A psychiatrist did not break NWT privacy laws when he disclosed the health information of a nurse and patient in reporting an alleged assault to police, the territory’s privacy commissioner says.
The commissioner, Andrew Fox, recently released his review of the 2021 incident at Yellowknife’s Stanton Territorial Hospital.
Fox’s report contains the allegation that a patient assaulted a nurse at the hospital’s psychiatric unit on the evening of October 3, 2021. According to the report, the nurse received medical attention for physical injuries and told her co-workers she did not want to involve the RCMP. Staff did not report the incident to police.
The following morning, a psychiatrist working at the hospital learned about the incident. According to the report, he pressured an administrative employee into giving him the nurse’s home phone number with the intention of reporting the alleged assault to police.
The psychiatrist called the RCMP to report the incident, identifying the patient and nurse. Police told him the nurse would have to make a report.
Advertisement.
Advertisement.
The psychiatrist then phoned the nurse and urged her to press charges. The report said he also told the nurse RCMP should fingerprint the patient at the hospital as a warning to other patients to “not to cross the line” with hospital staff.
The nurse said she was not interested in pressing charges.
NTHSSA reports three privacy breaches
RCMP later followed up with the psychiatric unit manager and said they had contacted the nurse, who did not wish to pursue legal action. Officers considered the matter closed.
The NWT Health and Social Services Authority reported three possible privacy breaches to the information and privacy commissioner: when the psychiatrist disclosed the patient’s personal health information to police, when he disclosed the nurse’s personal health information to police, and when the administrative employee provided the nurse’s phone number to the psychiatrist.
Advertisement.
Advertisement.
Upon review, Fox said the nurse’s injuries and the knowledge that the patient was receiving services at the hospital qualified as personal health information –but the NWT’s Health Information Act allows disclosure to police for law enforcement purposes.
“There is no evidence that it was done for some other or improper purpose,” he wrote.
Fox added that while the psychiatrist’s report to police may have been at odds with other employees’ approach to the alleged assault, it was not a violation of privacy legislation. He said he would not comment on whether it was the “right” course of action.
Fox said that “perhaps not surprisingly,” the psychiatrist has not since returned to the Yellowknife hospital as a locum.
No ‘real risk of significant harm’
Fox found that disclosure of the nurse’s home phone number was also for law enforcement purposes and did not violate her privacy.
“Even if I am incorrect about the disclosure to the police not breaching the nurse’s privacy, in my view the disclosure did not give rise to a real risk of significant harm,” he said, adding “the probability of past, present or future misuse of the nurse’s name and phone number is low.”
Fox did find fault with the health authority’s handling of the possible privacy breaches.
He said the health authority’s report to his office and notification to affected individuals was “unreasonably delayed.”
Advertisement.
Advertisement.
While the psychiatric unit manager submitted reports for an internal investigation on October 5, 2021, the health authority did not inform the information and privacy commissioner of possible breaches until July 18, 2022 – more than eight months later.
Fox added that the health authority had not collected all available evidence at the time of the breach and the psychiatrist was no longer working at the hospital by the time it reported the incident.
“Evidence not collected at the time of a breach is easily lost: memories fade and the employees involved in a breach can be difficult to locate years after a breach,” he wrote.
Commissioner makes recommendations
The health authority said the delay was due to the psychiatric unit’s regular manager being on leave at the time of breach, staff turnover, and a change in the unit responsible for investigating privacy breaches.
Fox also found that the psychiatrist’s privacy training was outdated. While he had last completed privacy training in July 2019, the NWT’s mandatory training policy requires the health authority to provide annual privacy training to its employees. Fox said the health authority was not able to explain the gap.
“As I have observed in other reviews, privacy training is a key administrative safeguard for health information custodians and public bodies to employ to protect the privacy interest in the personal information they hold,” he wrote. “Again, it is essential to provide privacy training to new employees and to be kept current for all employees.”
Fox recommended that the health authority regularly require managers to confirm that all employees, including locum physicians, have completed privacy training as required.
He also recommended that the hospital review its 2010 policy on communication with RCMP to ensure it complies with current legislation.
