The province’s privacy commissioner is recommending a Moncton doctor face disciplinary measures and provincial charges after he accessed medical files of 141 women during a two-year period.

anne-bertrand-852_1

Anne Bertrand, the province's privacy commissioner, made five recommendations in her report that examined a privacy breach inside the Vitalité Health Network. (CBC)

Anne Bertrand released her report on Dr. Fernando Rojas Lievano on Thursday that detailed how the radio-oncologist at the Dr.-Georges-L-Dumont University Hospital Centre accessed the files of 141 women a total of 350 times.

The report makes five recommendations to the Vitalité Health Network:

  • Vitalité should consider disciplinary measures against Rojas

  • Vitalité should consider charges under the Provincial Offences Procedures Act

  • Random audits of access to electronic patient records be made more frequent

  • The authority quickly limit or restrict access to patient records when any suspicious activities are found

  • Continue the limits on Rojas’s access to the electronic patient records system and impose ongoing monitoring

Vitalité issued a statement on Thursday, saying it just received the report and will need to take time to review its conclusions and recommendations.

Meanwhile, the health network will continue with its own internal investigative process, the statement said.

"Our final report as well as recommendations will be submitted in the fall of 2014.

"Vitalité Health Network will not make any additional public statements before the conclusion of its internal investigative process."

Doctor still employed

The doctor is still employed by Vitalité, but has been "absent from his place of work since the end of February," the statement said, without explaining why he's not working at the hospital.

New Brunswick's privacy commissioner can only make recommendations and cannot order fines or force government agencies to follow her advice.

The report, however, used strong language to reinforce the findings.

Bertrand said she "strongly recommends" both disciplinary measures against the doctor and charges because of the "scale of unlawful accesses committed" by Rojas.

Fernando Rojas is still working, as of two weeks ago.

Dr. Fernando Rojas Lievano, a radio-oncologist at the Dr. Georges-L-Dumont University Hospital Centre in Moncton, accessed the files of 141 women a total of 350 times during a two-year period.

Some of the women, whose medical files were accessed by Rojas, work or worked at the hospital. Others were servers at a restaurant where he was a regular customer. 

The report confirmed the women were not the doctor’s patients and he told the commissioner that “he was looking at these patient files out of personal interest and to find out their age.”

“The ages of these women were between 13 and 39. Dr. Rojas Lievano also accessed the same patient files several times over the course of the audit period, from a few times to a considerable number of times,” the report said.

The report explained how Rojas’s unauthorized visits to these medical files were caught in an audit of the electronic patient record system.

Audit process should be strengthened

It also details how two additional audits were carried out as the scope of the privacy breach became known to the health authority’s administration. A retrospective audit was launched in April 2013 that examined the doctor's access to patient records from Sept. 1, 2010, to Jan. 18, 2013.

Bertrand’s report described meetings between the authority’s administration and Rojas over the privacy breach.

“During that meeting, Dr. Rojas Lievano was visibly shaken and stated that it was poor judgment on his part. He admitted to not having had the permission to access the patient records in question,” the report said.

“Dr. Rojas Lievano failed to provide any other reason for having accessed these records. Dr. Rojas Lievano qualified his actions by adding that he had neither copied nor communicated any of the information he had viewed in the electronic health records of these patients.”

TB patient

Bertrand’s report is recommending Vitalité’s audit process be strengthened to catch future privacy breaches more quickly. (CBC)

The report further stated that it did not find any evidence that Rojas shared the personal health information about the patients that he accessed or that Vitalité did not have any evidence to suggest any of the 141 patients were at risk because of the privacy breach.

The privacy commissioner’s report is making recommendations to strengthen Vitalité’s audit process to catch future breaches more quickly or to prevent other health professionals from making future unauthorized visits to patient records.

“By instituting more frequent random audits, suspicious activities will be detected more quickly; equally important, more frequent random audits will also serve as a deterrent to all users to only access electronic patient records when authorized,” the report said.

Bertrand's report also noted how unauthorized access to patient files is on the increase in Canada.

"Snooping in medical records is quickly becoming one of the most reported and publicly reproachable actions on the part of custodians who handle patient information to work in the health care industry throughout Canada," the report said.