College of Nurses of Ontario v. Eurestica Anasarias, 2017 ONCNO 62908

DISCIPLINE COMMITTEE OF THE COLLEGE OF NURSES OF ONTARIO

PANEL: MICHAEL HOGARD, RPN Chairperson TANYA DION, RN Member MARY MACMILLAN-GILKINSON Public Member DEVINDER WALIA Public Member INGRID WILTSHIRE-STOBY, RN Member

BETWEEN:

COLLEGE OF NURSES OF ONTARIO MEGAN SHORTREED for College of Nurses of Ontario

• and -

EURESTICA ANASARIAS Reg. No. 9306689 ROBERT STEPHENSON for Eurestica Anasarias

ANDREA GONSALVES Independent Legal Counsel

Heard: June 1, 2017

DECISION AND REASONS

This matter came on for hearing before a Panel of the Discipline Committee on June 1, 2017 at the College of Nurses of Ontario (“the College”) at Toronto. The Member participated in the hearing through teleconference.

Publication Ban

On request of the College, and unopposed by the Member, the Panel ordered pursuant to s. 47 of the Health Professions Procedural Code of the Nursing Act, 1991 that no person shall publish the identity of the Client or any information that could tend to identify the Client.

The Allegations

The allegations against Eurestica Anasarias (the “Member”) as stated in the Notice of Hearing dated June 1, 2017 are as follows.

IT IS ALLEGED THAT:

1. You have committed an act of professional misconduct as provided by subsection 51(1)(c) of the Health Professions Procedural Code of the Nursing Act, 1991, S.O. 1991, c. 32, as amended, and defined in subsection 1(1) of Ontario Regulation 799/93, in that, while employed as a Registered Nurse at [the Hospital] in [ ], Ontario (the “Hospital”), you contravened a standard of practice of the profession or failed to meet the standard of practice of the profession with respect to accessing a Hospital client’s personal health information in electronic medical records, without consent or other authorization, on or about September 15, 2014, at 7:59 a.m.

2. You have committed an act of professional misconduct as provided by subsection 51(1)(c) of the Health Professions Procedural Code of the Nursing Act, 1991, S.O. 1991, c. 32, as amended, and defined in subsection 1(37) of Ontario Regulation 799/93, in that, while employed as a Registered Nurse at the Hospital, you engaged in conduct or performed an act, relevant to the practice of nursing, that, having regard to all the circumstances, would reasonably be regarded by members of the profession as disgraceful, dishonourable or unprofessional with respect to accessing a Hospital client’s personal health information in electronic medical records, without consent or other authorization, on or about September 15, 2014, at 7:59 a.m.

As to allegation 2, counsel for the College advised the Panel that the College was only requesting a finding that the Member’s conduct would reasonably be regarded by members of the profession as dishonourable and unprofessional.

Member’s Plea

The Member admitted the allegations set out in paragraphs 1 and 2 in the Notice of Hearing. The Member’s admission to allegation 2 was that her conduct would reasonably be regarded by members of the profession as dishonourable and unprofessional. The Panel received a written plea inquiry which was signed by the Member. The Panel also conducted an oral plea inquiry and was satisfied that the Member’s admission was voluntary, informed and unequivocal.

Agreed Statement of Facts

Counsel for the College and the Member advised the Panel that agreement had been reached on the facts and introduced an Agreed Statement of Facts, which reads as follows:

AGREED STATEMENT OF FACTS

THE MEMBER

1. Eurestica Anasarias (the “Member”) obtained a diploma in nursing in the Philippines in 1983.

2. The Member registered with the College of Nurses of Ontario (the “College”) as a Registered Nurse (“RN”) on October 14, 1992.

3. The Member was employed at [the Hospital] as a Registered Nurse from February 8, 2001 to September 16, 2014, when she resigned from her employment as a result of the incident below.

4. The Member was highly regarded by her colleagues. She has never been the subject of workplace concerns or conduct nor has she had any prior complaints filed against her at the College.

THE CLIENT

5. [The Client] was [ ] years old at the time of the incident.

6. The Client was on [the Unit] at the Hospital.

7. At the time of the incident, the Client was [ ] and the fact of [ ] admission to the Hospital and [ ] general diagnosis were widely publicized. Given the Client’s profile, the Hospital took extra measures to protect [ ] privacy.

