Information watchdog leans on Nunavut gov't to prosecute doctor in health records intrusion

Nunavut's Information and Privacy Commissioner is recommending the territorial government consider prosecuting a doctor who accessed a colleague's health records without any medical reason to do so.

In a review report released on Monday, Graham Steele detailed how a doctor viewed his colleague's records numerous times over the span of 18 months, following "a workplace incident."

The report didn't include any details of the incident.

"It is enough to say that the incident was stressful for the Complainant, and that the doctor later acknowledged that their conduct was inappropriate and apologized for it," Steele wrote.

The victim filed a complaint with Steele's office in December 2022.

"When confronted with the audit evidence, the doctor admitted that they looked at the Complainant's medical records without any clinical reason," Steele's report reads, noting the admission came in a letter to the territorial medical chief of staff.

"The doctor offered a rationale for the data intrusion, but it is self-serving and scarcely believable. I find the letter constitutes a further privacy breach, because it uses information obtained from the privacy breach to try to justify the privacy breach."

In a statement to CBC News, the Department of Health said the doctor had left the territory and was on a locum contract when the allegations came to light. Still, the department terminated the doctor's contract, and said the victim also reported the incident to the Ontario and Quebec licensing bodies.

The Collège des médecins du Québec wrote in an email that it could neither confirm or deny it was investigating the specific doctor. It said the information only becomes public if the organization decides to file a complaint after completing an investigation. After a complaint is filed, a disciplinary hearing would be held.

The doctor looked through the complainants records through Nunavut's electronic medical records system, called Meditech, which keeps track of who looks at which records.

"Although there was an audit trail, Meditech had no built-in alert system. The doctor's actions came to light only because the Complainant asked, through ATIPP, to see the Meditech audit trail." 

The complainant requested that Steele name the doctor in the report, but Steele wrote that he decided not to as it wasn't deemed necessary and the ATIPP legislation prevents identifiable information unless required. 

Steele said the doctor committed two violations of the ATIPP Act, but that to his memory there has never been a conviction in Nunavut for these violations. He added, there have been prosecutions for data intrusion in other Canadian jurisdictions. 

Steele recommended the Department of Health, in consultation with the Justice department, consider prosecuting the doctor. But acknowledged there are difficulties, including the fact the doctor is no longer living in Nunavut and the fact the maximum fine, the maximum amount for both violations can't exceed $5,000, hardly merits the required cost and effort.