Prescription for privacy
It’s not a new story.
Employees at a health-related organization or business breaching privacy guidelines and snooping into someone’s personal and health information.
But in the case involving two pharmacy assistants, one of whom was fired, the pharmacy is as much to blame as the employees. According to Information and Privacy Commissioner Karen Rose, in August 2017, the pharmacy assistants breached the personal records of a former co-worker through the Drug Information System. The information was then allegedly shared with other employees.
One of the pharmacy assistants admitted to accessing the information, apparently in order to confirm which pharmacy this person was attending.
This employee was fired. It was determined the other pharmacy assistant wasn’t aware of the breach, and this employee was suspended. Privacy breaches have become such a common occurrence that the employees should have been more cautious with the personal information. The pharmacy also shares the blame in this case. As the report points out, the pharmacy had one login and password for the employees to access the Drug Information System. This has since been changed and staff have individual logins and passwords.
But the more disturbing facts are that the pharmacy did not have practices in place to detect or prevent privacy breaches, and it did not provide staff with privacy training related to health records. So, how were staff supposed to know what the best practices were if they were not trained? This is an obvious failure of management.
In this case, we know what happened to the employees.
But what consequences did the pharmacy face? At the very least, if the pharmacy wasn’t fined, then it should have been for its failures. And the pharmacy should have been identified.
People have a right to know which pharmacies have failed to uphold their duty to protect privacy. It is no different than telling consumers which restaurants are not meeting health code requirements.
People are in a vulnerable position when disclosing personal and health information to pharmacists.
That information they provide is vital to getting the help they need.
Even withholding a minor detail could affect their prescription and instructions.
And, people have a right to choose which pharmacists they go to, and make that choice on all relevant information, including any past wrongdoings.
Identifying the organization should also deter others from neglecting their basic duties.
Taking measures to improve practices, education and training after the fact are not good enough. The pharmacy should have made sure staff were properly trained and that practices to detect and prevent privacy breaches were implemented so the breach didn’t happen in the first place.