DISCIPLINE COMMITTEE OF THE COLLEGE OF NURSES OF ONTARIO
PANEL: Grace Fox, NP Chairperson
Karen Laforet, RN Member
Robert MacKay Public Member
Laura Sanderson, RPN Member
Cathy Ward Public Member
BETWEEN:
COLLEGE OF NURSES OF ONTARIO
NICK COLEMAN for College of Nurses of Ontario
- and -
MELISSA MCLELLAN, Registration No. 0001784
ROBERT STEPHENSON for Melissa McLellan
LUISA RITACCA, Independent Legal Counsel
Heard: April 8, 2016
DECISION AND REASONS
This matter came on for hearing before a panel of the Discipline Committee (the “Panel”) on April 8, 2016, at the College of Nurses of Ontario (the “College”) at Toronto.
The Allegations
The allegations against Melissa McLellan (the “Member”) as stated in the Notice of Hearing dated March 28, 2016 are as follows.
IT IS ALLEGED THAT:
You have committed an act of professional misconduct as provided by subsection 51(1)(c) of the Health Professions Procedural Code of the Nursing Act, 1991, S.O. 1991, c. 32, as amended, and defined in subsection 1(1) of Ontario Regulation 799/93, in that while you were employed as a Registered Nurse at [the Facility] in [ ] Ontario, you contravened a standard of practice of the profession or failed to meet the standard of practice of the profession with respect to accessing personal health information of approximately 5,800 patients without consent or other authorization, when there was no professional purpose for doing so, in or about September 2005 to April 2011.
You have committed an act of professional misconduct as provided by subsection 51(1)(c) of the Health Professions Procedural Code of the Nursing Act, 1991, S.O. 1991, c. 32, as amended, and defined in subsection 1(37) of Ontario Regulation 799/93, in that, you engaged in conduct or performed an act, relevant to the practice of nursing, that, having regard to all the circumstances, would reasonably be regarded by members of the profession as disgraceful, dishonourable or unprofessional with respect to accessing personal health information of approximately 5,800 patients without consent or other authorization, when there was no professional purpose for doing so, in or about 2005 to 2011.
Member’s Plea
The Member admitted the allegations set out in paragraphs 1 and 2 in the Notice of Hearing. The Panel received a written plea inquiry (Exhibit #2) which was signed by the Member. The Panel also conducted an oral plea inquiry and was satisfied that the Member’s admission was voluntary, informed and unequivocal.
Agreed Statement of Facts
Counsel for the College and the Member advised the Panel that agreement had been reached on the facts and introduced an Agreed Statement of Facts (Exhibit #3), which reads as follows.
THE MEMBER
Melissa McLellan (the “Member”) obtained a diploma in nursing [ ] in 1999.
The Member registered with the College of Nurses of Ontario (the “College”) as a Registered Nurse (“RN”) in October 1999.
THE FACILITY
The Member commenced employment as an RN at [the Hospital] in November 1999. The Hospital was amalgamated with [a second facility] to form [the Facility] in April 2011. The Member’s employment with the Facility was terminated in May 2011 as a result of the incidents described below.
During the period of her employment at the Facility, the Member worked on a full-time basis. She worked primarily on [the Unit]. [The Unit] [was an] inpatient medicine unit.
The Facility utilized a hybrid paper and electronic client chart system. Some records were in electronic format, while other records remained in paper format. Nurses were granted access to the electronic file system and had full access to the electronic health records for all clients at the Facility.
To access the electronic records system, each staff member, including the Member, had a unique username and self-selected confidential password.
INCIDENTS RELEVANT TO ALLEGATIONS OF PROFESSIONAL MISCONDUCT
Inappropriate Access of a Staff Member’s Health Record
In or about March 2011, an inpatient of the Acute Inpatient Psychiatric Unit of the Facility, who was also a staff member at the Facility, reported that a number of other staff members of the Facility had visited her in the Psychiatric Unit, even though she had not told them that she had become an inpatient of the Facility. She was concerned that other staff members had determined she was an inpatient by reviewing her electronic health records.
An audit was conducted by the Facility’s Privacy Officer to determine if there had been any inappropriate accesses to the individual’s electronic health records.
The audit revealed that there had been a number of inappropriate accesses to the individual’s electronic health records by staff members of the Facility, including, but not limited to, the Member. With respect to the Member, the audit revealed that the Member had accessed the individual’s electronic health record on March 21, 2011, at 0439 hours for 1 minute and 29 seconds. The audit revealed that the Member reviewed the individual’s visit history, laboratory and clinical records, as well as the dictated notes.