8. The Hospital used PowerChart as its electronic health record system. When PowerChart is launched, a Privacy Notice appears, which states:

Privacy of our patients and protection of their personal health information is a top priority for [the Hospital]. Access to any aspect of a patient’s record is restricted only to those individuals involved in the circle of care for that patient or other authorized users. [The Hospital] regularly audits access to all health records, and any unauthorized access may lead to disciplinary action up to and including termination of employment…

9. The Client was designated a [ ] client by the Hospital, which meant that a yellow star appeared beside [the Client’s] name when [the Client’s] name or Medical Record Number was entered in PowerChart. When [the Client’s] health record was accessed, by clicking on [the Client’s] name, a Privacy Notice popped up that said:

Please respect the privacy of this patient’s health record. The hospital will be auditing access to this record, and any unauthorized access will be addressed in accordance with [the Hospital’s] privacy policies.

By clicking “ok” I confirm that I am part of the circle of care of this patient, and am accessing this record for the purpose of providing care only.

10. Once the second privacy notice appeared, there was no way to exit other than to shut down the computer or click “OK” and launch the patient’s chart.

11. On September 11, 2014, the Hospital President and CEO sent an email hospital-wide with the subject line: [ ]. The email stated:

As you may be aware, a [ ] patient was admitted here at [the Hospital] earlier today. At this time I ask for your full cooperation and diligence in following our clinical and privacy protocols while this patient remains in our care, as we do for all our patients.

12. The Member was not working on September 11, 2014 and therefore did not see the e-mail from the President and CEO that day. However, she acknowledges that she was responsible for checking her email on her September 15, 2014 shift.

13. The procedures set out in paragraphs 7-9 above were only implemented when the Client was admitted to the Hospital. The Hospital did not provide training on these new procedures.

HOSPITAL POLICIES

14. The Hospital had a policy titled “Confidentiality of Personal Health Information Policy and Procedure.” The purpose of the Policy was to outline the Hospital’s “commitment to the protection of patient health information from theft, loss and unauthorized access, copying, modification, use and disclosure.”

15. The Policy also contained a section called Breaches of Patient Privacy, which stated that a breach “includes any intentional or inadvertent unauthorized access, use or disclosure of confidential information and any inappropriate disposal of confidential information.”

16. The Member completed training respecting this Policy before the incident below.

COLLEGE STANDARDS

17. The College issued a Practice Standard titled Confidentiality and Privacy – Personal Health Information (“Practice Standard”). It was first published in 2004 and updated in 2009. It largely addresses the Personal Health Information Protection Act (“PHIPA”).

18. The Practice Standard begins with a general statement about the purpose of practice standards:

Nursing standards are expectations that contribute to public protection. They inform nurses of their accountabilities and the public of what to expect of nurses. Standards apply to all nurses regardless of their role, job description or area of practice.

19. The Practice Standard provides key indicators nurses can use to ensure they are meeting the standard, including:

The nurse meets the standard by:

• seeking information about issues of privacy and confidentiality of personal health information;

• maintaining confidentiality of clients’ personal health information with members of the healthcare team, who are also required to maintain confidentiality, including information that is documented or stored electronically;

• maintaining confidentiality after the professional relationship has ended, an obligation that continues indefinitely when the nurse is no longer caring for a client or after a client’s death;

• ensuring clients or substitute decision-makers are aware of the general composition of the health care team that has access to confidential information;

• collecting only information that is needed to provide care;

• not discussing client information with colleagues or the client in public places such as elevators, cafeterias and hallways;

• accessing information for her/his clients only and not accessing information for which there is no professional purpose; [emphasis added]

• safeguarding the security of computerized, printed or electronically displayed or stored information against theft, loss, unauthorized access or use, disclosure, copying, modification or disposal;

• not sharing computer passwords; …

20. The Member acknowledges that she was bound by the College’s Practice Standard and that a nurse who breaches those standards and the statutory obligations set out in PHIPA is subject to discipline by the College.

INCIDENT RELEVANT TO ALLEGATIONS OF PROFESSIONAL MISCONDUCT

21. The Member worked the day shift on September 15, 2014.

22. In September 2014, the Hospital conducted an internal audit of its electronic documentation system. The audit revealed that on September 15, 2014 at 07:59, the Member accessed the Client’s personal health record, a client for whom she had not been providing care.

