result in disciplinary action. Give her an opportunity to respond to the complaint.
4. If the receptionist confirms she did access the record, ask her to explain her reason for doing so. Tell her you will consider the next steps and advise her in due course. If you are not satisfied with her explanation, you can take disciplinary action. This might be dismissal or a written warning, depending on all the circumstances.
5. If the receptionist says she did not access the record, you will need to determine whether you think she is telling the truth. For example, by asking her how she became aware of her son’s diagnosis. If you are not satisfied with her explanation, you can still take disciplinary action, but it may be difficult to justify dismissal.
6. It’s important to conduct the meeting appropriately to minimise the risk of the receptionist making a stress claim. Ensure the receptionist is safe to return to work after the meeting or, alternatively, allow her to go home. It’s important to make sure she can get home safely if she is upset.
In this case, there is no need to notify the privacy breach to the Office of the Australian Information Commissioner under the privacy laws. A notification only applies if there is a risk of serious harm to an individual that cannot be remediated. In this case, the son already knows about the privacy breach and steps were taken to remediate the risk of harm.
Treating people you know
Your practice has an obligation under the Privacy Act 1988 to take all reasonable steps to protect the personal information you hold from misuse, interference and loss, and from unauthorised access, modification, or disclosure.
As this case demonstrates, practices should avoid treating staff or their families, given the risks of privacy breaches and other risks as outlined in our factsheet.
A staff member accessing another employee’s medical record, or in this case, their child’s record, whether on purpose or inadvertently, is a privacy breach and may also be a notifiable data breach.
Preventing privacy breaches
It may not be practicable for your practice to avoid treating staff and their families in rural locations where another doctor is some distance away. In these situations, having measures in place can minimise any risks:
- Train your staff and regularly update them about their privacy obligations.
- Appoint a senior staff member to be responsible for privacy compliance.
- Document processes for managing staff authorisation, authentication and access to records. Where possible, limit access to the clinical aspect of records to clinicians.
- Place hardcopy referrals and scripts etc into envelopes for collection by patients.
- Have a process for proactively detecting data breaches.
- Have a data breach response plan if a privacy breach is discovered.
View our resources developed to help practices minimise the risk of data breaches and if they do arise, how to respond.
Ensuring the privacy and confidentiality of patient information is fundamental to the doctor-patient relationship. Treating staff, practice colleagues and their families heightens the risk of a privacy breach. The simplest answer is to not treat them if you can avoid it.
If you do choose to treat staff, practice colleagues and their families or it is unavoidable in a rare urgent or acute situation:
- Discuss the issue with new staff and set boundaries and expectations.
- Ensure you have appropriate systems in place to guard against privacy breaches.
- Train your staff and regularly update them about their privacy obligations.
- Document processes for managing staff authorisation, authentication and access to records.
Read section 3.14 on personal relationships in the Medical Board of Australia’s Good medical practice: A code of conduct for doctors in Australia.
Important: Liability limited by a scheme approved under Professional Standards Legislation. Legal practitioners employed by Avant Law Pty Limited are members of the scheme.
The information in this article is current to 31 October 2023.
The case discussed in this publication is based on a real case. Certain information has been de-identified to preserve privacy and confidentiality. The information in this article does not constitute legal advice or other professional advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of its content.