College of Nurses of Ontario v. Lauri Harvey, 2020 ONCNO 125222

DISCIPLINE COMMITTEE OF THE COLLEGE OF NURSES OF ONTARIO

PANEL: Terry Holland, RPN Chairperson Karen Laforet, RN Member Ian McKinnon Public Member Honey Palalon, RN Member Lalitha Poonasamy Public Member

BETWEEN:

COLLEGE OF NURSES OF ONTARIO JEAN-CLAUDE KILLEY for College of Nurses of Ontario

• and -

LAURI HARVEY Registration No. 9632209 MICHELLE GIBBS for Lauri Harvey

PATRICIA HARPER Independent Legal Counsel

Heard: October 26, 2020

DECISION AND REASONS

This matter came on for hearing before a panel of the Discipline Committee (the “Panel”) of the College of Nurses of Ontario (the “College”) on October 26, 2020, via videoconference.

Publication Ban

College Counsel brought a motion pursuant to s.45(3) of the Health Professions Procedural Code of the Nursing Act, 1991, for an order preventing public disclosure and banning publication or broadcasting of the identities of the patients, or any information that could disclose the identities of the patients, referred to orally or in any documents presented in the Discipline hearing of Lauri Harvey (the “Member”).

The Panel considered the submissions of the parties and decided that there be an order preventing public disclosure and banning publication or broadcasting of the identities of the patients, or any information that could disclose the identities of the patients, referred to orally or in any documents presented in the Discipline hearing of the Member.

The Allegations

The allegations against the Member as stated in the Notice of Hearing dated September 23, 2020 are as follows:

IT IS ALLEGED THAT:

1. You have committed an act of professional misconduct as provided by subsection 51(1)(c) of the Health Professions Procedural Code of the Nursing Act, 1991, S.O. 1991 c. 32, as amended, and defined in subsection 1(1) of Ontario Regulation 799/93, in that you contravened a standard of practice of the profession or failed to meet the standard of practice of the profession, and in particular, while practising as a Registered Nurse at Albright Manor in Beamsville, Ontario:

(a) on or about October 27, 2015, you sent personal health information relating to [Patient A] via standard email;

(b) in or around April 2016, without authority or approval you:

(i) authored and posted a memo that contained inconsistent information from what management had provided to employees in a prior memo relating to the duration of a declared outbreak at the facility and the requirement for staff to provide Tamiflu prescriptions to their managers;

(ii) posted the memo in a manner that obscured management’s prior memo;

(c) on or about October 11, 2016, you sent personal health information relating to [Patient B] via standard email;

(d) on or about October 23, 2016, you sent personal health information relating to a [patient] via standard email;

(e) on or about November 28, 2016, you sent personal health information relating to a [patient] and/or several [patients] via standard email to your union representative; without the [patients’] consent or other authorization, and/or for no clinical purpose;

(f) on or about November 28, 2016, you sent personal health information relating to a [patient] via standard email;

(g) on or about December 13, 2016, you sent personal health information relating to a [patient] via standard email;

(h) on or about August 31, 2016 and September 1, 2016, with respect to [Patient C], you:

(i) removed information from [Patient C]’s chart that should not have been removed relating to [Patient C]’s advanced care directives;

(ii) opened [Patient C]’s mail and sent an electronic copy of [Patient C]’s bank statement to [Patient C’s family member] without [Patient C]’s consent or authorization or the consent or authorization of [Patient C]’s substitute decision-maker;

(iii) sent personal health information relating to the [patient] via standard email;

(i) between about May 2011 and January 2017, you stored confidential and/or personal health information relating to [patients] on an unsecure USB drive, and/or you stored the USB drive in an unsecured location, without taking any precautions to protect access to the information;

2. You have committed an act of professional misconduct as provided by subsection 51(1)(c) of the Health Professions Procedural Code of the Nursing Act, 1991, S.O. 1991, c. 32, as amended, and defined in subsection 1(10) of Ontario Regulation 799/93, in that you gave information about a [patient] to a person other than the [patient] or his or her authorized representative without the consent of the [patient] or his or her authorized representative or as required by law, and in particular, while practising as a Registered Nurse at Albright Manor in Beamsville, Ontario:

(a) on or about November 28, 2016, you sent personal health information relating to a [patient] and/or several [patients] via standard email to your union representative, without the [patients’] consent or other authorization, and/or for no clinical purpose;

(b) on or about August 31, 2016 and September 1, 2016, with respect to [Patient C], you opened [Patient C]’s mail and sent an electronic copy of [Patient C]’s bank statement to [Patient C’s family member] without [Patient C]’s consent or authorization or the consent or authorization of [Patient C]’s substitute decision-maker;

3. You have committed an act of professional misconduct as provided by subsection 51(1)(c) of the Health Professions Procedural Code of the Nursing Act, 1991, S.O. 1991, c. 32, as amended, and defined in subsection 1(37) of Ontario Regulation 799/93, in that you engaged in conduct or performed an act, relevant to the practice of nursing, that, having regard to all the circumstances, would reasonably be regarded by members of the profession as disgraceful, dishonourable or unprofessional, and in particular, while practising as a Registered Nurse at Albright Manor in Beamsville, Ontario:

(a) on or about October 27, 2015, you sent personal health information relating to [Patient A] via standard email;

(b) in or around April 2016, without authority or approval, you:

(i) authored and posted a memo that contained inconsistent information from what management had provided to employees in a prior memo relating to the duration of a declared outbreak at the facility and the requirement for staff to provide Tamiflu prescriptions to their managers;

(ii) posted the memo in a manner that obscured management’s prior memo;

(c) on or about October 11, 2016, you sent personal health information relating to [Patient B] via standard email;