23. The Member was working on [Unit 1], when the access was made. The Client was in the [Unit 2]. The two units are separate – staff in [Unit 1] are not within the circle of care for patients in [Unit 2].

24. The audit revealed that the Member’s unique login credentials were used to access the Client’s “Inpatient Summary,” which contains personal health information within the meaning of PHIPA. The Inpatient Summary contains the following personal health information within the meaning of PHIPA: patient's name, age, date of birth, reason for visit, vital signs, emergency contact (next of kin), attending physician, diagnosis, links to medications, list of and links to pathology tests, list of and links to microbiology tests, list of and links to diagnostic tests, and links to more detailed heath information.

25. The Member admitted her actions when questioned by the Hospital later that same day. She has not denied her actions at any point. Specifically, the Member admitted to the Hospital that she accessed the Client’s personal health records without consent or proper authorization because she was curious about the Client’s age, having read about [ ] family history of [ ] in the newspaper. However, she stated that she exited the record quickly and without reading anything other than the Client’s age and treating physician. If the Member were to testify she would say that as a result of the configuration of the warning pop-up, she panicked and clicked “OK”. The Member had no intention of accessing the Client’s chart.

ADMISSIONS OF PROFESSIONAL MISCONDUCT

26. The Member admits that her unauthorized accesses to the Client’s personal health information set out in paragraphs 21 to 25 above constitutes a breach of the College’s standard on Confidentiality and Privacy – Personal Health Information.

27. The Member admits that she committed the acts of professional misconduct as alleged in the following paragraphs of the Notice of Hearing:

• 1, in that she contravened a standard of practice of the profession or failed to meet the standards of practice of the profession ; and

• 2, in that she engaged in conduct or performed an act, relevant to the practice of nursing, that having regard to all the circumstances, would reasonably be regarded by members of the profession as dishonourable and unprofessional.

Decision

The Panel finds that the Member committed acts of professional misconduct as alleged in paragraphs 1 and 2 of the Notice of Hearing. As to allegation # 2, the Panel finds that the Member engaged in conduct that would reasonably be regarded by members of the profession to be dishonourable and unprofessional.

Reasons for Decision

The Panel considered the Agreed Statement of Facts and the Member’s plea and finds that this evidence supports findings of professional misconduct as alleged in the Notice of Hearing.

Allegation #1 in the Notice of Hearing is supported by paragraphs 17, 18, 19, 20 21, 22, 23, 24, 25, 26 & 27 in the Agreed Statement of Facts. The Member, without authorization, accessed a Client’s electronic health records when there was no professional purpose. The Member was not in the Client’s circle of care and, in fact, worked in a separate unit. The Member clearly breached the College’s Practice Standard, Confidentiality and Privacy- Personal Health Information.

With respect to Allegation # 2, the Panel finds that the Member’s conduct was unprofessional and lacked good judgement, as she allowed her curiosity to supersede her professional obligations.

The Panel also finds that the Member’s conduct was dishonourable and falls well below the conduct that is expected of a nursing professional. The Member ignored her Hospital’s protocols and warnings, as well as College’s standards. She appeared to have done so in the hopes of gaining information related to the Client’s age and family health history. The Member ought to have known that breaching a Client’s privacy is very serious misconduct.

Penalty

Counsel for the College and the Member advised the Panel that a Joint Submission on Order had been agreed upon. The Joint Submission requests that this Panel make an order as follows:

1. Requiring the Member to appear before the Panel to be reprimanded within three months of the date that this Order becomes final.

2. Directing the Executive Director to suspend the Member’s certificate of registration for one month. This suspension shall take effect from the date that this Order becomes final and shall continue to run without interruption as long as the Member remains in the practising class.