The Member was questioned by management on April 6, 2011, and May 3, 2011, regarding this incident. On both occasions, the Member admitted openly that, although she did not know the individual personally, she did access her electronic health records without consent or other authorization. She also stated that she routinely reviewed electronic health records for clients who were not under her care. She advised management that she never disclosed or shared any of the personal health information she reviewed with anyone else.
Management was concerned about the Member’s statement that she routinely reviewed electronic health records for clients not under her care. As a result, management conducted further audits regarding the Member’s access to electronic health records at the Facility.
Audit Results
Management produced an audit report in or about August 2011 indicating that the Member had allegedly accessed the personal health information of over 5,000 clients of the Facility who were not under her care, without consent or other authorization, or other professional purpose, between August 2005 and April 2011.
Management claimed that the audit report excluded all potentially legitimate accesses by the Member, but the College and the Member have not been able to determine with certainty what parameters were applied to generate the audit report, or to agree that the correct parameters were applied.
If the Member were to testify, she would state that she could not advise whether or not she accessed a specific client’s electronic health record, as listed on the audit report, and could not verify whether or not each individual access was appropriate or inappropriate. However, the Member acknowledges that it was her practice, between 2005 and 2011, to routinely access electronic client records for clients who were not under her care.
If the Member were to testify, she would also state that she was curious about the medical conditions and treatments for clients, including those who were not under her care. In her view, accessing client records served an on-going self-education purpose as a means of keeping current. However, the Member acknowledges that she was not accessing these records pursuant to any authorized educational program and that she recognizes now that it was inappropriate for her to access and review electronic health records in this manner.
There is no evidence that the Member disclosed the personal health information she reviewed for clients not under her care to any other individual, just as she had informed the Facility from the beginning. If the Member were to testify, she would state that she had never disclosed any personal health information for clients not under her care. She would further state that she was not motivated by any malicious intent when she accessed and reviewed the electronic health records for any of the clients who were not under her care.
If the Member were to testify, she would state that she was otherwise viewed as an excellent nurse at the Facility.
The results of the audit report regarding the Member indicate that the Facility did not have an effective system for monitoring access to electronic health records at the Facility.
Notification to Clients of Inappropriate Accesses
Over 5,000 clients were notified by the Facility that their personal health information may have been accessed inappropriately.
Hundreds of clients contacted the Privacy Officer of the Facility and many of them were extremely upset. Several clients indicated they had lost confidence in the Facility and were concerned that the Facility was not protecting their privacy.
The Member and the Facility are defendants in a class action suit brought against them by some of the clients who were notified by the Facility that their health records had been accessed. The Member invokes the protection in s. 14 of the Statutory Powers Procedure Act, s. 9 of the Ontario Evidence Act, and s. 5 of the Canada Evidence Act. Furthermore, she does not waive the protection in s. 36(3) of the Regulated Health Professions Act, 1991.
Provincial Offence Charges
The Member was charged provincially with breaches of the Personal Health Information Protection Act, 2004 in September 2011. The charges were stayed for delay in January 2015 on the grounds that the Member’s rights under s. 11(b) of the Canadian Charter of Rights and Freedoms had been violated. The delay was primarily a result of the Crown’s extensive, late disclosure relating to the methodology used by the Facility to conduct the audit and the Crown’s change in tactics for the trial.
COLLEGE STANDARDS
The College published a Practice Standard in 2004 titled, Confidentiality and Privacy – Personal Health Information (“Practice Standard”), which was later updated in 2009. It discusses the expectations and obligations of a nurse under PHIPA.
The Practice Standard begins with a general statement about the purpose of practice standards:
Nursing standards are expectations that contribute to public protection. They inform nurses of their accountabilities and the public of what to expect of nurses. Standards apply to all nurses regardless of their role, job description or area of practice.
The Practice Standard continues:
… PHIPA permits the sharing of personal health information among health care team members to facilitate efficient and effective care. The health care team includes all those providing care to the client…
Personal health information is any identifying information about clients that is in verbal, written or electronic form.
A nurse is responsible for ensuring that she/he uses client information only for the purpose(s) for which it was collected. A nurse should ensure that it remains secure within the healthcare team. …
…Sharing information among members of the healthcare team to provide care is one use of information under PHIPA...
The Practice Standard contains the following statement of the standard of practice about personal health information:
Nurses share relevant information with the healthcare team, whose members are obliged to maintain confidentiality. Nurses must explain to clients that information will be shared with the healthcare team and identify the general composition of the healthcare team.
