In early 2013, a patient attended at the Norfolk General Hospital (the “Hospital”). She complained that people in Simcoe knew about her attendances at the Hospital. She identified the grievor, a registered nurse with 12 years of experience working in the ICU, as the source of the privacy breach.

The Hospital began an investigation. It found that the ICU nurse had inappropriately accessed hundreds of patient records, including those of family members, in the previous 12 months.

In early March, the nurse met with human resources and was asked whether she had ever accessed information about patients she was not providing care to, and whether she had shared personal health information outside of the Hospital. She answered “no” to both questions. After being given an opportunity to think about her answers, she reconfirmed them.

The Hospital summarily terminated her on March 7, 2013 on the basis of her violations of Hospital Policies and her lack of remorse for those violations. After her termination, the Hospital continued its investigation and found that she had made inappropriate accesses over the past 8 ½ years. The Hospital sent notice letters to over 1,300 patients informing them that a nurse had inappropriately accessed their medical records and that she had been terminated. The local news media picked up the story.

The Ontario Nurses' Association grieved the nurse's termination. Arbitrator Lyle Kanee heard the grievance and rendered his decision on September 22, 2015. He was required to decide two issues:

  1. Did the Hospital have just cause to discipline the nurse?; and
  2. Was the penalty of termination appropriate?

Throughout the process, the grievor argued that she had professional reasons for accessing all the patient records and denied that any of her accesses were either unnecessary or improper. The Union argued that the Hospital lacked just cause to discipline her for a number of reasons including that the Hospital:

a. Misinterpreted the requirements of the Personal Health Information Protection Act, 2005 (“PHIPA”); and
b. Failed to properly educate staff on the confidentiality of health information.

Access to the Electronic Health Record

The Hospital has used an electronic health records system supplied by Meditech since 2004. All users are required to login using a unique username and password. Each nurse, including the grievor, had to sign a Confidentiality Pledge to access the system. In the Confidentiality Pledge, users were required to agree “to never access information for which I have no professional need” and “to adhere to discipline specific professional standards related to confidentiality in an electronic environment”.1

Did the Hospital have Just Cause to Discipline?

The Union argued that PHIPA, when properly interpreted, allows nurses to access the personal health information of patients for educational purposes. The nurse testified that this was the primary reason she accessed the records of patients she wasn't providing care to. Specifically, the Union argued that as an agent of the Hospital, the grievor was permitted to use personal health information for the same purposes the Hospital is able to under section 37 of PHIPA. Under this section, the Hospital, amongst other uses, is permitted to use personal health information for the purpose of risk management and for educating agents.

Arbitrator Kanee rejected this argument. He found that under PHIPA agents are only permitted to access personal health information for educational purposes if the Hospital explicitly allows them to do so. The Hospital did not: its Manual clearly states that:

Each clinician is professionally accountable for only accessing the records of patients under his/her care.2

Further, the Arbitrator found that the professional standards imposed by the College of Nurses clearly require nurses to limit their access to the records of patients that they are caring for.

The Union also argued that the Hospital failed to adequately educate staff about patient confidentiality and appropriate use of the electronic record. The Arbitrator found that the Hospital had “failed in its responsibility to train and educate nurses.”3

The Hospital and its staff have a joint responsibility to ensure that patient confidentiality is respected. Although the Hospital had policies addressing this issue and provided training to the grievor when it introduced the electronic records system, the Arbitrator found that “no further training or education was provided on these important concerns in the next nine years of the grievor's employment.”4

At the same time, however, the Arbitrator found nurses are required to be aware of and inform themselves about the requirements of PHIPA, hospital policies, and the standards of their College. While the lack of education may mitigate some of the accesses, “the grievor knew or ought to have known that she was violating the privacy rights of patients” to the extent that she did.5

The Arbitrator concluded that the grievor had accessed a large number of patient records without any professional need or reason and that discipline was appropriate.

Was Termination Appropriate in all the Circumstances?

The Arbitrator was required to consider whether there were “compelling circumstances” that would justify imposing a penalty less than termination. This required the Arbitrator to consider the number of improper accesses, whether the nurse had consent to access the records of friends or family, and whether the nurse showed remorse, and had acknowledged the wrongdoing.

The Arbitrator upheld the termination. He was influenced by the large number of improper accesses, over 500, which the nurse had made in the year prior to her termination. Her actions also had a negative impact on the Hospital and its reputation and required it to undertake a lengthy and costly audit. Lastly, he found that the grievor did not accept responsibility for the majority of the improper accesses.

The circumstances of this case allowed the arbitrator to uphold the termination even though he had some concerns about the privacy practices within the Hospital and its failure to provide ongoing education to staff. In other cases, a lack of education could be seen as mitigating a small number of improper accesses. As such, hospitals should ensure that staff receive regular updates and training reminding them of their obligations to patient confidentiality and the appropriate uses of the electronic health record. The decision also highlights the importance of having a policy in respect of patient confidentiality that clearly sets out in what circumstances a hospital staff member may or may not access patient records.

1 Norfolk at para. 9.

2 Norfolk at para. 11.

3 Norfolk at para. 134.

4 Norfolk at para. 133.

5 Norfolk at para. 138.


Roberto Ghignone

