Patient privacy breaches have been hitting the headlines. The infamous ‘eel’ x-ray in Auckland led to staff dismissals, and spying on cricket star Jesse Ryder’s clinical notes resulted in four clinicians facing disciplinary action. Nurse-turned-lawyer ROBIN KAY looks at the legal and ethical issues for nurses around accessing patient records – particularly now that unauthorised reading of a file leaves an ‘electronic fingerprint’.
Nurses’ and other clinicians’ inability to resist the temptation to unlawfully access high-profile patients’ records has been given significant media coverage recently.
According to a recent Official Information Act release reported in The Press in July, district health boards have dealt with 20 reported breaches of privacy already this year. Some of those involved were nurses and were dismissed by their employer.
This behaviour has highlighted a worrying lack of understanding by staff of the regulatory framework surrounding access to clinical notes, and of the serious consequences of breaching that framework.
In the modern era, where most records are in electronic form and are accessed via the employer’s database, there is an electronic fingerprint left when a member of staff opens clinical records. This makes it very easy for an employer to see who has accessed the patient’s clinical records, when they did so, and what they looked at.
WHY MAY HAVING A LOOK AT SOMEONE’S NOTES BE A PROBLEM?
Your contract of employment
Firstly, you and your employer have entered a contract of employment. Most clinicians’ contracts will have a clause that relates to confidentiality and protection of information obtained during your employment. If you access the notes of a patient who you are not providing care to, you are very likely to be in breach of your contract of employment and find yourself subject to disciplinary action taken by your employer.
Your professional code of conduct
Secondly, you are very likely to be in breach of your professional code of conduct. Principle 5 of the Nursing Council of New Zealand’s Code of Conduct for Nurses states that nurses should respect health consumers’ privacy and confidentiality.
As a nurse, you have a professional duty under the code to access an individual’s health records, be they clinical notes, test results, x-ray records, or any other type only for the purpose of providing care. If you are not involved in the individual’s care, you are breaching your professional code of conduct when you access those notes.
The Health Information Privacy Code 1994
Accessing an individual’s notes when you are not involved in their care is also a breach of the Health Information Privacy Code 1994 (HIPC). The HIPC applies to health information relating to identifiable individuals and applies to all agencies providing personal or public health or disability services; an ‘agency’ includes an individual clinician.
The HIPC protects clinical information about the health of the individual, any disabilities that the individual has or has had, any current or historic treatment provided to that person, and information obtained prior to, during or incidental to the provision of health services to that person. Accessing an individual’s clinical notes when you are not involved in their care and do not have their authority to do so could constitute a breach of rule 10 and/or 11 of the HIPC. Rule 10 provides that when an agency collects information for one purpose, it must not use that information for a different purpose. For example, information obtained for clinical purposes should not be accessed for mere curiosity by a clinician not directly involved in that person’s care.
The courts and various tribunals have considered whether “browsing” through information constitutes “use” under this rule, and the legal authorities suggest that one perhaps needs to do something more with the information than merely reading it.
However, this point is not decided, and in light of the current uncertainty about the legal status under this rule of reading notes without authorisation, it would be a foolhardy nurse who decided to take the risk.
Rule 11 provides, in basic terms, that an agency that holds personal information should not disclose it to a person or body or agency unless it is disclosure of information that is:
in a publicly available publication; or to the individual concerned; or authorised by the person concerned; or for maintenance of the law, including safety of others or the conduct of proceedings before a court or tribunal; or in a form that does not identify the individual.
If you access and then disclose that information, by any means, to another party, without any of the justifications listed in a) to e) above, you are likely to be in breach of rule 11.
WHAT CAN HAPPEN IF YOU BREACH YOUR EMPLOYMENT AGREEMENT, OR YOUR PROFESSIONAL CODE OF CONDUCT, OR THE HIPC?
As already mentioned, you will undoubtedly find yourself answering some very tricky questions posed by your employer. Your employer could take disciplinary action against you in the form of a warning, verbal or written, or if sufficiently serious, dismissal. Finding another nursing job with a reference that explains why you lost your previous position or without a reference at all will not be easy.
Furthermore, any person can make a complaint to the Nursing Council about unauthorised access of clinical notes. The council must promptly forward a copy of the complaint to the Health and Disability Commissioner. The commissioner decides whether they have jurisdiction and whether they will investigate the complaint. In any event, the council can refer the complaint to a professional conduct committee (PCC) in situations where there was no health provider/health consumer relationship between the parties. In the case of a nurse accessing an individual’s clinical records without authority where they do not have a health provider/health consumer relationship, it is highly likely that the complaint will be considered by the PCC. If there are sufficient concerns about your practice, your registration can be suspended while the complaint is processed.
The PCC can decide that no further action be taken against you; or that the matter be referred for conciliation; or that the matter be referred to the Health Practitioners Disciplinary Tribunal. For breaches of privacy and confidentiality, it is likely that you will find yourself appearing before the tribunal. If you have any doubt about this, visit http://www.hpdt.org.nz and search using the words ‘confidential’ or ‘privacy’, to find examples where clinicians have inappropriately accessed and used clinical records.
If a nurse is found guilty of professional misconduct by the tribunal, in that the nurse’s conduct amounts to malpractice, negligence, or brings discredit to the profession, the tribunal can cancel the nurse’s registration or suspend it for a period of no more than three years; censure the nurse; order that the nurse pay a fine of up to $30,000; and order the nurse to pay legal and other costs, which can run into thousands of dollars.
SOME REALLY BAD NEWS
As if the outcomes just outlined are not serious enough, the person whose privacy has been breached may decide to sue the nurse in person, on the basis that the nurse has breached the common law (law that is made by judges rather than the legislature) of confidentiality and/or privacy. It is often better for the injured party to sue the nurse’s employer for the actions of the nurse rather than the nurse themselves – because the employer usually has more money. However, it is possible that a nurse’s acts are such that the employer is not responsible for what the nurse did, and in such a case, the injured party may decide to sue the nurse in person. This process is invariably long, very stressful, and can lead to the nurse having to pay damages.
HOW TO AVOID FALLING FOUL OF THE PRIVACY FRAMEWORK
Despite the somewhat alarmist portrayal of what can happen to a nurse who reads records that they have no right to read, avoiding trouble is very easy:
Develop a working knowledge of the HIPC. For further guidance, have a look at the excellent On the Record – A Practical Guide to Health Information, produced by the Privacy Commissioner and available at
If you are not directly involved in an individual’s care, stay away from their clinical records!
If you are involved in that individual’s care, access only those parts of the clinical records that you require in order to provide the care necessary; and
Use the information that you are allowed to access only for the purpose(s) that you need it.
Just be mindful of why you are accessing someone’s notes, and hopefully, you won’t ever need to contact a lawyer to assist you.
The author: Robin Kay RMN, Dip. Health, LL.B (Hons) and LL.M (Health Law) was a mental health nurse for more than 20 years before becoming a Christchurch solicitor. He has a keen interest in the legal aspects of nursing practice, particularly professional conduct and is an associate member of the College of Nurses Aotearoa.