A junior Waikato Hospital doctor was left "humiliated and ashamed" after colleagues, including senior clinicians, accessed his medical records without good reason.
The doctor had been treated at the hospital's emergency department, and later became aware that colleagues appeared to know about his medical issues, and he was the subject of workplace gossip.
The Privacy Commissioner has found his privacy was breached - that the Waikato District Health Board interfered with the doctor's privacy by failing to safeguard personal health information and failing to release personal information to the doctor when he requested it.
The doctor, who the Herald is not naming, was a registrar at Waikato Hospital when he sought medical treatment at the emergency department on multiple occasions in 2016 and 2017, according to findings by the Privacy Commissioner's senior investigator.
Through a series of employment-related meetings the doctor became suspicious that his medical records had been inappropriately accessed by colleagues, managers and the human resources department.
He raised concerns with the DHB which undertook an audit of access to his medical file, and found no inappropriate access.
The doctor complained to the Privacy Commissioner in March 2018 to obtain a copy of the audit.
When checking the audit log, he noted the names of several senior clinicians and another registrar working in the same department as him, who had accessed his file without good reason.
"When you obtained the full audit log you could see that colleagues that you worked closely with had accessed your medical records," the investigator wrote in her findings.
The doctor said he was acutely aware that people in his workplace, including immediate colleagues, knew about his medical issues and he believed he was the subject of gossip.
"You felt humiliated and ashamed that your information had been accessed."
The investigator accepted the doctor had suffered harm and found the DHB had breached principle 5 of the Health Information Privacy Code, which governs the way information is stored.
"You say that your health information was then used by the DHB in employment proceedings which resulted in your resignation as a registrar in November 2018," the investigator stated.
In May last year the doctor received a letter of apology from the HR department with the subject line "Clinicians sharing of health information to Waikato DHB staff".
The letter said it had become apparent the doctor's information had not been used by the DHB in compliance with Rule 10 of the Code, which places restrictions on how people and organisations can use or disclose health information.
"In particular, your health information was used without your consent for the purpose of your personnel management."
The doctor again complained to the Privacy Commissioner.
In December he officially requested from the DHB its investigation into the privacy breaches, and all internal correspondence regarding himself from those involved in the privacy breaches and another doctor in his department.
In January the DHB said it had already provided the investigation information, but ignored the request for internal correspondence.
When questioned by the Privacy Commissioner the DHB said the doctor's request did not fall within the scope of Rule 6 of the Code, which gives individuals the right to access their health information.
"I do not accept that reasoning," the investigator wrote. "Your request was for 'all internal correspondence regarding myself from those involved in my privacy breaches'.
"You were clearly asking for information 'regarding yourself' and this is within scope of a principle 6 request."
The DHB then said the information was not readily retrievable because of the wide scope of the request but the investigator said it didn't appear the DHB had made any attempt to retrieve the information.
"You specifically named five clinical staff. The DHB asking those staff to search their emails for information relating to you and the issues raised relating to your medical records would not appear to be an overly onerous task."
The investigator found the DHB in breach of principle 6 but said the DHB had reconsidered its approach to the requests and would now conduct a search for the information.
Despite the apology letter from the HR department last May the DHB later told the Privacy Commissioner it relied on exceptions to Rule 10 as reasons for using the doctor's information in personnel management.
The rule allows an agency to use health information for a different purpose than it was collected if it believes it is necessary to prevent a serious threat to public health or safety, or to the life or health of the person concerned, or another person.
The investigator discontinued the investigation into whether the DHB used the doctor's information inappropriately but said he could take the case to the Human Rights Review Tribunal.
She recommended the DHB consider reviewing its policies around its employees seeking medical treatment in its ED.
"Employees should be able to seek medical treatment without fear that their treatment information will be disseminated to their colleagues or supervisors."
The doctor told the Herald he'd been forced to switch medical specialities because of the situation and had moved on.
"They put me through a nightmare and denying my experience and outright lying to me over a period of time took an enormous toll on me."
The DHB said in a statement its staff took privacy very seriously.
"All staff have a professional and ethical obligation to maintain privacy and confidentiality and are reminded of this obligation frequently.
"Additionally, all new staff members to the DHB must undertake a mandatory privacy course so they are aware of their obligations."
With regard to this case, the DHB said it found no privacy breaches during the audit because the access logs showed the names of staff members who had left the organisation and were unable to be contacted.
"The response to the relevant audit request clearly stated that no unauthorised access had been identified from those that we had been able to verify," the statement said.
When asked why the doctor had to complain to the Privacy Commissioner to get a copy of the audit, the DHB said its policy at the time required staff access information to be withheld to protect their privacy.
"This approach was subsequently reconsidered and the full audit information released once concerns were raised.
"It is now policy to release staff access information following a patient request."
When asked why it would not release personal information to the doctor when he requested it, a breach under the Privacy Act, the DHB maintained the initial request was unclear and broad.
"It has since been clarified and the DHB is compiling the requested information."
When asked why the DHB used the doctor's personal information in personnel management of him when the information was not collected for that purpose, the DHB said it could not comment in detail on that "due to privacy reasons".
"However, we note that the Privacy Commissioner has not found any breach by the DHB in this regard."
On the letter of apology, the DHB again said it could not comment because of privacy but that in the ensuing events "all relevant safety measures were taken to ensure patient and staff safety at all times".