Snooping and Unauthorized Access to Medical Records
Electronic medical records are now commonplace for many healthcare providers. However, just because you have technical sign-in ability to access an electronic records system does not mean that you have authority to access all records in the system. “Snooping” is when a health care provider accesses a patient's personal health information without authorization. If you do not need this information to provide care and do not have consent, this is a breach of patient privacy and is included in the offences set out in the Personal Health Information Protection Act, 2004 (“PHIPA”).[1]
Unauthorized access includes viewing personal health information in electronic information systems.[2] This is true even in situations where the person accessing the electronic record system has technical sign-in ability and would otherwise be able to view the record for the purpose of providing health care. The motive for snooping may be as seemingly harmless as simple curiosity, or as calculated as an attempt to profit by selling patient information to others. Regardless of the reason, snooping violates the privacy rights of individuals and undermines trust in the healthcare system.
The IPC’s annual statistical reports have revealed that unauthorized access to personal health information is on the rise. In 2019, snooping accounted for 18.4%[3] of self-reported health privacy breaches, and this rose to 20.1%[4] and 20.9%[5] in 2020 and 2021, respectively.
OPSDT Decision on Breach of Confidentiality
The recent case of College of Physicians and Surgeons of Ontario v. Safar Zadeh[6] is a reminder that snooping in confidential medical records is taken seriously. In this case, the Ontario Physicians and Surgeons Discipline Tribunal (the “OPSDT”) found that an endocrinologist practising at a Toronto hospital, Dr. Zadeh, committed acts of professional misconduct relating to snooping. Specifically, Dr. Zadeh’s access and disclosure of a patient’s personal health information without the patient’s consent was found to be conduct that would reasonably be regarded by members of the profession as disgraceful, dishonourable, or unprofessional.[7]
Dr. Zadeh treated the patient in question (referred to as “Patient A” throughout the decision) only once in 2015. Dr. Zadeh was dating Patient A’s former spouse. In 2019, Dr. Zadeh accessed Patient A’s electronic medical records at the hospital three times without Patient A’s knowledge or consent. She took photographs of Patient A’s medical records, which included sensitive medical information, and texted these photos to Patient A’s former spouse. Dr. Zadeh also sent several messages to other people in which she disclosed Patient A’s personal health information without Patient A’s consent.
There is no question that sharing a patient’s confidential personal health information without their consent in this manner is contrary to the College’s policy on Protecting Personal Health Information and an offence under PHIPA. However, this decision reiterates that even accessing a patient’s personal health information without authorization is a breach of patient privacy.
Consequences of Snooping
In the case mentioned above, Dr. Zadeh received a five-month suspension as a penalty for the misconduct. The OPSDT noted that:
Dr. Safar Zadeh’s conduct is extremely serious. Only regulated health professionals can access electronic records in the way that Dr. Safar Zadeh did. She accessed Patient A’s confidential health records repeatedly for her own purposes. This, on its own, is harmful. […] The public’s trust in the medical profession is fragile. It is undermined when physicians gain improper and unauthorized access to confidential medical records, which contain highly sensitive and personal information, and misuse it. Electronic health records provide easy access to health information and for that reason, they must be very secure.[8] [Emphasis added.]
Outside of professional regulation, snooping could also result in a monetary fine under PHIPA ($200,000 for an individual and $1,000,000 if the offender is an organization), as well as civil[9] and criminal[10] liability.
Takeaway
Snooping and unauthorized access to medical records pose serious threats to patient privacy and trust in the healthcare system. The case of College of Physicians and Surgeons of Ontario v. Safar Zadeh serves as a reminder of the consequences of snooping and highlights the need to maintain secure and confidential health records. Before accessing a patient’s electronic medical record, be sure that you are doing so in order to provide care and not for any improper purpose.
[1] S.O. 2004, c. 3, Sched. A, s. 72.
[2] Ibid, s. 55.1(2).
[3] 2019 Statistical Report of the Office of the Information and Privacy Commissioner of Ontario, p. 71.
[4] 2020 Statistical Report of the Office of the Information and Privacy Commissioner of Ontario, p. 56.
[5] 2021 Statistical Report of the Office of the Information and Privacy Commissioner of Ontario, p. 59.
[6] 2023 ONPSDT 8 [Zadeh].
[8] Ibid, paras. 19-20.
[9] In 2012, the Ontario Court of Appeal confirmed the existence and elements of the tort of intrusion upon seclusion in Jones v. Tsige, 2012 ONCA 32. In that case, the intrusion consisted of unauthorized access to the plaintiff’s bank records by the defendant bank employee. The Court recognized a right to bring a civil action for damages for the invasion of personal privacy, and ultimately awarded the plaintiff $10,000 in damages.
[10] Section 402.2 of Canada’s Criminal Code prohibits obtaining or possessing another person’s identity information with the intention of using it to commit an indictable offence, such as fraud or theft.