(d) on or about October 23, 2016, you sent personal health information relating to a [patient] via standard email;

(e) on or about November 28, 2016, you sent personal health information relating to a [patient] and/or several [patients] via standard email to your union representative, without the [patients’] consent or other authorization, and/or for no clinical purpose;

(f) on or about November 28, 2016, you sent personal health information relating to a [patient] via standard email;

(g) on or about December 13, 2016, you sent personal health information relating to a [patient] via standard email;

(h) on or about August 31, 2016 and September 1, 2016, with respect to [Patient C], you:

(i) removed information from the [patient]’s chart that should not have been removed relating to the [patient]’s advanced care directives;

(ii) opened the [patient]’s mail and sent an electronic copy of the [patient]’s bank statement to her [family member] without the [patients]’s consent or authorization or the consent or authorization of the [patient]’s substitute decision-maker;

(iii) sent personal health information relating to the [patient] via standard email;

(i) between about May 2011 and January 2017, you stored confidential and/or personal health information relating to [patients] on an unsecure USB drive, and/or you stored the USB drive in an unsecured location, without taking any precautions to protect access to the information.

Member’s Plea

The Member admitted the allegations set out in paragraphs 1(a), 1(b)(i), (ii), 1(c), 1(d), 1(e), 1(f), 1(g), 1(h)(i), (ii), (iii), 1(i), 2(a), 2(b), 3(a), 3(b)(i), (ii), 3(c), 3(d), 3(e), 3(f), 3(g), 3(h)(i), (ii), (iii) and 3(i) in the Notice of Hearing. The Panel received a written plea inquiry which was signed by the Member. The Panel also conducted an oral plea inquiry and was satisfied that the Member’s admission was voluntary, informed and unequivocal.

Agreed Statement of Facts

College Counsel and the Member’s Counsel advised the Panel that agreement had been reached on the facts and introduced an Agreed Statement of Facts, which reads, unedited, as follows:

THE MEMBER

1. Lauri Harvey (the “Member”) obtained a diploma in nursing from Niagara College in May 1996.

2. The Member registered with the College of Nurses of Ontario (“CNO”) as a Registered Nurse (“RN”) on September 13, 1996.

3. The Member worked as a full-time charge nurse at Albright Manor (the “Facility”) from October 3, 2011 to January 20, 2017, when she was terminated as a result of the incidents described below.

4. The Member entered into a voluntary undertaking with CNO on January 9, 2020 agreeing not to engage in the practice of nursing on an interim basis for health reasons.

5. The Member subsequently transferred into the Non-Practising Class on January 13, 2020. As a result, the Member is not entitled to practice nursing in Ontario.

6. The Member is employed as an RN at the Niagara Detention Centre. However, the Member is currently on long-term disability leave with no expected return date.

THE FACILITY

7. The Facility is located in Beamsville, Ontario.

8. The Facility is a long-term care residence.

9. The Member routinely worked evening shifts, from 2:30 pm to 10:30 pm.

10. The Facility’s Chief Nursing Officer, [ ], supervised the Member from 2011 to 2016. [ ] assumed the position of Chief Nursing Officer, along with supervision responsibilities, in 2016.

The Facility’s Email Procedure and Communication Policy (March 2016)

11. Nurses at the Facility had access to multiple shared nursing stations. Each station was equipped with a computer and a unique email address identifier. For example, the email address that corresponded with the fifth-floor nursing station computer was nurse5@albrightcentre.ca.

12. The standard email addresses were not password protected. All staff members could access the email account.

13. Staff did not have personalized Facility-issued email addresses.

14. The standard email accounts were only to be used for contacting Facility management or connecting with external agencies. Emails containing personal health information, including outreach to patients’ families or a substitute decision maker (“SDM”), were prohibited, although this prohibition was inconsistently enforced by the Facility.

15. On March 7, 2016, the Facility articulated a formal communication policy (the “Communication Policy”) stating that staff were responsible for maintaining the integrity of patients’ personal health information.

16. Until the March 2016 Communication Policy was published, the Facility’s email practice did not clearly reflect the CNO Confidentiality and Privacy – Personal Health Information standard of practice, namely, that nurses meet CNO’s standard by “not [emphasis added] using standard email to send personal health information.”

17. The Facility’s new Communication Policy clearly outlined expectations guiding the use of standard email accounts to share personal health information. It stated that “email was not an appropriately secure means of communication for confidential information […] Confidential information should not be relayed via email. This includes email to residents and families/SDM.”

18. Furthermore, the Communication Policy confirmed that email could be used with caution to arrange a meeting or phone call but under no circumstances was patient information to be specified in an email.

INCIDENTS RELEVANT TO ALLEGATIONS OF PROFESSIONAL MISCONDUCT

Incidents Relating to [Patient A]

19. On or about October 27, 2015, the Member sent personal health information relating to [Patient A] using a standard email address nurse5@albrightcentre.ca.

20. The Member was not assigned to care for [Patient A] The Member was serving as a Charge Nurse during her shift on October 27, 2015, and part of her duties as Charge Nurse involved contacting patients or their SDMs to offer vaccines to the patients, as well as obtain and record the patient’s or SDM’s consent.

21. The Member emailed [Patient A]’s SDM requesting consent to administer a flu shot and tetanus booster. The Member did not provide any education to [Patient A]’s SDM regarding the potential risks and benefits of either injection generally or specifically given [Patient A]’s health profile.

22. On November 8, 2015, [Patient A]’s SDM provided consent in the absence of both general and specific information. As a result, [Patient A] was scheduled to receive both a flu shot and tetanus vaccine.

