NOTE: By submitting this form and registering with us, you are providing us with permission to store your personal data and the record of your registration. In addition, registration with the Medical Independent includes granting consent for the delivery of that additional professional content and targeted ads, and the cookies required to deliver same. View our Privacy Policy and Cookie Notice for further details.
Don't have an account? Register
ADVERTISEMENT
ADVERTISEMENT
Indemnity issues surrounding data breaches can be complex and it is important that practices are aware of the requirements. Dr Dawn McGuire and Dr Ian Lavelle, Medico-Legal Consultants at Medical Protection, look at some cases and explain more.
Claims arising from data or confidentiality breaches are not uncommon. The practice may be pursued for these alleged breaches, whether within or outside healthcare provision.
For example, Medical Protection has received claims after medical information or test results have been divulged to a patient’s relative or representative without the patient’s consent.
Claims have also been reported to us following a practice employee accidentally sending medical information to the wrong recipient or address, losing medical records in their care, and leaving medical records in a public place.
Another case centred around a member of the practice team accessing a patient’s medical records without valid reason.
It is vital that the whole practice team is familiar with data protection laws, confidentiality and information security, and are adequately trained. The Data Protection Commission provides a useful guide to data protection for organisations and employees who have day-to-day responsibility for data protection (https://www.dataprotection.ie/en/organisations).
Claims or monetary penalties arising from data loss or data breaches fall outside of healthcare indemnity and is therefore outside the scope for Medical Protection assistance.
Healthcare organisations like GP practices need to ensure adequate protection is in place for these claims. The practice manager can explore adequate indemnity protection with a public liability insurer or other appropriate insurers, for example employers’ liability or directors’ liability insurances.
Mr T worked as an administrator in a GP practice. He heard that an old friend, Mr B, was a shadow of himself, and that his wife had left him. Mr T knew that Mr B was registered with his practice. When he was working on a late shift one day, Mr T looked into Mr B’s medical records and discovered that Mr B was recently tested for HIV and the result had come back positive. Mr T could not contain his shock and revealed this to a mutual friend when they met later the same day.
Two weeks later, the practice manager asked to speak to Mr T privately. Mr B had made a formal complaint to the practice as he suspected that someone from the practice had accessed his records and publicised his HIV status. An audit trail had revealed that Mr T had accessed Mr B’s record without any valid reason. Mr T underwent disciplinary action and was dismissed from the practice. The practice manager wrote a very apologetic and empathic letter to Mr B.
Another month later, the practice received a letter of claim requesting compensation for Mr B’s psychological trauma. Mr B claimed that his family and friends had deserted him, and he was now a recluse and terminally depressed. The senior partner of the practice contacted Medical Protection to request assistance. She was advised to notify their public liability insurer (PLI) instead.
The practice manager was familiar with data protection law and also knew that adequate indemnity protection had to be obtained from a PLI or other appropriate insurers. The practice’s PLI took over the conduct of this claim.
Ms C, a receptionist, was asked to contact Ms F to inform her that her blood iron level was low and that an iron supplement prescription was ready for collection. Ms F had a miscarriage recently and had been feeling lethargic, so the blood test was recommended.
Ms C called the landline number on record and spoke to a ‘Ms F’ but did not confirm other personal details, ie, date of birth. Ms C was very sympathetic about the miscarriage, wished Ms F a speedy recovery and relayed the blood test result and prescription information. Unbeknown to her, she was speaking to the patient’s sister, who was also ‘Ms F’.
Ms F pursued the practice for a data breach claim and alleged psychological injury. She had kept the pregnancy and miscarriage from her family due to personal reasons and the unintended revelation had led to a family rift and loss of trust.
The practice manager contacted their PLI and the claim was eventually satisfactorily settled.
ADVERTISEMENT
ADVERTISEMENT
ADVERTISEMENT
ADVERTISEMENT
Although diagnostic errors have many causes, clinical judgement is a significant contributing factor Every day, doctors...
Dr James Thorpe discusses recent research findings that highlight the detrimental effects Medical Council investigations...
ADVERTISEMENT
There is a lot of publicity given to the Volkswagen Golf, which is celebrating 50 years...
As older doctors retire, a new generation has arrived with different professional and personal priorities. Around...
Catherine Reily examines the growing pressures in laboratory medicine and the potential solutions,with a special focus...
The highlight of this year’s Irish Society for Rheumatology (ISR) Autumn Meeting was undoubtedly the...
ADVERTISEMENT
ADVERTISEMENT
ADVERTISEMENT
Leave a Reply
You must be logged in to post a comment.