Health Privacy Update #3 – October 2017 – WOW! 6 new decisions of the IPC released last week

Ontario’s Information and Privacy Commissioner just released six new health privacy decisions at the end of last week.

Want to know what they are about?

You can read my updated summaries of all 56 of the IPC PHIPA Decisions.

Or keep reading this blog for summaries of these six.

The decisions are not listed in chronological order in this blog because I want to alert you to Decision 54 first – where there is a recommendation to review your policies.

Decision 54:  A patient alleged her doctor disclosed more information than she agreed to when sending records to another physician relying on her express consent.  The patient had subsequently sent emails changing the nature of her express consent. The patient alleged that the physician ultimately shared too much information with the recipient physician. The IPC analyzed the “scope” of the patient’s consent to disclose information to another physician and discussed what constitutes a “withdrawal” of consent to disclose. The IPC concluded that while the physician had generally responded within scope, there were a few records provided to another physician outside the scope of the patient’s consent when the patient withdrew consent. The IPC ordered the physician to develop a written information practice that addresses how consents from patients to the disclosure of their PHI are to be processed, documented and clarified and to ensure that this written information practice includes a requirement for clarifying consent in situations of potential ambiguity or where there are conflicting instructions. The IPC commented generally that custodians need to be able to recreate packages of materials which are sent to other clinicians. This physician’s office was able to do so.

Bottom Line:  The IPC required this physician to do something. All custodians can take this order as a recommendation for their own practices. What to do?  Take a look at your privacy policy. Check to see if you have a written information practice that addresses how consents from patients to the disclosure of their PHI are to be processed, documented and clarified and ensure that your policy includes a requirement for clarifying consent in situations of potential ambiguity or where there are conflicting instructions. 

Decision 45 – We’ve been waiting for this one for awhile.  It’s a correction case. Interestingly involves the same family as relates to Decisions 32 (access complaint) and 38 (information management complaint). Parents asked the hospital to make corrections to their child’s record. The hospital’s decision not to make further corrections to the record was upheld by the IPC. The IPC concluded that some of the allegations did not raise issues of incompleteness or inaccuracy. The IPC stated that some of the allegations made by the parents fell outside the jurisdiction of the IPC (including issues of failure to meet standards of practice and treatment as well as the allegations of fraud). The IPC also responded to the parents’ concerns that the IPC was biased in favour of the hospital.

Bottom Line: This decision is consistent with other decisions of the IPC. There is nothing new required of health information custodians.  

Decision 52 – It’s a doozy. A 24-page decision (read super duper complicated) about an access request for hospital data. The patient asked for “underlying electronic data about him held by the hospital, in its native, industry-standard electronic format, including data files produced by diagnostic equipment”.  The IPC concluded that the complainant was not entitled to access data in the hospital’s electronic systems, devices or archives that could not be extracted through custom queries against reporting views available to the hospital. There was no obligation to produce patient data in its “native format”. In siting McInerney v. McDonald, the IPC stated that a patient has a right to access the same information viewed by or available to those providing health care. Not more data/information that the hospital itself could not reasonably utilize through reporting views available to it. But, the hospital was ordered to do specific tasks like issue a fee estimate and do another search for billing information.

Bottom Line: This decision should be reassuring to health care organizations. Patient requests for access to raw data in native format are rare. But if and when they happen they will require extra resources. This decision will help you understand when to reasonably say – “that’s all we can do for you”.  There is nothing new required of health information custodians.

Decision 53: The Ministry of Health and Long-Term Care received a request for access to records about coverage for a procedure performed outside Canada. It was a mixed request under FIPPA and PHIPA. The IPC ordered the Ministry to disclose one record. But upheld the Ministry’s decision to withhold two other records.

Bottom Line: There is nothing new required of health information custodians. But, it is helpful to know about it from the perspective of release of information in the context of litigation or other legal proceedings. 

Decision 55: A chiropractor received an access request from a father for records about his child. The chiropractor provided a copy of the record of the single visit. The father felt there should be additional records an complained the chiropractor had not conducted a “reasonable search“. The IPC found the chiropractor had conducted a “reasonable search” and that there was no reason to conduct a review in this case.

Bottom Line: There is nothing new required of health information custodians. But, this decision does reiterate what constitutes a “reasonable search”, FYI.

Decision 56: The Ministry of Health and Long-Term Care notified the IPC about a criminal fraud ring and as a side issue, concerns about the collection of health card numbers by an insurance company. The IPC was asked to review whether the insurance company should collect health card numbers for processing applications for supplementary health insurance plans (such as travel insurance and emergency medical travel insurance). The insurance company confirmed it collected health card numbers to be reimbursed for provincially insured services. The insurance company agreed to stop collecting health card numbers as part of its application process.  Instead the insurance company will collect health card numbers if there is a claim in order to be reimbursed for provincially insured services. Because the insurance company agreed to change its practices, a review by the IPC was not warranted.

Bottom Line: This decision relates to insurance companies – not health information custodians generally. No action is needed by custodians.