23. When a colleague was preparing to administer the tetanus vaccine to [Patient A], they noted in [Patient A]’s chart that she was allergic to the tetanus vaccine. The procedure was immediately discontinued.

24. If the Member were to testify, she would state that she had been instructed to verify consents for her list of patients as quickly as possible, and she therefore contacted the patients/SDMs to offer them all the available vaccines, with the expectation that individual patients’ health records would be checked for allergies before the administration of any vaccine to any patient. However, she acknowledges that the information she provided to [Patient A]’s SDM did not meet the required level of disclosure to properly obtain informed consent for medical intervention. She also acknowledges that by not checking whether [Patient A] was allergic to the vaccine, she created a situation in which both the risk to patient safety and the risk of medical administrative error increased, which breached the standards of practice.

25. In October 2015, the Facility Communication Policy had not yet been published. However, CNO’s Confidentiality and Privacy – Personal Health Information standard of practice, which provided that standard email was an inappropriate medium through which to communicate personal health information, was in effect. Therefore, by communicating personal health information over a standard email, the Member breached a standard of practice.

Infection Control Memorandum

26. On April 16, 2016, the Facility posted an internal memorandum (the “Facility Memorandum”) relating to inflection control protocols in a common area that was frequented by staff.

27. The Facility’s CEO, along with the Director of Nursing and Personal Care (formerly Chief Nursing Officer), [ ], drafted the Facility Memorandum to inform staff that, because the Facility was experiencing an outbreak that had been reported to the Ministry of Health and Long-Term Care, all staff were required to have prescriptions for Tamiflu effective through Monday, April 25, 2016. The Facility Memorandum instructed staff to provide these prescriptions to management.

28. The Facility Memorandum also mentioned a possible termination date of the projected outbreak status.

29. Shortly after management posted the Facility Memorandum, the Member drafted her own memorandum (the “Memo”) about the same topic that contained contradictory information.

30. If the Member were to testify, she would state that she had previously been assigned as the RN lead on the Facility’s Infection Control Program and therefore believed that posting her Memo was in keeping with that role.

31. Nevertheless, the Member acknowledges that she had not received permission to post her Memo or to substitute her own instructions for those outlined by management in the Facility Memorandum.

32. In her Memo, the Member stated that staff only needed to have Tamiflu prescriptions to cover them until Friday, April 22, 2016. Additionally, the Memo departed from the expected duration of the outbreak projected by Facility management and presented an alternative timeline.

33. The Member physically pinned her Memo on top of the Facility Memorandum, thereby obscuring its content and suggesting that the Member’s Memo superseded its instructions for staff to follow regarding Tamiflu prescriptions. The Member’s Memo began by describing itself as “a clarification note”.

34. By authoring and posting a document that contained inconsistent information from what Facility’s senior leadership provided to staff, as well as posting her Memo in a manner that obscured the original document, the Member breached a standard of practice.

Sending Personal Health Information via Standard Email (October-December 2016)

35. In or around October 2016 through December 2016, the Member sent unsecure emails to family members of Facility patients containing personal health information, as well as inappropriately disclosed patient health information to her union representative without clinical purpose.

The Member’s Knowledge of the Facility’s Communication Policy

36. On March 7, 2016, the Member had an email exchange with her supervisor and the Director of Nursing and Personal Care, [ ], regarding the problems with disclosing personal health information by email.

37. Also on March 7, 2016, [the Director of Nursing and Personal Care] distributed a memo to all staff regarding email policy and procedure. This memo stated that email was not an appropriate means for communicating confidential information, which included a patient’s name, diagnosis, admission status, health status, or the clinician’s concerns about the patient.

38. Despite the Member’s knowledge of the Facility’s Communication Policy, the Member continued to send emails with confidential information and personal health information after that time.

The Member’s Disclosure of Patients’ Personal Health Information Without Authorization

39. On October 11, 2016, the Member wrote to a patient’s [family member], enclosing paperwork for [ ] to complete regarding an Advanced Directive for [Patient C]. The document contained the patient’s full name and the patient’s chosen emergency medical directives and was sent from [ ].

40. On October 23, 2016, the Member wrote to [Patient C’s family member] of a different patient, again using [ ]. The Member directed the patient’s [family member] to disclose health concerns to that email address, writing:

For concerns with your mom that do not require immediate assistance please email myself at [ ]. I do check my emails every day I am at work. [emphasis added]

41. On November 28, 2016, the Member wrote to the [Patient C’s family member] of another patient, disclosing personal health information. The Member described investigations about the patient’s medical condition, and details of his current status, including his diagnoses and medications.

42. Also on November 28, 2016, the Member emailed certain patients’ personal health information for her own benefit without proper authorization and without clinical purpose. The Member felt that she had been unfairly criticized her for her charting practices, and wrote to a union representative, asking for a second opinion about her charting. The Member enclosed excerpts from two patients’ charts in the email without protecting the personal health information relating to the patients.

43. On December 13, 2016, the Member sent two emails relating to the same patient: one to [Patient C’s family member] containing the patient’s name and information about new medications the patient had started taking, and another to her supervisor at the Facility containing the patient’s name and information about the patient’s behaviour. The Member also inadvertently copied the second email to [Patient C’s family member]. The [family member] subsequently reported the incident to the Facility for investigation.

44. In addition to the Facility’s March 2016 Communication Policy, CNO’s Confidentiality and Privacy – Personal Health Information standard of practice, which provides that standard email was an inappropriate medium to communicate personal health information, was in effect during the March through December 2016 timeframe.

45. By sending personal health information relating to a patient and/or several patients over standard email to her union representative without the patients’ consent or authorization, as well as sending personal health information over standard email on multiple occasions between October and December 2016, the Member breached a standard of practice.

