Accessing Records of Family Members Nets Doctor Four-Month Suspension
A recent decision of the Ontario Physicians and Surgeons Discipline Tribunal (the “Tribunal”) emphasizes that a physician must not access a patient’s personal health information if they are not in the patient’s circle of care. Such unauthorized access is a breach of patient privacy that can constitute professional misconduct and can lead to a suspension.
Background
In a recent case, a radiologist was found to have accessed 20 patient records without consent. The 20 patients were treated at the hospital where the doctor worked, but were not his patients. Rather, the patients were acquaintances such as extended family members and colleagues. As the doctor was not providing care to these patients, he was outside their circles of care and, therefore, was required to obtain express consent from the patients in order to access their records.
The doctor and the College of Physicians and Surgeons of Ontario (the “CPSO”) jointly agreed before the Tribunal that his conduct constituted professional misconduct. The doctor admitted that he was aware of his duty to maintain the privacy of personal health information. He was reminded of this duty when he renewed his hospital privileges annually, and he was informed of this duty through hospital policies and the CPSO’s “Protecting Personal Health Information” policy. The Tribunal found that the doctor’s failure to protect patient privacy was conduct that members of the profession would regard as disgraceful, dishonourable, or unprofessional conduct.
Consequences
Having found that the doctor’s unauthorized access to records breached patient privacy and risked the public’s trust in the medical profession, the Tribunal ordered a penalty which included a four-month suspension. This was in recognition of the doctor having no prior discipline history, having admitted to his misconduct, and demonstrating appropriate conduct since the conduct was identified. In addition, the doctor faced consequences from his hospital, including
having his hospital privileges suspended for three months, during which he did not provide radiology services at other hospitals, and
having his radiology services overseen upon his return to the hospital.
The penalty also reflected that the doctor had participated in remediation activities (e.g., attended ethics and professionalism training, issued apology letters to the 20 patients) and that the penalty was a joint submission, which must be accepted unless doing so would be contrary to the public interest.
Takeaways
A physician is not authorized to access a patient’s personal health information if they are outside the patient’s circle of care, unless they have the patient’s consent, no matter how well the physician may know the patient. Breaches of patient privacy are extremely serious and will result in significant sanctions.
For assistance in implementing and/or reviewing your institution’s policies regarding privacy, access to personal health information, and proper use of electronic medical record systems, please contact us.