Health Professionals Can Face Disciplinary Action for Not Properly Protecting Passwords and Access to Patients’ Health Information

A family doctor in Quebec kept her USB access key to Dossier Santé Québec (DSQ) - the platform on which physicians access health information - in the USB slot of her computer. Her computer remained in the office she shared with other physicians but was intended for her use only. She kept her DSQ password in an office folder that was accessible to other physicians and staff in her office and gave the access code to the administrative technicians in case they needed it.

These practices came to the attention of the College of Physicians of Quebec following a complaint by one of the physician’s patients who suspected that office staff consulted his record without his authorization and requested access to his information. The College of Physicians of Quebec opened an investigation and found that the physician’s colleagues had in fact consulted the DSQ to view her patient’s record on several occasions.

At her discipline hearing, the physician argued that she did not allow or give anyone access to the DSQ patient files. However, the disciplinary council found that she did not protect her password and that the DSQ access key was left in her computer. As such, she did not ensure that the confidentiality of the DSQ information was preserved and rendered these technical safeguards ineffective.

The disciplinary council noted that the physician had confidence in the staff at her clinic and her colleagues. However, this did not change that she had “blindly” trusted a third party not entitled to access her DSQ and was not vigilant about protecting the personal health information that it contained. This physician did not sufficiently protect her patient’s personal health information. Even though the physician had retired, her license was suspended for three months, sending the message that a privacy breach of this kind will not be “taken lightly”.

This is a reminder that health information custodians - those in custody and control of personal health information - have an obligation to ensure that personal health information is protected from loss, theft, and unauthorized use. Privacy breaches can cause patients to lose confidence in their health care providers and may fracture the health care provider/patient relationship, leading to complaints and disciplinary action.

Patients may also be more inclined to withhold information if they believe that their personal health information is not properly protected or safeguarded, which could have serious repercussions on their health.