The province’s privacy commissioner is recommending a Moncton doctor face disciplinary measures and provincial charges after he accessed medical files of 141 women during a two-year period.
Anne Bertrand released her report on Dr. Fernando Rojas Lievano on Thursday that detailed how the radio-oncologist at the Dr.-Georges-L-Dumont University Hospital Centre accessed the files of 141 women a total of 350 times.
The report makes five recommendations to the Vitalité Health Network:
Vitalité should consider disciplinary measures against Rojas
Vitalité should consider charges under the Provincial Offences Procedures Act
Random audits of access to electronic patient records be made more frequent
The authority quickly limit or restrict access to patient records when any suspicious activities are found
- Continue the limits on Rojas’s access to the electronic patient records system and impose ongoing monitoring
Vitalité issued a statement on Thursday, saying it just received the report and will need to take time to review its conclusions and recommendations.
Meanwhile, the health network will continue with its own internal investigative process, the statement said.
"Our final report as well as recommendations will be submitted in the fall of 2014.
"Vitalité Health Network will not make any additional public statements before the conclusion of its internal investigative process."
Doctor still employed
The doctor is still employed by Vitalité, but has been "absent from his place of work since the end of February," the statement said, without explaining why he's not working at the hospital.
New Brunswick's privacy commissioner can only make recommendations and cannot order fines or force government agencies to follow her advice.
The report, however, used strong language to reinforce the findings.
Bertrand said she "strongly recommends" both disciplinary measures against the doctor and charges because of the "scale of unlawful accesses committed" by Rojas.
Some of the women, whose medical files were accessed by Rojas, work or worked at the hospital. Others were servers at a restaurant where he was a regular customer.
The report confirmed the women were not the doctor’s patients and he told the commissioner that “he was looking at these patient files out of personal interest and to find out their age.”
“The ages of these women were between 13 and 39. Dr. Rojas Lievano also accessed the same patient files several times over the course of the audit period, from a few times to a considerable number of times,” the report said.
The report explained how Rojas’s unauthorized visits to these medical files were caught in an audit of the electronic patient record system.
Audit process should be strengthened
It also details how two additional audits were carried out as the scope of the privacy breach became known to the health authority’s administration. A retrospective audit was launched in April 2013 that examined the doctor's access to patient records from Sept. 1, 2010, to Jan. 18, 2013.
Bertrand’s report described meetings between the authority’s administration and Rojas over the privacy breach.
“During that meeting, Dr. Rojas Lievano was visibly shaken and stated that it was poor judgment on his part. He admitted to not having had the permission to access the patient records in question,” the report said.
“Dr. Rojas Lievano failed to provide any other reason for having accessed these records. Dr. Rojas Lievano qualified his actions by adding that he had neither copied nor communicated any of the information he had viewed in the electronic health records of these patients.”
The report further stated that it did not find any evidence that Rojas shared the personal health information about the patients that he accessed or that Vitalité did not have any evidence to suggest any of the 141 patients were at risk because of the privacy breach.
The privacy commissioner’s report is making recommendations to strengthen Vitalité’s audit process to catch future breaches more quickly or to prevent other health professionals from making future unauthorized visits to patient records.
“By instituting more frequent random audits, suspicious activities will be detected more quickly; equally important, more frequent random audits will also serve as a deterrent to all users to only access electronic patient records when authorized,” the report said.
Bertrand's report also noted how unauthorized access to patient files is on the increase in Canada.