BreachExchange mailing list archives

St. Albert doctor suspended for privacy breach


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Fri, 29 Mar 2013 11:13:23 -0400

http://www.stalbertgazette.com/article/20130328/SAG0801/303289997/-1/sag0801/st-albert-doctor-suspended-for-privacy-breach

An emergency room doctor from St. Albert has been suspended for at
least a month because she illegally tapped into restricted medical
files.

The College of Physicians & Surgeons of Alberta announced this week
that it had found Deanne “Dee” Gayle Watrich, an emergency room doctor
and a St. Albert resident, to be guilty of unprofessional conduct.

Watrich had previously admitted to unprofessional conduct at a hearing
tribunal held by the college last November.

Specifically, the tribunal wrote in its ruling, Watrich accessed the
electronic health records of three people 21 times between Aug. 5,
2009, and May 2, 2010, without having a patient/physician relationship
with those people.

It’s okay for doctors to access patient records if they are actually
treating those patients, explained college spokesperson Kelly Eby, but
not otherwise.

“She accessed the electronic health records of three people who she
was not treating,” she said. “It’s an invasion of privacy.” It also
violates the provincial Health Professions Act and Health Information
Act, and goes against the Canadian Medical Association’s Code of
Ethics and the college’s standards of practice.

Watrich’s case started when the provincial privacy commission began
investigating a complaint from a man who had requested an Alberta
Netcare log. The log showed that nine doctors, none of whom were
treating him, had accessed his electronic health records. He alleged
that Watrich might be the one responsible.

The man listed his partner and mother as co-complainants, both of whom
had their files accessed by three other doctors.

Watrich admitted to the privacy commissioner and to the tribunal that
she was responsible for accessing these restricted records using the
logins of 12 other doctors.

On 21 occasions, the tribunal heard, Watrich used computers in the
emergency department of the Edmonton Misericordia Hospital to access
these records after the previous user had not logged out, and did so
knowing that her personal ID would not show up in the computer’s logs
as a result.

Watrich was in a personal relationship with one of the complainants
when she accessed some of the records, the tribunal found, and in a
relationship with the former spouse of said complainant when she
accessed others.

“I don’t know why I logged in to their Netcare and why I did it so
many times,” Watrich said at the hearing last November. “It didn’t
actually give me any power. It didn't give me anything.” In
retrospect, she believed accessing these records might have been a way
for her to cope with the difficult divorce and child-custody
proceedings her partner was going through at the time.

Watrich told the tribunal that she was humiliated and embarrassed by
her actions and “deeply disappointed in (herself).” She had apologized
to the complainants, and paid a “significant monetary settlement” to
them in a related lawsuit. Covenant Health (which runs the
Misericordia) had also put a reprimand on her record.

Even though Watrich didn’t disclose any of the information she
accessed, the tribunal ruled, her actions were done repeatedly and
with intent to deceive, and impugned the reputation of her fellow
physicians.

The tribunal suspended Watrich from medical practice for 60 days. She
will be actively banned for 30 days and then on probation for six
months, during which she may be suspended for another 30 days if she
does not show good behaviour.

Watrich was also ordered to take an ethics course and to pay
$22,232.59 to cover the cost of the college’s investigation. She has
done both.

The tribunal’s ruling can be found at cpsa.ab.ca.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