The Practice Standard provides key indicators nurses can use to ensure they are meeting the standard, including:
The nurse meets the standard by:
seeking information about issues of privacy and confidentiality of personal health information;
maintaining confidentiality of clients’ personal health information with members of the healthcare team, who are also required to maintain confidentiality, including information that is documented or stored electronically;
maintaining confidentiality after the professional relationship has ended, an obligation that continues indefinitely when the nurse is no longer caring for a client or after a client’s death;
ensuring clients or substitute decision-makers are aware of the general composition of the health care team that has access to confidential information;
collecting only information that is needed to provide care;
not discussing client information with colleagues or the client in public places such as elevators, cafeterias and hallways;
accessing information for her/his clients only and not accessing information for which there is no professional purpose;
safeguarding the security of computerized, printed or electronically displayed or stored information against theft, loss, unauthorized access or use, disclosure, copying, modification or disposal;
not sharing computer passwords; …
ADMISSIONS OF PROFESSIONAL MISCONDUCT
The Member admits that her accesses to the personal health information of clients not under her care, as a matter of course, without consent or other authorization or professional purpose, between 2005 and 2011, and as described in paragraphs 7 to 18 above, constituted a breach of the College’s Practice Standard, Confidentiality and Privacy – Personal Health Information. The Member also admits that this conduct would be regarded by members of the profession as unprofessional.
In particular, the Member admits that she committed the acts of professional misconduct as alleged in the following paragraphs in the Notice of Hearing:
paragraph 1, in that she contravened a standard of practice of the profession or failed to meet the standards of practice of the profession when she accessed the personal health information for clients without consent or other authorization, when there was no professional purpose for doing so, in or about September 2005 to April 2011; and
paragraph 2, in that she engaged in conduct or performed an act, relevant to the practice of nursing, that having regard to all the circumstances, would reasonably be regarded by members of the profession as unprofessional.
Decision
The Panel found that the Member committed acts of professional misconduct as alleged in paragraphs 1 and 2 of the Notice of Hearing.
As to allegation #2, the Notice of Hearing alleges the conduct to be disgraceful, dishonourable and/or unprofessional. The Member only admits to unprofessional conduct in the Agreed Statement of Facts. The College did not ask for a finding that the conduct would also reasonably be regarded by members as disgraceful and/or dishonourable. Accordingly, the Panel found that the Member engaged in conduct that would reasonably be considered by members of the profession to be unprofessional. The Panel finds that this is an appropriate finding in the circumstances, in light of the evidence presented.
Reasons for Decision
The Panel considered and accepted the Agreed Statement of Facts and the Member’s plea. Having done so, we found that this evidence supports findings of professional misconduct as alleged in the Notice of Hearing.
Allegation #1 in the Notice of Hearing is supported by paragraphs 3, 5, 9, 10, 11, 12, 14, 15, 16, 23, 24, 25, 26, and 27 in the Agreed Statement of Facts.
Allegation #2 in the Notice of Hearing is supported by paragraphs 3, 5, 9, 10, 11, 12, 14, 15, 16, 23, 24, 25, 26, and 27 in the Agreed Statement of Facts.
With respect to Allegation #2, the panel finds that the Member’s conduct in accessing over 5,800 patient records without consent or authorization was unprofessional as it demonstrated a serious and persistent disregard for her professional obligations.
Penalty
Counsel for the College and the Member advised the Panel that a Joint Submission on Order had been agreed upon. The Joint Submission (Exhibit #4) requests that this Panel make an order as follows.
Requiring the Member to appear before the Panel to be reprimanded within three months of the date that this Order becomes final.
Directing the Executive Director to suspend the Member’s certificate of registration for four months. This suspension shall take effect from the date that this Order becomes final and shall continue to run without interruption as long as the Member remains in the practising class.
