Investigation Finds No Evidence of Snooping in Medical Files But Uncovers Another Serious Issue

October 20, 2009

The Office of the Information and Privacy Commissioner found no evidence to support an allegation that an employee of a doctor’s office looked in an individual’s medical file and disclosed information from that file to the patient’s ex-wife. The investigation did, however, find a serious contravention of the Health Information Act (HIA).

An individual complained to the Information and Privacy Commissioner when recent remarks by his ex-wife convinced him that she had knowledge of his medical information without his consent. Specifically, the individual alleged that an employee of his doctor’s office had accessed his health information in the clinic’s electronic medical record (EMR) and disclosed information about him stopping a particular medication to his ex-wife.

The investigator confirmed the employee had accessed the complainant’s medical records for purposes related to her employment in 2006, but found that the employee could not have disclosed information about the patient stopping the medication. The investigator found that the employee had last accessed the Complainant’s health records over three years ago and that the records did not contain information about the individual stopping the medication at that time.

While the investigator found no evidence to support the Complainant’s allegations, she discovered that almost two years of health information had been permanently lost by the clinic when it switched EMR systems in 2006. The investigator found this to be a contravention of the HIA, which requires custodians to take steps to protect health information against reasonably anticipated threats such as loss.

In addition to recommendations to the physician and the EMR vendor, the investigator recommended that the Physician Office System Program, which assists physicians in acquiring EMR technology, develop guidelines that will advise the 2000+ physicians facing data migration within the next two years on how to manage this risk.