Incidents Relating to [Patient C]

46. From August through September 2016, the Member intervened in the financial affairs of [Patient C] and sent confidential communications using the Facility’s unsecure email addresses.

47. For approximately twenty years, [Patient C] received assistance with her financial affairs from her [ ] friend, [“ ”]. Although [Patient C’s friend] did not have a formal Power of Attorney (“POA”), [Patient C] did not want this arrangement to change. She was capable of managing her finances but relied on [her friend’s] assistance because she sometimes had difficulty travelling to the bank.

48. [Patient C’s family member] indicated to the Member that she wanted to have Power of Attorney over her mother’s financial affairs.

49. Without consent to investigate, review, copy or distribute [Patient C]’s personal financial information, the Member commenced a search into the patient’s records and disclosed confidential arrangements to [Patient C’s family member].

50. On August 31, 2016, the Member sent an email to [Patient C’s family member] stating:

So I have found a couple of things.

1. I went down to [Patient C]’s chart and removed the form signed by [Patient C’s friend] but when I looked through some of the bills from pharmacy that are waiting [here] for you I found an envelope from a bank, I hope that you don’t mind but I opened it and scanned the documents so your [sic] to review I thought they might be helpful in your pursuit to obtain financial POA. [emphasis added]

2. I also found a $20 bill in an envelope I am not sure where it came from but I submitted put [sic] in her petty cash

3. I spoke with [ ] about the petty cash statements and this is what I have been told

a. [Patient C] has $377 in there and the only payments coming out are for her hairdressing

b. [ ] indicated that [Patient C’s friend] is putting money into the petty cash using money order cheques from a bank

i. Oct 2014 $500

ii. May 2015 $1100 was the rebate from the RH

iii. April 2016 $500 from [Patient C’s friend]

iv. Aug 2016 $500 from [Patient C’s friend]

So I asked [ ] why is [Patient C’s friend] putting money in and she indicated that her records have him as to billing contact, and she contacts him and he brings the cheques in. This worried me so I contacted [ ] because if he has access to [Patient C’s] bank account that means that he has POA for Finance. [ ] indicated that she would look to see what kind of paperwork she has supporting this. She indicates that there are no papers indicating that he has POA of finance but she does indicate that when mom was admitted [Patient C’s friend]signed all of the paperwork for consent. I have checked with Medical Pharmacies and they have you as financial contact so that is good.

Do you want [ ] and [ ] (billing for the Home) to change the contact to you?

Please let me know if there is anything else I can help you with.

51. On September 1, 2016, the Member emailed [Patient C’s family member] documents relating to changing [Patient C’s] financial Power of Attorney.

52. If the Member were to testify, she would explain that she thought she was being helpful by assisting [Patient C’s family member] with POA matters. However, upon reflection, the Member acknowledges that she had no legal or therapeutic basis to access [Patient C]’s bank statement, financial information or personal documents without obtaining consent or authorization.

53. By opening [Patient C]’s mail, disclosing a copy of the patient’s bank statement without consent or proper authorization and sending personal health information relating to [Patient C] by standard email, the Member breached therapeutic nurse-patient boundaries and violated a standard of practice of the profession. Moreover, the Member further breached a standard of practice by removing information from [Patient C]’s chart relating to [Patient C]’s advanced care directives for no therapeutic purpose.

Inappropriate Storage of Personal Health Information on USB Drive

54. In or around May 2011, Facility management provided staff with USB drives as part of a feedback-gathering exercise to solicit opinions regarding policies and procedures.

55. If the Member were to testify, she would state that she kept the USB drive and continued to use it to store personal health information. Because she was not asked to return it, she determined that it was permissible to retain and use the USB drive following the management-initiated exercise in May 2011.

56. The Member lost the USB drive provided to her by the Facility. The Member started using a personal USB drive that she brought from home as a replacement for the Facility’s USB drive. She did not tell management that she had lost a USB drive that, by her own admission, had an assortment of patients’ personal health information.

57. Between May 2011 and January 2017, the Member stored confidential and personal health information relating to at least 16 Facility patients on the new unsecure USB drive.

58. In addition to personal health information relating to patients at the Facility, including medical records and photographs of 16 patients in various stages of undress (taken in connection with the Facility’s Botox Program), the USB drive also contained personal documents belonging to the Member, such as animal photographs and a Hollywood film.

59. For an approximately six-year period, the Member stored the USB drive in an unsecure location and did not take precautions to protect its content, such as password protection or encryption. Moreover, the USB drive was accessible to others.

60. If the Member were to testify, she would state that the original USB drive was provided to staff by the Facility for work purposes without clear direction about not using it for personal health information. However, the Member acknowledges that, as an RN, she had a heightened professional obligation to safeguard patients’ personal health information and protect such sensitive content from unauthorized dissemination and inadvertent disclosure.

61. By storing personal health information on an unencrypted, personal USB drive and maintaining it in an unsecure, heavily trafficked area at the Facility, the Member breached a standard of practice. The Member recognizes that she had a responsibility to protect patient confidentiality during her practice.

CNO STANDARDS

62. CNO has published nursing standards to set out the expectations for the practice of nursing. CNO’s standards inform nurses of their accountabilities and apply to all nurses regardless of their role, job description or area of practice.

Professional Standards

63. CNO’s Professional Standards provides that each nurse is responsible for ensuring that their conduct meets the standards of the profession.

64. Nurses are expected to take responsibility for their actions and the consequences of those actions. Nurses are also accountable for conducting themselves in ways that promote respect for the profession as a whole and reinforce public confidence in the integrity and respectability of its members.

