The West Coast District Health Board has admitted it can't be sure its clinicians have always followed the rules for accessing patient files.
Two WCDHB staff are among four clinicians under investigation for snooping at medical files of cricket player Jesse Ryder through system-sharing while he was a patient in Christchurch Hospital.
The other two clinicians are from Christchurch and South Canterbury.
Only staff involved in the care of a patient are supposed to access the patient's files.
The WCDHB has refused to answer questions from The Westport News about the incidents, saying staff privacy comes before the public right to know.
However, programme manager Michael Frampton today conceded similar breaches of patient privacy might have happened before and not been picked up.
Initially, he told The Westport News the WCDHB was confident similar breaches hadn't happened before. Further questioned, he acknowledged "it's possible'' the WCDHB might not know of previous breaches. He said the WCDHB seldom audited staff access to patient files because of the amount of work an audit involved.
The Ryder case was the first time a proactive audit had discovered inappropriate access to data, said Mr Frampton. He did not know what had prompted the audit.
The DHB used a number of clinical patient information systems, none of which the public could access or view, he said.
It was able to trace who had inappropriately accessed Ryder's information because each staff member had a unique log-in.
"It's hugely positive that the process works but nonetheless a significant disappointment that it had to.''
The Westport News asked the WCDHB whether the Coast clinicians who accessed Ryder's files were doctors or nurses, where they worked, and when and why they had accessed his files. The newspaper also asked whether either clinician had been suspended and how long the investigation was likely to take.
Mr Frampton said answering any of the questions was "not appropriate''.
"These are ongoing investigations and at the end of the day these individuals themselves are entitled to privacy. This is a matter affecting the employment relationship. This is not something I'm going to provide any further information about.''
He said the WCDHB considered any inappropriate access to a patient's records a matter of serious misconduct and subject to its disciplinary process.
David Meates, who heads the Canterbury and West Coast DHBs, said the patient information systems were designed to provide clinical staff involved in various aspects of a patient's care access to the best medical information available to inform their decisions.
"Sharing electronic information means faster, better and safer care. Put simply, electronic information sharing saves lives.''
Mr Meates said there were processes in place to protect patient privacy. They included ensuring access was only by the staff directly involved in a patient's care, via unique log-ins which are completely traceable and left a `footprint' each time a record is accessed.
The clinical information system that was used inappropriately was PACS (Picture Archive and Communications System - for radiology/X-ray images), a cross-DHB system for sharing radiology information.
eSCRV (shared care record view) was not used although it too was an electronic information sharing system and the same audit processes applied, Mr Meates said.
eSCRV was a secure portal enabling clinicians to share relevant information according to their role in a patient's care. A doctor or registered nurse would be able to see a wide range of information while a pharmacist would be able to see information useful to them such as prescriptions, allergies and discharge letters.
"For staff members to access patient files they need to `tick a box' to access patient records. Therefore they are made aware that they should only access the record if they are involved in patient care,'' Mr Meates said.