Unauthorised access to medical records: just don’t do it

An increasing number of hospital and health services are collating, storing and utilising medical and nursing records in electronic databases. These databases are usually protected with individualised passwords which can be monitored and checked to preserve patients’ privacy and ensure that confidential medical information is accessed on a ‘need to know’ basis. Like any system, nothing is fool proof or guaranteed. Unauthorised access, whether for personal gain or just idle curiosity is no excuse. A recent nurse’s disciplinary tribunal hearing is an example for all nurses to heed.

Nurse A was an experienced nurse who had been registered since 2007 and held postgraduate qualifications in public health and health management. On 14 August 2014, Nurse A while working on a casual basis in Hospital B, accessed a Hospital B computer in the early hours of the morning (during night shift) which had been logged on and left unattended by another permanent nurse employee.

Nurse A took this opportunity to access district-wide electronic health records concerning himself and six other patients (A–F) whom Nurse A had previously cared for. Nurse A did not have authorised log-in credentials that would have allowed him to access those patient records by himself, nor did he have any legitimate reason to access them. The access to all seven records involved multiple pages of each patient’s record being opened and viewed.

At the time of the incident, Nurse A was engaged in longstanding disputes with patients A–F and was at a critical juncture in acrimonious legal and administrative proceedings with Patient A. The details of those relationships and proceedings are deliberately omitted from the judgement for all patients to remain unidentified. Needless to say, it appears that all the disputes and disagreement proceedings were bitter and protracted.

The alarm and/or suspicion was raised when Patient A suspected Nurse A of using his professional position to access Patient A’s health records, based on some information contained in court and administrative documents that Nurse A filed in late 2014.

One other particular piece of confidential information related to a specific incident involving Patient B, which was not general knowledge in the proceedings and only contained in Patient B’s medical records. Knowledge and disclosure of this (and other information) was of ‘benefit’ to Nurse A in advancing his position in his various litigious proceedings.

Suspicions widened concerning Nurse A’s access to confidential medical records in late 2014 and early 2015 concerning patients A, D and C to such a level that they requested a privacy internal review from the relevant Local Health District under the Privacy and Personal Information Protection Act 1998 (NSW) and Health Records and Information and Privacy (HRIP) Act 2002 (NSW).

The HRIP Act regulates health information through the 15 Health Privacy Principles, something all nurses should have knowledge about.

The investigation

On 9 March 2015 Nurse A was interviewed by a panel comprising of Hospital B’s human resources manager, privacy information compliance manager and director of nursing. During that interview, Nurse A acknowledged accessing the relevant records but denied using or disclosing their contents. Nurse A stated in the interview that all of the information he had relayed in court documents was information that he was already aware of.

Nurse A stated that he knew much of the health information by his previous personal interactions with Patients A–E and because of a phone call from a friend over a year earlier reporting the incident in detail related to Patient B.

To Nurse A’s credit, in oral evidence, Nurse A readily acknowledged that his access to the health records was improper and in breach of the relevant policies and codes as particularised in the complaint. He conceded that this amounted to unsatisfactory professional conduct.

The tribunal’s peer expert, CM, was strongly critical of the practitioner’s conduct. CM noted that all staff working in the public health system are bound by law, by policies and by a strict code of conduct, to maintain confidentiality of patient information. CM characterised Nurse A’s conduct as an improper use of their professional position and a violation of patient privacy, which evinced a disregard for the potential harm to the professional reputation and career of the actual staff member whose log-in was used.

Novel defence

Interestingly during the hearing, Nurse A initially sought to dispute the allegation that he had used another staff member’s log-in to access the records. This dispute rested upon a characterisation of what it means to ‘log on’. Nurse A contended that he had not ‘logged in/on’ because he did not actually type in the other staff member’s credentials. Rather, when Nurse A accessed the computer, the system had already been logged in and active for some period under the other staff member’s credentials. This novel submission was rejected as it was uncontested that Nurse A’s access to the relevant records was unauthorised and involved the use of a database which was accessible only because of the other staff member’s credentials. Accordingly, the tribunal found that this aspect of the complaint was established. Nurse A ultimately conceded this and abandoned this submission.

The only real issue in dispute was Nurse A’s motivation in accessing the relevant records.

The verdict

The tribunal found that Nurse A opportunistically sought access to the health records to seek information which he could use to his advantage in his disputes with the patients and to damage some of the patients’ reputations, whose privacy he breached. The tribunal found that this was a most serious abuse of Nurse A’s professional position and thereby was characterised as professional misconduct. Nurse A was reprimanded and his registration suspended for six months.

No matter what the intent or purpose, if nurses in an unauthorised manner access patient medical records – they need to remember: curiosity may kill the cat, but it will most certainly kill your career. Just don’t do it!

Scott Trueman is a senior lecturer in the School of Health at the University of New England.