65. This practice standard indicates that a nurse demonstrates these expectations by, among other actions:

a) ensuring practice is consistent with CNO’s standards of practice and guidelines as well as legislation;

b) maintaining boundaries between professional therapeutic relationships and non-professional personal relationships; and,

c) demonstrating knowledge of and respect for each other’s roles, knowledge, expertise and unique contribution to the health care team.

Confidentiality and Privacy – Personal Health Information

66. CNO’s Confidentiality and Privacy – Personal Health Information practice standard discusses the expectations and obligations of a nurse under the Personal Health Information Protection Act (“PHIPA”).

67. PHIPA defines “personal health information” as any identifying information about patients that is in verbal, written or electronic form. This includes information collected by nurses during therapeutic nurse-patient relationships.

68. The legislation recognizes that personal health information belongs to patients and is simply being housed in health care facilities, who serve as Health Information Custodians.

69. The Confidentiality and Privacy practice standard provides key indicators nurses can use to ensure they are meeting expectations, including:

a) not using standard e-mail to send personal health information;

b) ensuring that security-enhanced e-mail is effective before sending personal health information this way;

c) advocating for policies and practices that ensure confidentiality during storage, transmission or transfer, or disposal of personal health information, whether in hard copy or electronic (e.g., e-mail or facsimile) form;

d) safeguarding the security of computerized, printed or electronically displayed or stored information against theft, loss, unauthorized access or use, disclosure, copying, modification or disposal;

e) seeking information about issues of privacy and confidentiality of personal health information;

f) maintaining confidentiality of [patients’] personal health information with members of the healthcare team, who are also required to maintain confidentiality, including information that is documented or stored electronically;

g) accessing information for her/his [patients] only and not accessing information for which there is no professional purpose; and,

h) considering if any harm may come to a [patient] as a result of a disclosure.

70. In relation to matters requiring consent and substitute decision makers, nurses meet the practice standard by, among other actions:

a) obtaining [patients’] express consent before disclosing his/her health information outside the health team, including to family members and friends of the [patient];

b) seeking consent from the substitute decision maker when the [patient] is incapable of providing knowledgeable consent; and,

c) ensuring [patients] are provided with an opportunity to withhold or withdraw consent to disclose their name, location in the facility and general health status.

Ethics

71. CNO’s Ethics standard provides that nurses have a commitment to the nursing profession. Professional status brings with it the respect and trust of the public. Maintaining the respect of the public requires, amongst other things, for nurses to conduct themselves in a manner that reflects well on the profession.

72. CNO identified respecting and upholding privacy and confidentiality as important values in providing nursing care. Specifically, “[patients] have the right to confidentiality and nurses make an implicit promise to maintain confidentiality.”

Therapeutic Nurse-Client Relationship

73. The Therapeutic Nurse-Client Relationship (“TNCR”) practice standard begins by stating that therapeutic nursing services “contribute to the [patient’s] health and well-being” and that the nurse-patient relationship is based on “trust, respect, empathy and professional intimacy, and requires appropriate use of the power inherent in the care provider’s role.”

74. Moreover, nurses are expected to maintain professional boundaries with patients and effectively establish limits to what qualifies as therapeutic care.

75. The TNCR indicates that a nurse demonstrates these expectations by, among other actions:

a) ensuring that she/he does not interfere with the [patient’s] personal relationships; and,

b) recognizing that there may be an increased need for vigilance in maintaining professionalism and boundaries in certain practice settings.

ADMISSIONS OF PROFESSIONAL MISCONDUCT

76. The Member admits that she committed the acts of professional misconduct as alleged in paragraphs 1 and 2 of the Notice of Hearing, as described in paragraphs 11 to 61 above, in that she repeatedly sent personal health information using unsecure standard email, authored and posted an internal memo without authority or approval and, in posting the memo, obscured management’s memo on the same topic. The Member also failed to obtain patient consent or authorization in circumstances where such permission was required to access personal health and/or financial information, as well as improperly removed information from a patient’s chart, and inappropriately stored confidential personal health information on an unsecure USB drive.

77. The Member admits that she engaged in conduct or performed an act, relevant to the practice of nursing, that, having regard to all the circumstances would reasonably be regarded by members as dishonourable and unprofessional with respect to the same conduct, as alleged in paragraph 3 in the Notice of Hearing and as described in paragraphs 11 to 61 above.

Decision

The College bears the onus of proving the allegations in accordance with the standard of proof, that being the balance of probabilities based upon clear, cogent and convincing evidence.

Having considered the evidence and the onus and standard of proof, the Panel finds that the Member committed acts of professional misconduct as alleged in paragraphs 1(a), 1(b)(i), (ii), 1(c), 1(d), 1(e), 1(f), 1(g), 1(h)(i), (ii), (iii), 1(i), 2(a), 2(b), 3(a), 3(b)(i), (ii), 3(c), 3(d), 3(e), 3(f), 3(g), 3(h)(i), (ii), (iii) and 3(i) in the Notice of Hearing. With respect to allegations #3(a), 3(b)(i), (ii), 3(c), 3(d), 3(e), 3(f), 3(g), 3(h)(i), (ii), (iii) and 3(i), the Panel finds that the Member engaged in conduct that would reasonably be regarded by members of the profession to be dishonourable and unprofessional.

Reasons for Decision

The Panel considered the Agreed Statement of Facts and the Member’s plea and finds that this evidence supports findings of professional misconduct as alleged in the Notice of Hearing.

