Privacy commissioner recommends GN charge alleged snooping doctor
Doctor looked up colleague’s medical files on ‘numerous occasions’ over 18-month period
Nunavut Information and Privacy Commissioner Graham Steele says a doctor committed a “profound” intrusion of privacy when looking through a colleague’s medical records “numerous” times over a period of 18 months. (File photo)
Nunavut’s privacy commissioner is recommending charges against a former Nunavut doctor for allegedly going through a colleague’s medical records without a legitimate reason.
A review by Graham Steele also admonished the Department of Health for not following through on privacy recommendations department authorities committed to three years ago.
The case involves a doctor and worker in the territory’s health-care system. Steele declined to identify anyone involved or reveal their genders or the location of the incident, in order to protect the identity of the person who complained.
According to the report, in May 2020, there was an unspecified workplace incident between the doctor and worker. The review does not divulge details of the incident because they are not relevant to the decision, said Steele in the report.
“It is enough to say that the incident was stressful for the complainant, and that the doctor later acknowledged that their conduct was inappropriate,” he said.
The doctor then started looking through the worker’s electronic medical records “on numerous occasions” over the next 18 months.
Using Nunavut’s access to information law, the worker requested an audit trail which shows who accessed the medical records.
The doctor was confronted with this evidence, and then wrote a letter to Nunavut’s territorial chief of staff admitting to the unauthorized access. The letter included a rationale for the behaviour.
In his review, Steele called the letter “self-serving and scarcely believable,” and noted that it used “information obtained from the privacy breach to try to justify the privacy breach.”
He called this case of employee “snooping” a “profound” violation of personal privacy.
The doctor’s contract was terminated and the case was referred to Nunavut’s professional regulator.
Barriers to prosecution
Steele includes a number of recommendations in his review, and at the top of that list is that the Department of Health consider prosecuting the doctor under the territory’s privacy protection law.
It allows a maximum fine of $5,000 for anyone who knowingly collects, uses or discloses personal information contrary to the law.
“But I am aware of the difficulties,” Steele said in the review.
“The doctor is no longer in Nunavut, there is a six-month limitation period for a summary conviction offence, the maximum fine hardly merits the required cost and effort, and GN Justice may first have to negotiate a prosecution protocol for ATIPP offences with [Public Prosecution Service of Canada].”
Indeed, there appears to be some confusion over which government department is responsible for deciding whether to prosecute.
Department of Health spokesperson Chris Puglia told Nunatsiaq News that the decision to prosecute is up to the Department of Justice.
Nunatsiaq News then reached out to the Department of Justice.
“The commissioner’s report recommends Health prosecute, so that department would have the lead on it,” stated spokesperson Peter Varga.
Three years, no progress
Steele’s other recommendations include the development of a privacy “anti-intrusion” plan, that the Health Department start using software that will “red flag” suspicious behaviours in accessing medical records, and that the department hire someone to investigate and follow up on these red flags.
He also recommended the Department of Health change security protocols in its electronic medical records system so users who have no relationship to the records they are looking up would receive a warning, and that the department change security protocols so certain users can be blocked from accessing certain patient files.
Steele made one more recommendation he said he has never made before: that the Department of Health update his office by the end of the year on progress made in developing an anti-intrusion plan.
This is because the Health Department was subject to a similar review in April 2020. That’s when a health-care worker accessed the medical information of someone because “his spouse was having an affair with the complainant and he was concerned about the possibility that [the complainant] had tested positive for a sexually transmitted infection.”
At that time, Steele’s predecessor made a list of recommendations, including warnings to users who access medical information of people with whom they are not associated, and random audits of the electronic records system.
“Despite the minister’s statement in 2020 that all recommendations had been accepted and would be implemented, the recommendation about targeted and random audits was in fact rejected,” stated Steele in his review.
“The rest of the 14 recommendations, says Health, are currently … at various stages of being implemented or explored.”
In an interview Monday, Steele said he wants an update from the department this year because of what happened, or rather did not happen, with this case.
“Three years ago, the department said they were going to make changes and it appears very much they didn’t,” he said.
“This time we need to follow up and make sure you do the things you say you’re to do.”
The Department of Health is reviewing Steele’s recommendations and has referred the matter to Nunavut’s professional licensing body, which is investigating, according to Puglia.
“The GN has terminated all contracts that this physician has with the GN,” he stated in an email. “At the time that this came to light, the individual had left the territory.”
Excellent reporting.
You should name the doctor, or give a few more details to narrow down who it might be, as he or she may have done it to others, and probably did. The government is not going to voluntarily disclose misconduct by their employees. People who worked with this doc deserve to know. We won’t be able to figure out which employee it was by naming them, none of the doctors works with only one other person.
Take it up with the ATIPP commissioner. The report does not contain any names. This is to protect the identity of the complainant who has already had their privacy breached.
https://atipp-nu.ca/sites/default/files/23-239%20Review%20Report.pdf
Glad to see that the Commissioner is holding Department of Health accountable for their wrongdoing. Healthcare providers and arrogant management think that they are indispensable and cover up. Enough is enough and we have a watchdog who can bring them to public attention. Hope he will not be fired for bringing this publicly as GN does not like anyone doing their job.
So like Department of Health always trying to pass their job to Justice for prosecuting. Get some real education on the process to follow. Do you at least have a privacy breach policy or HR process to follow when unauthorized access was determined? Ha ha high hopes.
This worried me too, and how can a patient inquire into snoops who have access to files?
I like the ‘red flag’ suggestion and hope it proceeds.
Good on the GN signalling to its employees that there are no regulatory offences ever going to be prosecuted. Why not just remove the section of the law if it’s never used? Here you have a case where a computer audit and the doctor admits to the violation so it’s basically a given you’d have a conviction. Last I counted December-March is four months so still time to lay charges.
Love this reporting:
Department of Health told Nunatsiaq News that the decision to prosecute is up to the Department of Justice.
Nunatsiaq News then reached out to the Department of Justice who said it’s up to Health.
Thank you Minister John Main and Ministerless Justice for grade A buck-passing. I and all GN employees now know that when we violate personal privacy that the most we stand to lose is our jobs, which is no biggie because how hard is it to find another one these days, particularly health employees or doctors.
I remember a time when the local rink attendant was privy to everyone’s private medical information. How times have changed.