The Employment Court has recently decided an important case where an employee collected and stored confidential patient information for the claimed purpose of demonstrating that she had been bullied and/or harassed. The employer dismissed the employee for collecting and keeping this patient information.
In Shaw v Bay of Plenty District Health Board [2022] NZEmpC 10 the Court found that Ms Shaw was justifiably dismissed by her employer for breaching patient privacy.
Background
Ms Shaw began working as a cardiac physiologist at the Bay of Plenty District Health Board (DHB) in August 2010.
DHB’s Policies
The DHB’s Health Information Privacy Standards Policy provides that patient records are to remain confidential and protected.
The policy provides that only authorised people entitled to view the information in the course of providing and evaluating services to the patient are to have access to individual health records. The policy states that health records may be accessed for resolving complaints/incident investigations and audit requirements.
Under the policy, patients must be notified of the purpose for which the DHB collects information about that person. The policy also provides that data that does not identify the patient may be used for administrative purposes, statistical evaluation, teaching and educational purposes, but that information is also to be explained to the patient.
The DHB also has a policy for dealing with retaining and destroying inactive patient information which states that the information is to be stored in a secure area allowing maximum protection from damage or loss and to be available to be easily retrieved during minimum stipulated retention periods.
Additional to the policy, Ms Shaw signed the DHB’s Code of Confidentiality at the commencement of her employment. The Code restricted Ms Shaw from disclosing confidential information other than for the proper performance of her job or as required by law and prevents disclosure of confidential patient information other than with the prior consent of the patient.
The relevant part of the Code prohibits the use or attempted use of confidential information for the employee’s personal benefit or for the benefit of any person or organisation in any manner whatsoever other than in accordance with the employee’s duties and responsibilities.
The Code states that breaches of confidentiality may be considered serious misconduct.
The Relevant Events
Ms Shaw felt that she had been bullied for a number of years and allegedly raised this with the DHB during her performance appraisals in 2012 and 2013.
In July 2014, Ms Shaw sent an email to all staff in her department that was critical of the way in which records for a patient referral had been dealt with. One of the recipients complained that the email was offensive and the DHB investigated the complaint.
Ms Shaw subsequently raised a personal grievance about the investigation and concerns about her work environment including issues with her managers and others within her department. An investigation into Ms Shaw’s complaint was to be conducted by Mr McKelvie, the Business Leader — Medical Cluster and her ultimate manager. Mr McKelvie asked Ms Shaw to provide evidence of her allegations.
Ms Shaw provided Mr McKelvie over 150 documents which she claimed evidenced multiple examples of bullying and harassment. There was a substantial quantity of confidential patient information including unsigned patient reports with handwritten comments, patient notes from 2011–2012 and some documents related to work performed by other technicians.
Mr McKelvie considered that collecting and holding this information breached the DHB’s Health Information Privacy Standards and reported the alleged breaches to the DHB’s Privacy Officer, Ms Bingham.
On 14 January 2015, Ms Bingham informed Ms Shaw that she was to conduct an investigation about the alleged breaches of patient privacy and that if the breach was substantiated, it would be serious misconduct and could lead to summary dismissal.
Ms Bingham met with Ms Shaw and her representative on 21 January 2015. Ms Shaw stated that she was aware of the privacy rules relating to patient records but felt they were over-ridden by her need to prove she was being bullied.
On the same day, Ms Shaw and her representative met with Mr McKelvie. Ms Shaw explained that she accessed patient records to record people interfering with her work and that she did not seek patient consent prior to collecting and keeping the information. Ms Shaw did not have an explanation for collecting patient records that she had no clinical involvement with.
Ms Bingham provided a report to Mr Chandler, the DHB’s Chief Operating Officer. The report commented that Ms Shaw was focused on her needs and any consequences arising from her actions were irrelevant to her. The report also expressed Ms Bingham’s opinion that the conduct was serious misconduct and Ms Shaw should be summarily dismissed.