Allegations #1(a), (c), (d), (e), (f), (g), (h)(i), (ii), (iii) and (i) in the Notice of Hearing are supported by paragraphs 19-25, 35-61 and 66-73 in the Agreed Statement of Facts. The Panel relied primarily on paragraphs 11-17 for context. The Member used a standard email account meant for contacting facility management or external agencies to send [patients’] personal health information. Despite the facility inconsistently enforcing the policy to not use the email for [patients’] families or substitute decision makers (“SDM”), the Member was responsible for adhering to the College standards for protection of [patient] health information. The Member sent personal health information related to [Patient A], [Patient B] and [Patient C] through standard email. The Member accessed [Patient C]’s financial information, including unopened mail from a bank and shared the contents via standard email with the [patient]’s [family member] without the [patient]’s consent. In addition, the Member stored confidential and/or personal health information related to 16 [patients] on an unsecure USB drive between May 2011 and January 2017. These actions are a breach of the College’s practice standard titled, Confidentiality and Privacy - Personal Health Information that emphasizes the importance of maintaining the confidentiality of [patient] personal health information.

Allegations #1(b)(i) and (ii) in the Notice of Hearing are supported by paragraphs 26-34 and 63-65 in the Agreed Statement of Facts. The Member acknowledges that she authorized and posted an internal memo related to infection control protocols and the timing of these protocols without authority or approval. The memo was posted in such a way as to obscure the management’s original memo with the implication that the instructions from the original memo had been changed. The action breached the College’s Professional Standards specific to the Member demonstrating the knowledge of and respect for each other’s roles, knowledge, expertise and unique contribution to the health care team.

Allegation #2(a) in the Notice of Hearing is supported by paragraph 35 and 66-73 in the Agreed Statement of Facts. The Member acknowledges that she sent a [patient’s] and/or several [patients’] personal health information via standard email to her union representative without [patient] consent or other authorization and for no clinical purpose.

Allegation #2(b) in the Notice of Hearing is supported by paragraphs 49-53 and 66-75 with paragraphs 46-48 for context. The Member chose to involve herself in [Patient C]’s financial matters by opening [Patient C]’s mail, disclosing information obtained in the mail and other financial information via standard email to [Patient C’s family member]. The Member violated the College’s practice standards titled, Ethics and Therapeutic Nurse-Client Relationship (“TNCR”). In addition, the Member further breached the College’s practice standard titled Confidentiality and Privacy - Personal Health Information. The Member acknowledges that she had no legal or therapeutic basis to access [Patient C]’s financial and personal documents without obtaining consent or authorization.

Allegations #3(a), (c), (d), (e), (f), (g), (h)(i), (ii), (iii) and (i) in the Notice of Hearing are supported by paragraphs 19, 35, 39-43, 46, 50-58 and 66-72 in the Agreed Statement of Facts. The Member’s conduct demonstrated a serious disregard for her professional obligations to protect [patients’] personal health information. The Member admits that, as an RN, she had a heightened professional obligation to safeguard [patients’] personal health information and protect sensitive information as outlined in the College’s practice standard titled, Confidentiality and Privacy - Personal Health Information.

Allegations #3(b)(i) and (ii) in the Notice of Hearing are supported by paragraphs 26-34, 63-65 and 77 in the Agreed Statement of Facts. The Member committed an act of professional misconduct when she authored and posted a memo that contradicted the information provided by management and then posted said memo in a way that obscured the management’s original memo. Through the actions the Member’s conduct fell below the College’s Professional Standards. Specifically, the Member failed to demonstrate knowledge of and respect for delineated roles and knowledge, expertise and unique contribution to the health care team.

The Member’s conduct with respect to all of these allegations shows a disregard for [patients’] personal health information. This conduct is unprofessional as it falls below the standards of nursing with respect to confidentiality and trust. The Member’s conduct was dishonourable as she knew or ought to have known that disclosing personal health information and breaching their privacy was unacceptable and fell well below the standards of a professional.

Penalty

College Counsel and the Member’s Counsel advised the Panel that a Joint Submission on Order had been agreed upon. The Joint Submission on Order requests that this Panel make an order as follows:

1. Requiring the Member to appear before the Panel to be reprimanded virtually within three months of the date that this Order becomes final.

2. Directing the Executive Director to suspend the Member’s certificate of registration for four months. This suspension shall take effect from the date the Member obtains an active certificate of registration in a practicing class and shall continue to run without interruption as long as the Member remains in a practicing class.

3. Directing the Executive Director to impose the following terms, conditions and limitations on the Member’s certificate of registration:

a) The Member will attend a minimum of two meetings with a Regulatory Expert (the “Expert”) at her own expense and within six months from the date that the Member obtains an active certificate of registration in a practicing class. If the Expert determines that a greater number of session are required, the Expert will advise the Director of Professional Conduct (the “Director”) regarding the total number of sessions that are required and the length of time required to complete the additional sessions, but in any event, all sessions shall be completed within 12 months from the date the Member obtains an active certificate of registration in a practicing class. To comply, the Member is required to ensure that:

i. The Expert has expertise in nursing regulation and has been approved by the Director of Professional Conduct (the “Director”) in advance of the meetings;

ii. At least seven days before the first meeting, the Member provides the Expert with a copy of:

1. the Panel’s Order,

2. the Notice of Hearing,

3. the Agreed Statement of Facts,

4. this Joint Submission on Order, and

5. if available, a copy of the Panel’s Decision and Reasons;

iii. Before the first meeting, the Member reviews the following CNO publications and completes the associated Reflective Questionnaires, online learning modules, decision tools and online participation forms (where applicable):

1. Code of Conduct,

2. Confidentiality and Privacy – Personal Health Information,

3. Ethics,

4. Professional Standards, and

5. Therapeutic Nurse-Client Relationship;

iv. Before the first meeting, the Member reviews Circle of Care: Sharing Personal Health Information for Health-Care Purposes, as released by the Information and Privacy Commissioner of Ontario;

v. At least seven days before the first meeting, the Member provides the Expert with a copy of the completed Reflective Questionnaires and online participation forms;

vi. The subject of the sessions with the Expert will include:

