
Unauthorised access to 35 patients’ records sees trainee doctor suspended

A trainee doctor was suspended after admitting to unauthorised and unjustified access to 35 patients’ medical records on 97 occasions and disclosing information from those records. The doctor was later diagnosed with post-traumatic stress disorder and major depressive disorder. While accepting that mental illness played a role, the tribunal concluded the conduct was professional misconduct.

Monday, 3 March 2025

Key messages from the case

It is never appropriate for health practitioners to access patient records for reasons such as personal interest, curiosity or for self-education. Unauthorised access to records and disclosure of patient information will breach legal, employment and professional obligations. 

Details of the decision

Accessing patient records without clinical justification 

Dr N, a trainee doctor, admitted to accessing 35 patients’ medical records on 97 occasions without any legal reason or authority to do so. They also disclosed a patient’s personal health information to a friend who then reported this to police, and the matter was investigated. The subsequent audit revealed Dr N had accessed records over the course of several months. 

Some of the records accessed were of people Dr N knew. Records accessed included mental health records and psychiatric assessments. 

Dr N was not involved in the care of any of the patients and had no clinical need to access the records.  

Dr N explained they were suffering severe anxiety at the time. They were subsequently diagnosed with a chronic post-traumatic stress disorder and major depressive disorder. They had a history of grooming and sexual assault and of intimate partner violence and had recently ended a relationship with their fiancé who experienced drinking problems.  

Dr N said they were trying to identify whether certain individuals posed a threat. In searching for these individuals, Dr N had looked through records of multiple patients with the same name. Dr N now recognised that accessing patient notes had become a kind of anxiety-driven compulsive response which provided a semblance of control.  

Dr N agreed they had signed an employment confidentiality agreement and undertaken never to disclose patient information other than in the course of their official duties. Dr N had also knowingly bypassed ‘break glass’ system warnings that they were accessing records without authorisation. 

Dr N accepted their conduct was in breach of their professional obligations and privacy legislation. 

Outcome

Dr N accepted the tribunal’s finding that the conduct constituted professional misconduct and was likely to bring the medical profession into disrepute. Disclosing information to another party was a serious breach of their obligations. 

The tribunal concluded that an appropriate penalty would have been at least four months’ suspension. However, since Dr N had been out of clinical practice for nearly three years the tribunal did not impose any further suspension. 

The tribunal took into account Dr N’s mental state and personal situation at the time. 

Since that time, Dr N had sought treatment and therapy and was permitted to work under supervision. 

There had been no further unauthorised access of records. 

Dr N was censured and required to comply with the requirements of the regulator for a further three years.  

They were ordered to undertake education on medical ethics, privacy, confidentiality and professional boundaries. They were also required to meet with a supervisor and undergo quarterly audits of their access to patient records. 

The tribunal ordered Dr N to pay $30,000. 

Dr N was granted an order that their name and any identifying details not be published. 

Key lessons

Patient health records can only be legally used: 

  • to provide medical treatment to the patient at the time 
  • for limited non-clinical purposes such as billing or complaint management 
  • if the patient has consented to access for another purpose (for example, research or to support a compensation or insurance claim), or 
  • with legal authority (for example under a subpoena or police warrant). 

Be sure that you understand your legal, professional and workplace obligations to maintain patient confidentiality and protect patient privacy. 

Never be tempted to access patient records for another reason, including personal interest, concern for a family member, curiosity or self-education.  

Consequences of an unauthorised and unjustified access can include fines, employment termination and loss of registration. 


More information

For medico-legal advice, please contact us here, or call 1800 128 268, 24/7 in emergencies.

The case discussed in this publication is based on a real case. Certain information has been de-identified to preserve privacy and confidentiality. The information in this article does not constitute legal advice or other professional advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of its content. 
