Professionals are directly liable for disclosures of personal patient information, even if they address the situation in good faith

September 26th, 2024

On October 27, 2023, the Québec College of Physicians’ Disciplinary Council (the “Council”) rendered a major decision regarding the minimum threshold professionals must meet to protect the personal information they gain access to in the context of their work.

The decision makes it clear that a professional’s lack of familiarity with a cloud platform on which medical information concerning patients is stored does not release them from their duty of professional secrecy and confidentiality. They are still expected to strictly control access to these types of platforms.

In this particular case, the professional saved confidential patient files on a personal cloud platform. The files, stored in photo format, included photos of patients in the operating room at the time of surgery, clinical observations, medical prescriptions, operating lists, on-call schedules, reports and progress notes.

The cloud platform in question had been created by her ex-husband, who owned it, and was being used as a family cloud platform. He had his wife’s username and password. He also acted as an assistant in the company she had set up to practise her profession. He therefore had access to the many files she had saved on the platform as part of her professional activities.

The court noted that, despite her good faith, the professional had allowed a third party access to files containing confidential medical information and nominative patient data.

Based on these facts, the Council concluded that in trusting her ex-husband, the professional had failed to comply with the provisions for protecting patient rights, professional secrecy and confidentiality of medical information.

The decision shows that the Disciplinary Council took the following factors into account:

  • The objective seriousness of the offence committed by the professional, which jeopardized fundamental patient rights protected by the Charter of human rights and freedoms and by several laws.
  • The professional’s breaches do not constitute an isolated act, considering the period over which the offence was committed, i.e. nine years.
  • The professional knew that her ex-husband had access to the cloud platform where she saved photos and information about her patients.
  • The professional acknowledged the facts during the investigation and self-disclosed the breaches of confidentiality to the Professional Inspection Service of the Québec College of Physicians, to the Access to Information Commission, and to the management of the establishments where she practised.

The court pointed out that even if a professional acts in good faith, lacks knowledge about information technology or cloud computing matters and voluntarily reports an accidental disclosure of personal information, this still counts as a breach of their duty to keep medical records confidential, grant access only to authorized persons and preserve the secrecy of any confidential information obtained in the course of their practice.

In a decision rendered on April 9, 2024, the Disciplinary Council endorsed a joint recommendation to strike the professional off the roll for two weeks.

The key takeaway is that professionals who use technology in their practice have a duty of diligence. This includes understanding the technologies used and ensuring that personal information stored therein remains confidential.