1. the acts or omissions for which the Member was found to have committed professional misconduct,

2. the potential consequences of the misconduct to the Member’s patients, colleagues, profession and self,

3. strategies for preventing the misconduct from recurring,

4. the publications, questionnaires and modules set out above, and

5. the development of a learning plan in collaboration with the Expert;

vii. Within 30 days after the Member has completed the last session, the Member will confirm that the Expert forwards his/her report to the Director, in which the Expert will confirm:

1. the dates the Member attended the sessions,

2. that the Expert received the required documents from the Member,

3. that the Expert reviewed the required documents and subjects with the Member, and

4. the Expert’s assessment of the Member’s insight into her behaviour;

viii. If the Member does not comply with any one or more of the requirements above, the Expert may cancel any session scheduled, even if that results in the Member breaching a term, condition or limitation on her certificate of registration;

b) For a period of 12 months from the date the Member returns to the practice of nursing, the Member will notify her employers of the decision. To comply, the Member is required to:

i. Ensure that the Director is notified of the name, address, and telephone number of all employer(s) within 14 days of commencing or resuming employment in any nursing position;

ii. Provide her employer(s) with a copy of:

1. the Panel’s Order,

2. the Notice of Hearing,

3. the Agreed Statement of Facts,

4. this Joint Submission on Order, and

5. a copy of the Panel’s Decision and Reasons, once available;

iii. Ensure that within 14 days of the commencement or resumption of the Member’s employment in any nursing position, the employer(s) forward(s) a report to the Director, in which it will confirm:

1. that they received a copy of the required documents, and

2. that they agree to notify the Director immediately upon receipt of any information that the Member has breached the standards of practice of the profession.

3. All documents delivered by the Member to the CNO, the Expert or the employer(s) will be delivered by verifiable method, the proof of which the Member will retain.

Penalty Submissions

Submissions were made by College Counsel.

The aggravating factors in this case were:

• The seriousness of the allegations;

• The high number of allegations;

• The Member’s continued breach of [patients’] personal health information several months after organizational policies were introduced;

• The Member’s continued breach of [patients’] personal health information despite being counseled by the Director of Nursing.

The mitigating factors in this case were:

• The Member had no prior disciplinary history with the College;

• The Member admitted to all of the allegations avoiding the expense and delay involved with a lengthy hearing;

• The Member accepted responsibility for her actions by agreeing to the Agreed Statement of Facts and Joint Submission on Order;

• The Member demonstrated a willingness to abide by the decisions in the Joint Submission on Order;

• Despite ill health, the Member made it a priority to attend the hearing and show her willingness to be governed by the College.

The proposed penalty provides for general deterrence through:

• The penalty package in its entirety demonstrates the College takes this type of conduct very seriously;

• The suspension and oral reprimand demonstrate to the public and membership this conduct will not be tolerated.

The proposed penalty provides for specific deterrence through:

• The suspension and reprimand.

The proposed penalty provides for remediation and rehabilitation through:

• The terms, conditions and limitations set out in the Joint Submission on Order that include two meetings with a Regulatory Expert to review specific standards;

• The Member will complete Reflective Questionnaires to ensure more insight and learnings regarding the nursing standards and expectations of the profession;

• Notification to the employer provides public protection.

Overall, the public is protected because the proposed Joint Submission on Order meets all of the goals of penalty. The public interest is protected by notification to the employer; deterrence to the profession is provided by the package of terms addressing the seriousness of the misconduct and the College’s unwillingness to tolerate breach of [patient]’s privacy and trust; and the Member’s interest is met by the terms, conditions and limitations of the Joint Submission on Order providing rehabilitation and remediation. The proposed order is within the range of orders made in cases with similar findings.

College Counsel submitted three cases to the Panel to demonstrate that the proposed penalty fell within the range of similar cases from this Discipline Committee.

CNO v. Hamilton (Discipline Committee, 2019). The member was found to have breached the standards by posting a [patient’s] personal health information to a publicly accessible internet page (Facebook) without the [patient]’s consent or authorization, making inappropriate statements towards a [patient]’s family and making inappropriate statements towards a family member which the family member could have perceived as a threat, in a public forum such as Facebook. The penalty included a reprimand, a three-month suspension, reflective questionnaires, review and completion of various College publications, online learning modules, two meetings with a Regulatory Expert and 12 months of employer notification.

CNO v. Kaufman (Discipline Committee, 2012). Amongst other findings, the member was found to have breached the standards by posting personal health information about a [patient] and allowing this information to be viewed on a publicly accessible internet page without the [patient]’s consent or authorization. The member’s behaviour resulted in emotional abuse to the [patient] and the conduct was deemed to be disgraceful, dishonourable and unprofessional misconduct. The member did not cooperate with the College nor attend the hearing. The penalty included a reprimand, a four-month suspension, two meetings with a Nursing Expert, review and completion of various College publications and educational modules and 12 months of employer notification.

CNO v. Nixey (Discipline Committee, 2019). Amongst other findings, the member was found to have committed an act of professional misconduct by permitting individuals with no health care purpose or other authorisation into the nursing station where they would reasonably be expected to view and have access to [patients’] personal health information. The penalty included a reprimand, a three-month suspension, two meetings with a Regulatory Expert following completion of various College publications and self-learning modules and 12 months of employer notification.

