Doctor probed for improper health record access

A doctor with Covenant Health is under investigation by Alberta's College of Physicians and Surgeons for improperly accessing electronic health records to find out information about her partner's ex-husband.

The matter was referred to the college by Covenant Health, after an investigation by Alberta Information and Privacy Commissioner Frank Work.

Work found that the physician, who worked in the emergency room of an Edmonton hospital, had contravened the Health Information Act.

"You assume that docs' patient confidentiality long before there was an electronic health record. This was something that you might have assumed would be second nature but I guess everyone's human," Work said.

The investigation was launched after a man complained that nine people had accessed his Netcare health record over a 14-month period, none of whom was his personal physician. His new partner and his mother also reported suspicious activity on their accounts.

The man suspected his ex-wife, a nurse, and her partner, the physician with Covenant Health. Some of the accesses seemed to occur at the same time as developments in his divorce.

The nurse was cleared as she was on leave when the health records were accessed. The investigation then focused on the physician.

The physician admitted in April 2011 to using her colleagues' accounts to improperly look at health information. She said she did not share this information with her partner and said it was a coincidence that accesses matched developments in the divorce.

"You know that they're going through a divorce and custody hearing .. and even though I'm not a part of that, I sit on the outside," she said in her interview with the Privacy Commissioner's office.

"It's really been a horribly trying time ... I think it was just the only thing I felt I had some kind of power over. I know that's wrong and it's a terribly wrong use of that power."

The doctor made this admission in an "uncautioned statement," which means it can't be used as evidence against her in a prosecution.

She would not make a statement under caution, so the commissioner accepted this admission to help with his investigation of procedures used by Covenant Health to protect patient records.

Covenant Health referred the matter to the College of Physicians and Surgeons on June 21. A letter of reprimand was also placed on her file.

"It did come as a surprise," said Jon Popowich, a Covenant Health vice-president and Chief Privacy Officer.

"We do take it quite seriously. It was pretty disappointing for us to learn that a physician working at one of our sites didn't follow our policies to protect patient privacy."

Work found that Covenant Health had not properly trained its own physicians on how to secure their accounts.

The investigation found it was common practice for staff to simply access electronic health records using whatever account happened to be open at the time.

Covenant Health has taken a number of remedial actions since then. They include reminding the 12 physicians whose accounts were improperly accessed to log out of Netcare, and implementing a smart card system for computer terminals.