3. Directing the Executive Director to impose the following terms, conditions and limitations on the Member’s certificate of registration:

a) The Member will attend two meetings with a Nursing Expert (the “Expert”), at her own expense and within six months from the date of this Order. To comply, the Member is required to ensure that:

i. The Expert has expertise in nursing regulation and has been approved by the Director of Professional Conduct (the “Director”) in advance of the meetings;

ii. At least seven days before the first meeting, the Member provides the Expert with a copy of:

1. the Panel’s Order,
2. the Notice of Hearing,
3. the Agreed Statement of Facts,
4. this Joint Submission on Order, and
5. if available, a copy of the Panel’s Decision and Reasons;

iii. Before the first meeting, the Member reviews the following College publications and completes the associated Reflective Questionnaires, online learning modules and online participation forms (where applicable):

1. Professional Standards,
2. Confidentiality and Privacy - Personal Health Information

iv. Before the first meeting, the Member reviews Circle of Care: Sharing Personal Health Information for Health-Care Purposes, as released by the Information and Privacy Commissioner of Ontario;

v. At least seven days before the first meeting, the Member provides the Expert with a copy of the completed Reflective Questionnaires, and online participation forms;

vi. The subject of the sessions with the Expert will include:

1. the acts or omissions for which the Member was found to have committed professional misconduct,
2. the potential consequences of the misconduct to the Member’s clients, colleagues, profession and self,
3. strategies for preventing the misconduct from recurring,
4. the publications, questionnaires and modules set out above, and
5. the development of a learning plan in collaboration with the Expert;

vii. Within 30 days after the Member has completed the last session, the Member will confirm that the Expert forwards his/her report to the Director, in which the Expert will confirm:

1. the dates the Member attended the sessions,
2. that the Expert received the required documents from the Member,
3. that the Expert reviewed the required documents and subjects with the Member, and
4. the Expert’s assessment of the Member’s insight into her behaviour;

viii. If the Member does not comply with any one or more of the requirements above, the Expert may cancel any session scheduled, even if that results in the Member breaching a term, condition or limitation on her certificate of registration;

b) For a period of 12 months from the date the Member returns to the practice of nursing, the Member will notify her employers of the decision. To comply, the Member is required to:

i. Ensure that the Director is notified of the name, address, and telephone number of all employer(s) within 14 days of commencing or resuming employment in any nursing position;

Provide her employer(s) with a copy of:

1. the Panel’s Order,
2. the Notice of Hearing,
3. the Agreed Statement of Facts,
4. this Joint Submission on Order, and
5. a copy of the Panel’s Decision and Reasons, once available;

ii. Ensure that within 14 days of the commencement or resumption of the Member’s employment in any nursing position, the employer(s) forward(s) a report to the Director, in which it will confirm:

1. that they received a copy of the required documents, and

2. that they agree to notify the Director immediately upon receipt of any information that the Member has breached the standards of practice of the profession; and

3. All documents delivered by the Member to the College, the Expert or the employer(s) will be delivered by verifiable method, the proof of which the Member will retain.

Penalty Submissions

Submissions were made by College Counsel. The Member’s Counsel indicated that he agreed with those submissions.

The parties agreed that the mitigating factors in this case were:

• This was the Member’s first offence.
• It was a single incident with a single Client.
• The Member admitted her conduct to the Hospital and the College.
• The Member cooperated with the College thus avoiding a long, costly hearing.
• The Member is remorseful.

The aggravating factors in this case were:

• The Client, whose files were accessed, was not in the Member’s circle of care.
• The Member used her position as a nurse to relieve her curiosity regarding the Client’s personal health information.
• The Member acknowledged that she received training on the Breaches of Patient Privacy embedded within the Hospital’s policy entitled “Confidentiality of Personal Health Information Policy and Procedure”.
• The Member ignored the yellow star beside the Client’s name and the privacy warning which popped up.

The proposed penalty provides for general deterrence through the one month suspension and the terms, conditions and limitations.

The proposed penalty provides for specific deterrence through the reprimand and the terms, conditions and limitations.

The proposed penalty provides for remediation and rehabilitation through the reprimand and the two meetings with a Nursing Expert.

Overall, the public is protected because the Member will improve her practice and develop greater insight into her professional obligations.

Counsel submitted one case to the Panel to demonstrate that the proposed penalty fell within the range of similar cases from this Discipline Committee. CNO v. Ann H.A. Raeburn-Lewis (Discipline Committee 2016) has almost identical facts. It involved one serious breach of access to medical health records. The breach was also precipitated by curiosity. The member’s conduct was deemed to be both unprofessional and dishonourable. The member was given a one month suspension and an 18 month employer notification.

Penalty Decision

The Panel accepts the Joint Submission as to Order and accordingly makes the following order:

1. The Member shall appear before the Panel to be reprimanded within three months of the date that this Order becomes final.