Directing the Executive Director to impose the following terms, conditions and limitations on the Member’s certificate of registration:
a) The Member will attend two meetings with a Nursing Expert (the “Expert”), at her own expense and within six months from the date of this Order. To comply, the Member is required to ensure that:
i. The Expert has expertise in nursing regulation and has been approved by the Director of Professional Conduct (the “Director”) in advance of the meetings;
ii. At least seven days before the first meeting, the Member provides the Expert with a copy of:
the Panel’s Order,
the Notice of Hearing,
the Agreed Statement of Facts,
this Joint Submission on Order, and
if available, a copy of the Panel’s Decision and Reasons;
iii. Before the first meeting, the Member reviews the following College publications and completes the associated Reflective Questionnaires, online learning modules and online participation forms (where applicable):
Professional Standards,
Confidentiality and Privacy – Personal Health Information;
iv. Before the first meeting, the Member reviews Circle of Care: Sharing Personal Health Information for Health-Care Purposes, as released by the Information and Privacy Commissioner of Ontario;
v. At least seven days before the first meeting, the Member provides the Expert with a copy of the completed Reflective Questionnaires and online participation forms;
vi. The subject of the sessions with the Expert will include:
the acts or omissions for which the Member was found to have committed professional misconduct,
the potential consequences of the misconduct to the Member’s clients, colleagues, profession and self,
strategies for preventing the misconduct from recurring,
the publications, questionnaires and modules set out above, and
the development of a learning plan in collaboration with the Expert;
vii. Within 30 days after the Member has completed the last session, the Member will confirm that the Expert forwards his/her report to the Director, in which the Expert will confirm:
the dates the Member attended the sessions,
that the Expert received the required documents from the Member,
that the Expert reviewed the required documents and subjects with the Member, and
the Expert’s assessment of the Member’s insight into her behaviour;
viii. If the Member does not comply with any one or more of the requirements above, the Expert may cancel any session scheduled, even if that results in the Member breaching a term, condition or limitation on her certificate of registration;
b) For a period of 18 months from the date the Member returns to the practice of nursing, the Member will notify each current and new employer of the decision. To comply, the Member is required to:
i. Ensure that the Director is notified of the name, address, and telephone number of all employer(s) within 14 days of commencing or resuming employment in any nursing position;
ii. Provide her employer(s) with a copy of:
the Panel’s Order,
the Notice of Hearing,
the Agreed Statement of Facts,
this Joint Submission on Order, and
a copy of the Panel’s Decision and Reasons, once available;
iii. Only practise nursing for an employer who agrees to, and does, forward a report to the Director within 14 days of the commencement or resumption of the Member’s employment in any nursing position, confirming:
that they received a copy of the required documents,
that they agree to notify the Director immediately upon receipt of any information that the Member has breached the standards of practice of the profession, and
that they agree to perform three random audits of the Member’s accesses to electronic health records at the following intervals:
a. the first audit shall take place within six months from the date the Member begins or resumes employment with the employer;
b. the second audit shall take place within 12 months from the date the Member begins or resumes employment with the employer; and
c. the third audit shall take place within 18 months from the date the Member begins or resumes employment with the employer.
All documents delivered by the Member to the College, the Expert or the employer(s) will be delivered by verifiable method, the proof of which the Member will retain.
Penalty Submissions
Submissions were made by College Counsel and the Member’s Counsel.
The parties agreed that the mitigating factors in this case were:
The Member admitted the misconduct and attended this hearing on a voluntary basis;
The Member submitted a joint submission on order;
The Member has no prior history or misconduct with the College; and
There was no disclosure to other parties of the personal health information that the Member accessed.
The aggravating factors in this case were:
The number of patient records that the Member accessed (approximately 5,800);
The disagreement over the total number of records accessed;
The misconduct occurred over a period of six years; and
The Member’s conduct in accessing patient records was routine and intentional.
The proposed penalty provides for general deterrence through the four-month suspension as it conveys to the Member and the profession the serious breach of confidence and trust that unauthorized access of patient records represents.
The proposed penalty provides for specific deterrence through the oral reprimand, the four-month suspension and the 18-month period of employer notification.
The proposed penalty provides for remediation and rehabilitation through the terms, conditions and limitations, including specifically the meetings with a nursing expert.
Overall, the public is protected because the Member will attend meetings with a nursing expert to discuss and reflect on this specific act of professional misconduct. For a period of 18 months after return to practice the Member’s employer(s) will be aware of the Panel’s findings in order to monitor the Member appropriately. Finally, counsel submitted that the public is protected by the requirement that the Member’s employer(s) conduct random audits of the Member’s accesses to electronic health records at specific intervals.
Counsel submitted cases to the Panel to demonstrate that the proposed penalty fell within the range of similar cases from this Discipline Committee.
CNO v Calvano (Discipline Committee, 2015). In this case the member accessed a total of 338 client records without authorization. The case proceeded by way of an Agreed Statement of Facts and Joint Submission on Order and the penalty included a three month suspension.
CNO v Oliveira (Discipline Committee, 2015). In this case the member accessed approximately 1,300 patient records without authorization. The case proceeded by way of an Agreed Statement of Facts and Joint Submission on Order and the penalty included a five month suspension.
Penalty Decision
The Panel accepted the Joint Submission as to Order and accordingly ordered:
The Member is required to appear before the Panel to be reprimanded within three months of the date that this Order becomes final.
The Executive Director is directed to suspend the Member’s certificate of registration for four months. This suspension shall take effect from the date that this Order becomes final and shall continue to run without interruption as long as the Member remains in the practising class.
