Health Privacy Update #2 – October 2017 – 2 new decisions of the IPC

Last week the IPC issued two new decisions for health care organizations in Ontario. The first one has practical impact on group practices like family health teams.

1. Group practices should proactively clarify who is the health information custodian

Decision 50 – This one will interest all family health teams and other group practices. It relates to a dispute between a physician and the other members of a group practice medical clinic.

The physician decided to leave the group practice medical clinic. He believed he was the health information custodian over the health records of his patients and made private arrangements with the electronic medical record (eMR) service provider to extract the records of his patients from the shared eMR. The medical clinic was taken by surprise when it discovered there were missing patient records from its eMR. The medical clinic believed it was the health information custodian (not the physician). This dispute went to court. The parties entered into a “consent order” allowing the physician ongoing access to his patients’ records. The medical clinic was dissatisfied with the court process and outcome and complained to the IPC that the eMR service provider had improperly transferred some patient files to the departing physician without the clinic’s permission.

The IPC concluded it would not engage in a review and that the matter was better addressed by the courts. The IPC did comment that what most contributed to this dispute was the uncertainty over who was the health information custodian. The IPC referred to its document “How to Avoid Abandoned Records”, in which it advised that all group practices should proactively identify the custodian for patient records in shared systems.

The IPC also recommends group practices address:

  • Arrangements for secure storage of records
  • The method of distribution of records in the event of a change in practice
  • The requirement to notify individuals in the event of a change in practice
  • Arrangements for dealing with the unforeseen departure of a custodian

With respect to the eMR service provider, the IPC stated that the agreement with the eMR service provider was vague as to who was the custodian and who should be notified of requests for patient record extraction. The takeaway message is that all group practices should make sure their contracts with eMR service providers clearly identify the custodian, who can authorize patient record extractions, and who must be notified of such requests.

This case is not really relevant to hospitals or long-term care homes where the custodian status is never up for debate.

2. Prescribed Registry made a matching error involving two individuals with same name and date of birth

Decision 51 – An individual complained that a registry (a prescribed person under PHIPA) sent her a letter with another person’s laboratory test results. The IPC decided a review was not warranted under the circumstances.

By way of background, a mix-up occurred with laboratory results relating to two individuals with the same first name, last name and date of birth. In conducting its investigation, the IPC concluded the mistake was not a labeling error by the referring physician (as first believed). Instead, it was a rare matching error (relating to computer linking logic) by the registry: one of the two individuals did not have an OHIP number, which would otherwise have differentiated them. The registry sent test results to the wrong person. The IPC concluded that sending the letter to the wrong individual was an unauthorized disclosure of personal health information by the registry. But the IPC took no further action in this case. The registry was encouraged to look for opportunities to prevent this rare mistake from happening again.

Want to read all the decisions? Here’s an updated summary of all 51 IPC PHIPA Decisions.