2. The Executive Director is directed to suspend the Member’s certificate of registration for one month. This suspension shall take effect from the date that this Order becomes final and shall continue to run without interruption as long as the Member remains in the practising class.

3. The Executive Director is directed to impose the following terms, conditions and limitations on the Member’s certificate of registration:

(a) The Member will attend two meetings with a Nursing Expert (the “Expert”), at her own expense and within six months from the date of this Order. To comply, the Member is required to ensure that:

i. The Expert has expertise in nursing regulation and has been approved by the Director of Professional Conduct (the “Director”) in advance of the meetings;

ii. At least seven days before the first meeting, the Member provides the Expert with a copy of:

1. the Panel’s Order,
2. the Notice of Hearing,
3. the Agreed Statement of Facts,
4. this Joint Submission on Order, and
5. if available, a copy of the Panel’s Decision and Reasons;

iii. Before the first meeting, the Member reviews the following College publications and completes the associated Reflective Questionnaires, online learning modules and online participation forms (where applicable):

1. Professional Standards,
2. Confidentiality and Privacy - Personal Health Information

iv. Before the first meeting, the Member reviews Circle of Care: Sharing Personal Health Information for Health-Care Purposes, as released by the Information and Privacy Commissioner of Ontario;

v. At least seven days before the first meeting, the Member provides the Expert with a copy of the completed Reflective Questionnaires, and online participation forms;

vi. The subject of the sessions with the Expert will include:

1. the acts or omissions for which the Member was found to have committed professional misconduct,
2. the potential consequences of the misconduct to the Member’s clients, colleagues, profession and self,
3. strategies for preventing the misconduct from recurring,
4. the publications, questionnaires and modules set out above, and
5. the development of a learning plan in collaboration with the Expert;

vii. Within 30 days after the Member has completed the last session, the Member will confirm that the Expert forwards his/her report to the Director, in which the Expert will confirm:

1. the dates the Member attended the sessions,
2. that the Expert received the required documents from the Member,
3. that the Expert reviewed the required documents and subjects with the Member, and
4. the Expert’s assessment of the Member’s insight into her behaviour;

viii. If the Member does not comply with any one or more of the requirements above, the Expert may cancel any session scheduled, even if that results in the Member breaching a term, condition or limitation on her certificate of registration;

c) For a period of 12 months from the date the Member returns to the practice of nursing, the Member will notify her employers of the decision. To comply, the Member is required to:

i. Ensure that the Director is notified of the name, address, and telephone number of all employer(s) within 14 days of commencing or resuming employment in any nursing position;

ii. Provide her employer(s) with a copy of:

1. the Panel’s Order,
2. the Notice of Hearing,
3. the Agreed Statement of Facts,
4. this Joint Submission on Order, and
5. a copy of the Panel’s Decision and Reasons, once available;

iii. Ensure that within 14 days of the commencement or resumption of the Member’s employment in any nursing position, the employer(s) forward(s) a report to the Director, in which it will confirm:

1. that they received a copy of the required documents, and

2. that they agree to notify the Director immediately upon receipt of any information that the Member has breached the standards of practice of the profession; and

3. All documents delivered by the Member to the College, the Expert or the employer(s) will be delivered by verifiable method, the proof of which the Member will retain.

Reasons for Penalty Decision

The Panel understands that the penalty ordered should protect the public and enhance public confidence in the ability of the College to regulate nurses. This is achieved through a penalty that addresses specific deterrence, general deterrence and, where appropriate, rehabilitation and remediation. The Panel also considered the penalty in light of the principle that joint submissions should not be interfered with lightly.

The Panel concluded that the proposed penalty is reasonable and in the public interest. The Member has co-operated with the College and, by agreeing to the facts and the proposed penalty, has accepted responsibility. She has avoided the need for a contested hearing.

The Panel finds that the penalty satisfies the principles of specific and general deterrence, rehabilitation and remediation, and public protection. It sends a strong message to the Member, and to the membership as a whole. A breach of confidential personal health information will not be tolerated.

The only case submitted to the Panel was CNO v. Ann H.A. Raeburn-Lewis. This case presented with similar facts and penalty. The Panel finds that the joint submission represents a fair and reasonable outcome based on the evidence presented.

I, Michael Hogard, sign this decision and reasons for the decision as Chairperson of this Discipline panel and on behalf of the members of the Discipline panel.

Chairperson Date