Dealing with employee breaches

Janice Sibbald offers advice on dealing with confidentiality breaches by practice staff – intentional or not

  • Date: 29 April 2019

THE HR and Employment Law team at MDDUS often gets calls passed to us from our medical and dental legal adviser colleagues relating to breaches in patient confidentiality. We don’t need to tell you that confidentiality breaches can have a major effect on the reputation of a medical or dental practice and have to be taken extremely seriously.

In many cases, these can be dealt with under routine SEA (significant events analysis) procedures and learning can be applied to individuals or to the whole practice. This may include additional training or revised internal processes and procedures being put in place. Individual training plans may be devised for those employees whose performance or conduct has been substandard. In any profession, human error can play a part in confidentiality breaches but you should ensure that internal processes are adequate and reviewed regularly and that employees have had appropriate training.

In some cases an employee’s conduct may warrant a disciplinary hearing. The decision as to whether the error or mistake warrants a formal disciplinary action can only be taken once a full investigation of the situation has been carried out.

You should conduct an investigation to establish all the facts in order to determine whether a disciplinary hearing is required. Any witness statements should be obtained and signed, and written notes should be taken as these may be used as part of disciplinary proceedings. It is usual practice for an employee to remain at work during the investigation phase. Suspension should only be used in exceptional circumstances and is normally paid.

The investigation should be carried out where possible by someone who is not involved in the disciplinary hearing to ensure objectivity. Many IT systems are able to provide you with an audit trail if you believe that medical records have been accessed inappropriately. Internal calls are usually recorded and can be reviewed to obtain evidence of any potential confidentiality breach over the phone.

You may also wish to check that the practice has a confidentiality policy that the employee has signed and was trained on.

Should you decide that the matter warrants a formal hearing, invite the employee in writing to the meeting, giving at least 48 hours’ notice. If dismissal is a possibility then reference should be made to this in the letter. Ensure that the employee is aware of the right to be accompanied by a colleague or a trade union representative (not a family member or legal representative) and be clear that their role in these meetings is to ask for points of clarity and to take notes, but the majority of the speaking should be done by the employee.

Any relevant documents, such as audit logs or transcripts, should be provided to the employee in advance of the hearing. Make sure that you have thoroughly prepared prior to the meeting with the facts and a list of questions you want to ask the employee, and ensure that there is sufficient opportunity for the employee to have their say during the meeting and raise any mitigating circumstances.

At the hearing you should focus on the behaviours or actions that you are concerned about, providing the employee with clear facts and examples. Create a further opportunity for the employee to inform you if they feel that further support or training is necessary or if there are any obstacles to avoid repeating mistakes – or the reasons for their unacceptable behaviour.

After the hearing has taken place, you should then adjourn the meeting in order to give yourself sufficient time to make a decision. In some cases, you may need to adjourn until the next day and this would certainly be the recommendation if considering a dismissal.

You should refer to your internal disciplinary policy, but possible outcomes would include no action, a verbal warning, first written warning, final written warning or dismissal. You can jump to any stage depending on the severity of the conduct or performance. A sanction can stay “live” or on the employee’s file for around 6-24 months. It is useful also to consider the reaction of the employee and if they understand why there was a breach and show remorse for the situation.

After every formal stage, the employee should be given the right to appeal the outcome of the hearing. Employees should state the basis of their appeal in writing, and appeal meetings should be convened within a reasonable timescale. The employee has the same rights to be accompanied at an appeal, and someone impartial, where possible, should conduct the hearing. The result of the appeal should be confirmed to the employee in writing.

Where possible, different managers/ partners should conduct different levels of disciplinary hearings to ensure the process is fair and impartial. A confidentiality breach is normally detailed in disciplinary procedures as a significant event.

Confidentiality is the backbone of every medical and dental practice and any breaches should be taken seriously and under relevant UK employment legislation. If you require any further assistance, including our disciplinary factsheet and template letters, please do not hesitate to contact one of the employment law advisers on 0333 043 4444 or at advice@mddus.com.

Janice Sibbald is an employment law adviser at MDDUS

This page was correct at the time of publication. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.

Read more from this issue of Practice Manager

Practice Manager is published twice yearly and distributed to MDDUS practice managers and others with management responsibility in dental and medical surgeries. It features articles on employment law, health and safety, risk as well as profiles of practices across the UK. Browse our current and back issues below.
In this issue

Related Content

shutterstock_247397758.jpg

GDPR

General Data Protection Regulation checklist

Coroner's inquests

Save this article

Save this article to a list of favourite articles which members can access in their account.

Save to library

For registration, or any login issues, please visit our login page.