Over a period of several months in 2019, whilst working in the intensive care unit of a hospital, the nurse accessed the medical records of:
- her husband;
- two former partners of the husband;
- three children of the husband; and
- 27 people who had no apparent connection to her.
The records were held on an electronic database maintained by the hospital and access to the records was password protected.
In her employment at the hospital, the nurse had received training about the restrictions on access to health records and the obligation to maintain confidentiality. She admitted in the proceedings that she understood that access to health records was only permitted for the purpose of providing care to patients. She also admitted that when she accessed the patient records of her husband’s family members, she understood that she lacked the authority to do so.
In March 2020, the nurse pleaded guilty in criminal proceedings brought against her pursuant to s.308H(1) of the Crimes Act 1900 (NSW) which makes it an offence for a person to cause unauthorised access to restricted data held in a computer. When considering the vocational disciplinary proceedings before it, the Tribunal noted that whilst her conduct could not be described as falling at the high end of the scale in terms of criminality, it was a very serious breach of her ethical obligations with respect to the use of health records.
The Tribunal found that the nurse accessed the health records of family members for the purpose of providing information contained in those records to her husband, to be used by him in Family Law proceedings. In addition, she admitted accessing information contained in her husband’s health records for use by him in a compensation claim. In relation to the other records accessed, the Tribunal noted that there were any number of reasons which may explain the nurse’s actions, including idle curiosity. However, on the available material it could not know why those records were accessed and therefore there was an appreciable risk that the nurse may re-offend.
The Tribunal stated that on the available evidence it was not satisfied that the risk posed could be reduced to one addressed by the imposition of conditions. For that reason, cancellation of the nurse’s registration was necessary.
Of note, the Tribunal ordered that its decision not take effect for 60 days, to minimise the impact of the decision on the nurse’s current employer in circumstances where the demand for intensive care nursing services has increased due to the Covid-19 pandemic.
Take Away
With electronic medical records now the norm in most hospitals and medical practices, practitioners must be aware of the policies in place at their workplace which govern the use of and access to health records. A standard clause in most policies of this nature is a prohibition on using the database to look up information regarding a relative, friend or person which is not associated with purposes required in the course of their employment.
Registered health practitioners are also required to comply with the terms of the codes of conduct published by their registration boards which make clear the requirements for ethical conduct and maintaining confidentiality over health records.
As demonstrated in the present case, breaches of these policies and codes may result in termination of employment, criminal proceedings and disciplinary proceedings, leading to the possible loss of registration in the profession.
To read the full decision in Health Care Complaints Commission v Payne [2021] NSWCATOD 145, click here.