Indemnity issues surrounding data breaches can be complex and it is important that practices are aware of the requirements. Dr Dawn McGuire and Dr Ian Lavelle, Medico-Legal Consultants at Medical Protection, look at some cases and explain more.
Claims arising from data or confidentiality breaches are not uncommon. The practice may be pursued for these alleged breaches, whether within or outside healthcare provision.
For example, Medical Protection has received claims after medical information or test results have been divulged to a patient’s relative or representative without the patient’s consent.
Claims have also been reported to us following a practice employee accidentally sending medical information to the wrong recipient or address, losing medical records in their care, and leaving medical records in a public place.
Another case centred around a member of the practice team accessing a patient’s medical records without valid reason.
It is vital that the whole practice team is familiar with data protection laws, confidentiality and information security, and is adequately trained. The Data Protection Commission provides a useful guide to data protection for organisations and employees who have day-to-day responsibility for data protection (https://www.dataprotection.ie/en/organisations).
Claims or monetary penalties arising from data loss or data breaches fall outside healthcare indemnity and are therefore outside the scope of Medical Protection assistance.
Healthcare organisations like GP practices need to ensure adequate protection is in place for these claims. The practice manager can explore adequate indemnity protection with a public liability insurer or other appropriate insurers, for example employers’ liability or directors’ liability insurances.
Mr T worked as an administrator in a GP practice. He heard that an old friend, Mr B, was a shadow of himself, and that his wife had left him. Mr T knew that Mr B was registered with his practice. When he was working on a late shift one day, Mr T looked into Mr B’s medical records and discovered that Mr B was recently tested for HIV and the result had come back positive. Mr T could not contain his shock and revealed this to a mutual friend when they met later the same day.
Two weeks later, the practice manager asked to speak to Mr T privately. Mr B had made a formal complaint to the practice as he suspected that someone from the practice had accessed his records and publicised his HIV status. An audit trail had revealed that Mr T had accessed Mr B’s record without any valid reason. Mr T underwent disciplinary action and was dismissed from the practice. The practice manager wrote a very apologetic and empathic letter to Mr B.
Another month later, the practice received a letter of claim requesting compensation for Mr B’s psychological trauma. Mr B claimed that his family and friends had deserted him, and he was now a recluse and terminally depressed. The senior partner of the practice contacted Medical Protection to request assistance. She was advised to notify their public liability insurer (PLI) instead.
The practice manager was familiar with data protection law and also knew that adequate indemnity protection had to be obtained from a PLI or other appropriate insurers. The practice’s PLI took over the conduct of this claim.
Ms C, a receptionist, was asked to contact Ms F to inform her that her blood iron level was low and that an iron supplement prescription was ready for collection. Ms F had a miscarriage recently and had been feeling lethargic, so the blood test was recommended.
Ms C called the landline number on record and spoke to a ‘Ms F’ but did not confirm other personal details, ie, date of birth. Ms C was very sympathetic about the miscarriage, wished Ms F a speedy recovery and relayed the blood test result and prescription information. Unbeknown to her, she was speaking to the patient’s sister, who was also ‘Ms F’.
Ms F pursued the practice for a data breach claim and alleged psychological injury. She had kept the pregnancy and miscarriage from her family due to personal reasons and the unintended revelation had led to a family rift and loss of trust.
The practice manager contacted their PLI and the claim was eventually satisfactorily settled.