The Member’s Counsel submitted that the penalty as presented meets all of the key objectives and goals of penalty and provides public protection. The Member’s Counsel further submitted that an oral reprimand is a meaningful opportunity for the Member to hear from members of the Panel, their thoughts about the Member’s conduct. The Member acknowledges her duty to safeguard [patients’] personal health information and assures the Panel that, should she return to practice, remediation will be an important function. The Member’s Counsel stated that the Member has reflected and has a good understanding of her responsibilities.

Penalty Decision

The Panel accepts the Joint Submission on Order and accordingly orders:

1. The Member is required to appear before the Panel to be reprimanded virtually within three months of the date that this Order becomes final.

2. The Executive Director is directed to suspend the Member’s certificate of registration for four months. This suspension shall take effect from the date the Member obtains an active certificate of registration in a practicing class and shall continue to run without interruption as long as the Member remains in a practicing class.

3. The Executive Director is directed to impose the following terms, conditions and limitations on the Member’s certificate of registration:

a) The Member will attend a minimum of two meetings with a Regulatory Expert (the “Expert”) at her own expense and within six months from the date that the Member obtains an active certificate of registration in a practicing class. If the Expert determines that a greater number of session are required, the Expert will advise the Director of Professional Conduct (the “Director”) regarding the total number of sessions that are required and the length of time required to complete the additional sessions, but in any event, all sessions shall be completed within 12 months from the date the Member obtains an active certificate of registration in a practicing class. To comply, the Member is required to ensure that:

i. The Expert has expertise in nursing regulation and has been approved by the Director of Professional Conduct (the “Director”) in advance of the meetings;

ii. At least seven days before the first meeting, the Member provides the Expert with a copy of:

1. the Panel’s Order,

2. the Notice of Hearing,

3. the Agreed Statement of Facts,

4. this Joint Submission on Order, and

5. if available, a copy of the Panel’s Decision and Reasons;

iii. Before the first meeting, the Member reviews the following CNO publications and completes the associated Reflective Questionnaires, online learning modules, decision tools and online participation forms (where applicable):

1. Code of Conduct,

2. Confidentiality and Privacy – Personal Health Information,

3. Ethics,

4. Professional Standards, and

5. Therapeutic Nurse-Client Relationship;

iv. Before the first meeting, the Member reviews Circle of Care: Sharing Personal Health Information for Health-Care Purposes, as released by the Information and Privacy Commissioner of Ontario;

v. At least seven days before the first meeting, the Member provides the Expert with a copy of the completed Reflective Questionnaires and online participation forms;

vi. The subject of the sessions with the Expert will include:

1. the acts or omissions for which the Member was found to have committed professional misconduct,

2. the potential consequences of the misconduct to the Member’s patients, colleagues, profession and self,

3. strategies for preventing the misconduct from recurring,

4. the publications, questionnaires and modules set out above, and

5. the development of a learning plan in collaboration with the Expert;

vii. Within 30 days after the Member has completed the last session, the Member will confirm that the Expert forwards his/her report to the Director, in which the Expert will confirm:

1. the dates the Member attended the sessions,

2. that the Expert received the required documents from the Member,

3. that the Expert reviewed the required documents and subjects with the Member, and

4. the Expert’s assessment of the Member’s insight into her behaviour;

viii. If the Member does not comply with any one or more of the requirements above, the Expert may cancel any session scheduled, even if that results in the Member breaching a term, condition or limitation on her certificate of registration;

b) For a period of 12 months from the date the Member returns to the practice of nursing, the Member will notify her employers of the decision. To comply, the Member is required to:

i. Ensure that the Director is notified of the name, address, and telephone number of all employer(s) within 14 days of commencing or resuming employment in any nursing position;

ii. Provide her employer(s) with a copy of:

1. the Panel’s Order,

2. the Notice of Hearing,

3. the Agreed Statement of Facts,

4. this Joint Submission on Order, and

5. a copy of the Panel’s Decision and Reasons, once available;

iii. Ensure that within 14 days of the commencement or resumption of the Member’s employment in any nursing position, the employer(s) forward(s) a report to the Director, in which it will confirm:

1. that they received a copy of the required documents, and

2. that they agree to notify the Director immediately upon receipt of any information that the Member has breached the standards of practice of the profession.

3. All documents delivered by the Member to the CNO, the Expert or the employer(s) will be delivered by verifiable method, the proof of which the Member will retain.

Reasons for Penalty Decision

The Panel understands that the penalty ordered should protect the public and enhance public confidence in the ability of the College to regulate nurses. This is achieved through a penalty that addresses specific deterrence, general deterrence and, where appropriate, rehabilitation and remediation. The Panel also considered the penalty in light of the principle that joint submissions should not be interfered with lightly.

The proposed penalty addresses the goals of penalty as follows:

Specific Deterrence is addressed by:

• A reprimand and a four-month suspension.

General Deterrence is addressed by:

• A four-month suspension.

Remediation and rehabilitation are addressed by:

• A reprimand;

• Two meetings with a Regulatory Expert;

• Self-reflection;

• Terms, conditions and limitations.

Public Protection and Confidence are maintained by:

• The suspension and reprimand;

• Rehabilitation and remediation;

• The 12 month employer notification period which provides reassurance of proper conduct in the workplace.

Given this, the Panel concluded that the proposed penalty is reasonable and in the public interest. The Member has co-operated with the College and, by agreeing to the facts and the proposed penalty, has accepted responsibility. The Panel finds that the penalty meets all of the key objectives and satisfies the principles of specific and general deterrence, rehabilitation and remediation, and public protection.

• The penalty is also in line with what has been ordered in previous cases.

I, Terry Holland, RPN, sign this decision and reasons for the decision as Chairperson of this Discipline panel and on behalf of the members of the Discipline panel.