I’m Kate Dewhirst.

I’m a lawyer who writes about legal issues affecting healthcare in Canada

Kate Dewhirst Health Law - bringing the law to life. Meet Kate (in 13 seconds)

Health Privacy Update #2 – August 2017 – Precedent setting new case Decision 49

Posted by

The Information and Privacy Commissioner of Ontario just released two more decisions all health care providers in Ontario should read.

Decision 48: A hospital received a request for access to records. The hospital provided the complainant with a full copy of his health records but the complainant believed there should be additional records (specifically letters from a social worker). The complainant had copies of the letters the social worker had written and wanted confirmation that the hospital had those letters in its records. The social worker had since retired from the hospital. The hospital searched for those records, but could not find them. The IPC required the hospital to provide affidavits explaining the searches performed and steps taken to locate responsive records.  IPC concluded that the hospital had completed a “reasonable search” and was convinced the hospital did not have copies of the social worker letters. The IPC dismissed the complaint.

Bottom Line:  Decision 48 supports previous decisions of the IPC and explains the responsibility to conduct “reasonable searches”.

Decision 49: This one is monumental. For the first time, the IPC has ordered a patient to destroy records using the “recipient” rules under the health privacy legislation.

After a clinical appointment, a patient took a photograph of a physician’s computer screen. The image captured the health information of 71 other patients. The patient was upset that the physician had left the computer unlocked with his and other people’s information on the screen. He wanted to pursue a legal claim against the physician and was threatening to make the image public or share the image with his lawyer in order to file a lawsuit against the physician or both.  Once notified of the photograph, the physician asked the patient to securely destroy it because he was not authorized to have the other patients’ information. The patient refused. The physician notified the 71 patients of the privacy breach. The IPC will review the physician’s practices separately.

IPC concluded that the photograph was a record of personal health information and that the physician had disclosed personal health information to the patient by not protecting the information on the computer screen. The disclosure was not authorized by PHIPA.

IPC found that the patient was a “recipient” of personal health information under PHIPA.  As such, the IPC had the authority to and ordered the patient to destroy the image and all copies because the patient had or intended to contravene PHIPA.  Because the patient had not yet initiated legal action against the physician many months later, the IPC refrained from deciding whether the patient would have been entitled to use the image for the purposes of litigation. The hospital undertook to maintain a copy of the image in case of future litigation.

Bottom Line:  Decision 49 is a bit of a game changer.

First, it is essential that health care providers take care not to allow patients or visitors to collect information from computer screens or other sources. Even if done inadvertently, allowing patients to view other patients’ information constitutes a privacy breach.

Second, this is the first time we see a recipient ordered to destroy health information.  When there has been a breach, one of the first obligations is to contain the breach. One way to contain the breach is to make sure that anyone who received or copied personal health information inappropriately confirms they have destroyed the copy or returned the record.  It is rare to have a recipient refuse to comply with this request. This decision now demonstrates the IPC’s power to compel the destruction of copies of health records in the hands of those who should not have the information.

Here is an updated summary of all 49 IPC PHIPA Decisions


If you enjoyed this article please share it:


Previous and next posts from Kate:

Some of Kate’s recent and upcoming events

Team Privacy Training Events

September 17, September 24, October 16, October 24 and November 21

For Primary Care clinics, Children’s Aid and FHTs

Kate trains health professionals from many more primary care organizations how being privacy-respectful can improve therapeutic relationships. more details...

Speaking event

October 23, 2019

Osgoode Professional Development – Mental health Certificate

Kate joins the faculty for this training event. More details...

Primary care webinars: Contracts & Communications

September 5 and October 3, 2019, 12 noon

Part of Kate’s monthly webinar series.

Our September webinar is about understanding contracts you may be asked to sign, and in Octber our title is Managing incapacity in the workplace.

Full details of the 2019 webinar series and registration here.

Privacy Officer training

January 20 & 27 and February 3,10 & 18, 2020

Kate is the program chair for the Osgoode Certificate in Privacy in Healthcare.

This program explores the range of privacy interests that must be protected in the day-to-day treatment of patients, the development of information systems and the creation of institutional policies.More details ...

Advanced Privacy Officer training

December 10, 2019

For experienced Privacy Officers within healthcare organisations.

This one day training course focuses on how to handle difficult privacy situations using real-life (but anonymized) case studies and role-play. Full details and registration here...

Free healthcare privacy webinar - ask me anything!

August 7 and September 4, 2019, 10-11am EST

Free webinars - advance registration needed

Whether you're an experience privacy officer or new in the field, pick Kate’s brain for free for an hour, in this live webinar. No charge, but you’ll need to register in advance.

Kate Dewhirst Health Law

Kate says:

My mission is bringing the law to life. I make legal theory understandable, accessible and fun! I’m available and love to work for all organizations in the healthcare sector across Ontario and beyond.

Subscribe to my mailing list and keep up to date with news:

Latest Tweets


One of the key privacy messages every healthcare organization needs to know is a patient has a right to access thei… https://t.co/5yUfeakz1j

08:01 AM Sep 21st

Have you witnessed a bad situation where the organization’s response or lack of response made things worse?… https://t.co/3b3UgwRHxj

08:01 AM Sep 20th

contact details

901 King Street West Suite 400 East Tower
Toronto Ontario M5V 3H5

(416) 855 9557

.