When is accessing an NHS patient record classed as wrong?

[Sp3849]

So I work for CAMHS as a secretary. My son who has autism was referred into CAMHS 18 months ago and I have heard nothing. I have rang and rang the doctors to chase and they say they have expedited it and can't do much more but I know a referral for mental health should not take this long. After asking colleagues for months to keep an eye out for his referral I was told last week after being beside myself because my son was so poorly by a colleague to check his file to see what the hold up is and if the referral had been picked up and we had missed it . Now this is a job I do on a daily basis. Parents always phone to check on referrals for progress updates for Thier children I really didn't think it would be an issue. How wrong was I! Had an email today and I am being investigated by information governance for accessing my son's health record. I have a meeting with my manager on Wednesday to discuss what I have done and I am not sure what to expect. As he was being referred to us surely I can check that referral? He would be a patient anyway. I didn't look at anything else or do anything else. It turns out when looking the silly g.p referred to the wrong service anyway and it was sent back last to year and go has done nothing with it

You must know you can’t check? You could have asked a colleague or ideally your manager.

You can only access records where there is a clinical need arising through the course of your work. Never in the circumstances you describe even if the person has asked you to do so. Yes it is gross misconduct. No question.

She probably told people

@Kimmeridge - hardly 'bloody stupid' thanks. Reading the post this was an action suggested by a colleague- although their position is t mentioned, to see what documentation there was on file regarding the referral. Whilst I also clearly stated it was gross misconduct, She could potentially take that documentation with her, if the person who advised her to look into it, had the authority to do so. Whilst it's still gross misconduct- She may be able to keep her job if there is any supporting documents they may need willing to consider.......

Why don't they make these files password protected for just the GPs or management.

In the olden days when HR was Personnel, any file (paper) were filed in a locked cabinet in the managers office. This was at the Benefits Agency, so any family claimants file would be removed too.

It would also take away the worry that your Auntie Doris can see your file now she's working as your GP receptionist.

I got my CAMHS and my GPs mixed up. Either way, it makes sense for password protection.

Did your colleague set you up?
How did they know you accessed the file?

After asking colleagues for months to keep an eye out for his referral I was told last week after being beside myself because my son was so poorly by a colleague to check his file to see what the hold up is and if the referral had been picked up and we had missed it

Who was the colleague? Are they senior? Was it a suggestion or an instruction?

You could use this as mitigation - either that a senior instructed you and/or that another colleague thought it was OK too and therefore training must be lacking... (unfortunately the colleague should have known better than to have suggested it and you should have known better than to act on it). It does occur to me that it may have been a malicious suggestion to get you into trouble.

Your basic training should have made it clear that looking at the files of anyone you know is never acceptable.

Unfortunately this is a disciplinary issue, you are asked to acknowledge and adhere to all data protection protocols when you join the Trust. You should have asked your line manager to look into this for you rather than access his records yourself.

I know it's frustrating whilst chasing referrals but you need to adhere to the policy outlined by your trust. Explain the situation in your meeting but I would be expecting heavy repercussions for this.

It’s a sackable offence I’m afraid.

If you needed access to his file you should have done a SAR.

It’s logged.

i also wonder if colleague set you up,
it may be logged but they need to have a reason to check

Yup, this! I'm sorry OP as it sounds like you've had a stressful wait for a service... But when you started in your NHS post you will have had mandatory training on Information Governance which very clearly states that you cannot access your own or any other family member's health care record. There'll be a record of you having completed the training so I think it would be hard to claim ignorance on this.

In the health board I work in Information Governance are hot on checking for people looking up records they shouldn't and it's a serious disciplinary matter. I promise I understand the stress you've been under but I do find it a little concerning that you thought this was something that was ok to do.

I don't think it's fair to say that. The colleague may have suggested it but she didnt forcd the OP to do it. She should have known its against the rules & made her enquiry through the normal channels.

I know any computer courses we get at work confidentiality is drummed into us & the consequences of doing unauthorised checks made very clear.

Wow, this is so wrong. Think about it, as if this was allowed people could be doing it for the wrong reasons. Your colleague would probably face instant dismissal for doing this

Records are linked and as it's all online there's a clear record of what's been accessed. In our training it was made clear that when logged into patient records Information Governance can see a record of every single click you make as it were, so even when looking up a patient you only look at the parts of their record that's appropriate for the role you're playing in their care now (e.g. Not looking at a gynaecology appointment from 8 years ago if you work in podiatry).

So it doesn't surprise me at all that as soon as she clicked on a relative's file the system flagged it.

The system is password protected. NHS staff have personal logins and there is a check to say why do you need to access this file. Everything is logged automatically, so the system will have flagged immediately that OP had accessed the file.

It is basic information governance and all NHS staff do the same training and it is a mandatory, annual training. It would be a serious issue and will likely have serious consequences.

I had similar recently, wanted to access my child's record about a camhs referral, had a colleague look for me and provide the information. Access to my child's record is possible but not ethical, I expect measures are in place as every access to the system is logged and presumably when you logged in, an alert was raised. Sorry but I can not see any mitigating factors and you really should expect the worst.

I worked with a couple of girls who did this 🙄 one colleague kept asking me to look at her child’s notes. I said no and that I could lose my job if I was caught looking at someone’s notes outside of what was required for my role. The other colleague said she had looked her own kids records up. They weren’t found out straight away but when they were they were basically just read the riot act but did not lose their jobs.

If you’re in a Union speak to a rep for advice.

Don’t bother trying to get a statement off a colleague - you should have known from data governance training that you can’t do that and nobody can give you advice or permission to do so. It also suggests that you don’t appreciate the seriousness of what you did. You are better off acknowledging that you made a big mistake and saying that even though you were desperate you regret it and would never do it again.

Your only defence might be that you have not received appropriate IG training. Otherwise you need to apologise very sincerely and hope that you don't lose your job.

OP you need to make a record of exactly what conversations you had and with who about accessing records.
Ensure that you take records of the dates and times of your mandatory training sessions.
If you can demonstrate that you were NOT given GDPR training this may mitigate the circumstances.
Take a representative with you.
But be prepared for the worst case scenario. This is gross misconduct.

I used to work in a doctors surgery and we had a long (and very boring) talk on information governance. I didn’t know until then that I couldn’t access my own records.

I’m not clear, did you access your son’s notes or a colleague on your behalf. If a colleague, then that’s no different to you ringing in.

if you accessed your son’s records, then you could argue that you did that in the course of your every day job. Also, have you had any confidentiality training regarding this aspect? If not, you could mention this.

(and who was the person / work colleague who reported this?)

Completely understand as I’ve done the training but it doesn’t automatically flag up there’s just a record of people who have accessed the notes. So someone must of looked at this record of who accessed the notes for some reason.

It seems like a colleague has maybe reported OP or someone has overheard OP talking about it (if she has been) and reported her.

As PP have said its never OK to access records of family members. Ask for further training on IG and apologise. The biggest issue though is whether you understand why this is an issue. I would consider the reasons this is not appropriate and be prepared to discuss them in your meeting

This would be gross misconduct in the civil service