Using Patient Health Information in Human Resources Investigation

The Alberta Information and Privacy Commissioner recently confirmed that Alberta Health Services (AHS) breached the rights of one of its employees by intentionally using information from his addiction counselling against him during a human resources investigation. The breach of the employee’s personal health information clearly contravened the Health Information Act (HIA).

So what happened?

After receiving a referral from his psychiatrist, the complainant attended addiction counselling with AHS, which also happens to be his employer. He signed a consent form agreeing that the counsellor could contact the employee’s treating physician and collect information aimed at his treatment. Specifically, the consent stipulated that the information disclosed and collected was to allow AHS to provide him with continuous care, treatment planning and treatment services.

However, instead of treating the complainant as a patient, the counsellor treated him as an employee. The counsellor, worried about Alberta Health Services Code of Conduct, gave all of the employee’s personal health information collected during the counselling sessions to the AHS human resources department. Based on the employee’s addiction and the health information provided, the human resources department conducted an investigation to ensure the fitness of the employee to continue his duties.

This investigation came after the AHS had made repeated requests for the employee to self-report. So before they had proof of his addiction they suspected as much.

As a result of the HR investigation, the employer suspended the employee. Then, the employer gave the information to the employee’s professional body. The decision doesn’t state what happened to the employee after the suspension period ended. I am presuming the employee is still working for AHS and the professional body did not use the information. Well, we hope!

The point is, and this was confirmed in the decision, the complainant did not authorize his treating counsellor to collect or use his personal health information for any other purpose but treatment of his addiction. However, the employer used the information for a human resources investigation to discipline the employee based on a violation of the code of conduct, not to provide treatment or health services as stated in the consent form.

The counsellor misunderstood the meaning of section 27 (1) (c) of the Health Information Act, which allows the use of a patient’s health information from a health service provider for the purpose of investigating the health service provider’s conduct, but does not authorize use of the health service provider’s own health information for that purpose.

The complainant provided this health information to AHS as a patient, and AHS was a custodian of the health information. Therefore, AHS could not use this personal information to manage personnel. AHS could only use the health information that is in its custody and control by virtue of its role as a custodian, and only for the purposes specified in the HIA. The HIA and Freedom of Information and Protection of Privacy Act do not authorize a public body that is a custodian to collect or use such information for personnel management. Based on the Information and Privacy Commissioner’s analysis of the law, this purpose is clearly excluded under both Acts.

In addition, when the employer disclosed the findings of the disciplinary investigation and the addiction to the employee’s professional body, the employer violated the Act again because the information was personal health information that should never have been disclosed.

Saskatchewan, Manitoba, Alberta, British Columbia, New Brunswick, Newfoundland and Labrador, Quebec and Ontario have passed legislation to deal specifically with personal health information by public and private sector health care providers and other health care organizations. These health information privacy statutes apply, directly or indirectly, to agents who act for health care custodians, as well as to service providers that manage information, such as data storage and system management providers. The statutes generally require custodians to notify and obtain express consent from patients for all collection, use or disclosure of personal health information.

Each statute contains provisions entitling patients to access their personal health information in the custody or control of a custodian (subject to limited exceptions), and limits access to (and the use of) health information within a custodian’s organization. With detailed, limited exceptions, each statute prohibits disclosure for purposes other than those to which a patient has consented.

Moreover, maintaining patient confidentiality is a very important legal duty with very few exceptions.

Misunderstanding or not, the counsellor in this case made a grave error, and both the counsellor and the HR department at AHS should have thought twice before using the employee’s personal health information, especially given that the employee in question was employed by the service providing him with the counselling.