The Executive Director is directed to impose the following terms, conditions and limitations on the Member’s certificate of registration:
a) The Member will attend two meetings with a Nursing Expert (the “Expert”), at her own expense and within six months from the date of this Order. To comply, the Member is required to ensure that:
i. The Expert has expertise in nursing regulation and has been approved by the Director of Professional Conduct (the “Director”) in advance of the meetings;
ii. At least seven days before the first meeting, the Member provides the Expert with a copy of:
the Panel’s Order,
the Notice of Hearing,
the Agreed Statement of Facts,
this Joint Submission on Order, and
if available, a copy of the Panel’s Decision and Reasons;
iii. Before the first meeting, the Member reviews the following College publications and completes the associated Reflective Questionnaires, online learning modules and online participation forms (where applicable):
Professional Standards,
Confidentiality and Privacy – Personal Health Information;
iv. Before the first meeting, the Member reviews Circle of Care: Sharing Personal Health Information for Health-Care Purposes, as released by the Information and Privacy Commissioner of Ontario;
v. At least seven days before the first meeting, the Member provides the Expert with a copy of the completed Reflective Questionnaires and online participation forms;
vi. The subject of the sessions with the Expert will include:
the acts or omissions for which the Member was found to have committed professional misconduct,
the potential consequences of the misconduct to the Member’s clients, colleagues, profession and self,
strategies for preventing the misconduct from recurring,
the publications, questionnaires and modules set out above, and
the development of a learning plan in collaboration with the Expert;
vii. Within 30 days after the Member has completed the last session, the Member will confirm that the Expert forwards his/her report to the Director, in which the Expert will confirm:
the dates the Member attended the sessions,
that the Expert received the required documents from the Member,
that the Expert reviewed the required documents and subjects with the Member, and
the Expert’s assessment of the Member’s insight into her behaviour;
viii. If the Member does not comply with any one or more of the requirements above, the Expert may cancel any session scheduled, even if that results in the Member breaching a term, condition or limitation on her certificate of registration;
b) For a period of 18 months from the date the Member returns to the practice of nursing, the Member will notify each current and new employer of the decision. To comply, the Member is required to:
i. Ensure that the Director is notified of the name, address, and telephone number of all employer(s) within 14 days of commencing or resuming employment in any nursing position;
ii. Provide her employer(s) with a copy of:
the Panel’s Order,
the Notice of Hearing,
the Agreed Statement of Facts,
this Joint Submission on Order, and
a copy of the Panel’s Decision and Reasons, once available;
iii. Only practise nursing for an employer who agrees to, and does, forward a report to the Director within 14 days of the commencement or resumption of the Member’s employment in any nursing position, confirming:
that they received a copy of the required documents,
that they agree to notify the Director immediately upon receipt of any information that the Member has breached the standards of practice of the profession, and
that they agree to perform three random audits of the Member’s accesses to electronic health records at the following intervals:
a. the first audit shall take place within six months from the date the Member begins or resumes employment with the employer;
b. the second audit shall take place within 12 months from the date the Member begins or resumes employment with the employer; and
c. the third audit shall take place within 18 months from the date the Member begins or resumes employment with the employer.
All documents delivered by the Member to the College, the Expert or the employer(s) will be delivered by verifiable method, the proof of which the Member will retain.
Reasons for Penalty Decision
The Panel understands that the penalty ordered should protect the public and enhance public confidence in the ability of the College to regulate nurses. This is achieved through a penalty that addresses specific deterrence, general deterrence and, where appropriate, rehabilitation and remediation. The Panel also considered the penalty in light of the principle that joint submissions should not be interfered with lightly.
The Panel concluded that the proposed penalty is reasonable and in the public interest. The Member has co-operated with the College and, by agreeing to the facts and a proposed penalty, has accepted responsibility. The Panel found that the penalty satisfies the principles of specific and general deterrence, rehabilitation and remediation, and public protection. In particular, the order of a four-month suspension provides a clear message to the profession that unauthorized access to patient information is an act that will not be dealt with lightly. It is the obligation of each nurse to protect patients’ right to privacy and when this responsibility is disregarded it damages the public’s trust in the nursing profession.
The penalty is in line with what has been ordered in previous cases.
I, Grace Fox, NP, sign this decision and reasons for the decision as Chairperson of this Discipline panel and on behalf of the members of the Discipline panel as listed below:
Chairperson Date
Panel Members:
Karen Laforet, RN
Robert MacKay, Public Member
Laura Sanderson, RPN
Cathy Ward, Public Member