Mr Chandler forwarded the report to Ms Shaw stating that it was his preliminary view that she had breached patient privacy and provided her an opportunity to comment on the report before any further action was taken.
On 18 February 2015, Ms Shaw and her representative met with Mr Chandler. Ms Shaw provided the same explanations and argued that she had not removed the documents from the premises and there was no breach because the records had not gone beyond other DHB employees.
Mr Chandler decided Ms Shaw understood patient privacy however she maintained she was justified in taking and retaining the records for her own purposes. He concluded that her actions constituted a serious breach and informed Ms Shaw of his findings; he advised her that he would support the recommendation to dismiss her.
Mr Chandler provided a report to the DHB’s Chief Executive, Mr Cammish who would be the final decision maker. He was also sent Ms Bingham’s report.
Mr Cammish informed Ms Shaw that he did not intend to re-litigate the matter but wanted to meet with her to hear her views on the information he had been provided. Mr Cammish met with Ms Shaw and her representative on 19 March 2015.
Following the meeting, Ms Shaw received a letter from Mr Cammish which concluded that Ms Shaw had collected and kept patient information in breach of its policies and her employment would be terminated for serious misconduct on 27 March 2015.
The Court’s Findings
The Court considered whether the collection and retention of patient records was a breach of the DHB’s policies. The Court was satisfied that:
- The DHB was entitled to conclude Ms Shaw had breached the DHB’s policy by collecting and retaining patient information where there was no clinical reason to do so, and because a lot of the information she held was for patients she was not involved with.
- The evidence pointed towards a systematic collection of documents over time.
- Ms Shaw’s actions were not excused because the DHB’s policy allowed patient records to be accessed for “resolution of a complaint/incident”. The Court considered the reference to a complaint in the policy is to one raised by a patient, not where a staff member wishes to advance personal grievance claims with their employer.
- The Code of Confidentiality clearly prohibited the use or attempted use of confidential information for an employee’s personal benefit.
- Ms Shaw’s reliance on accessing the documents to resolve a complaint was undermined by the fact that the documents she supplied to Mr McKelvie were mostly old and had been retained by her for some time.
The Court considered whether the DHB adequately investigated and found that there were some minor errors in the process that could be put aside. The Court noted that it was problematic that Mr Cammish, as the decision maker, did not undertake a review of the work of Ms Bingham or entertain Ms Shaw’s argument that she collected the information in response to bullying and/or harassment.
However, Ms Shaw had given evidence to the Court that she provided the same explanations to Mr Cammish as she had done previously: she was entitled to access the information because of the situation she found herself in so that her interests took priority. Mr Cammish’s decision to dismiss relied on this factor.
The Court held that a reasonable employer in the DHB’s position could have reached the conclusion that her breach of patient privacy outweighed other considerations. Ms Shaw was not unjustifiably dismissed.
Consideration of Remedies
The Court considered what remedies Ms Shaw would be entitled to if its conclusion her dismissal was justified was wrong. The Court noted that outrageous or egregious behaviour by the employee may mean that no compensation is awarded to the employee even where the employer’s actions were unjustified.
The Court looked at Ms Shaw’s conduct “through the lens of the significance of patient privacy”. The Court concluded that while Ms Shaw may have thought there was a bona fide reason to collect and hold information, she only reached that conclusion by putting her interests ahead of those of the patients whose records she collected and kept.
On this basis the Court held that the employee’s conduct was so egregious that if she had established a personal grievance, the Court would not have awarded her any remedies.
Comment
This decision is fact specific but provides helpful guidance about what an employee may do in gathering information to support their employment claims. In this case, the information gathered affected the privacy of patients. Keeping that information or using it for the employee’s benefit was not permitted by employer policy.
However, in the end, what the DHB relied on was the employee’s claim that her interests in gathering information to support her claim took priority over the interests of patients. The Court accepted it was reasonable for the DHB to reject that point of view and it was reasonable for Ms Shaw to be dismissed.