I’m Kate Dewhirst.

I’m a lawyer who writes about legal issues affecting healthcare in Canada

Kate Dewhirst Health Law - bringing the law to life. Meet Kate (in 13 seconds)

Health Privacy Update #2 – October 2017 – 2 new decisions of the IPC

Posted by

Last week the IPC issued two new decisions for health care organizations in Ontario. The first one has practical impact on group practices like family health teams.

  1. Group practices should proactively clarify who is the health information custodian 

Decision 50 – This one will interest all family health teams and other group practices. It relates to a dispute between a physician and the other members of a group practice medical clinic.

The physician decided to leave the group practice medical clinic.  He believed he was the health information custodian over the health records of his patients and made private arrangements with the electronic medical record (eMR) service provider to extract the records of his patients from the shared eMR.  The medical clinic was taken by surprise when it discovered there were missing patient records from its eMR.  The  medical clinic believed it was the health information custodian (not the physician). This dispute went to court.  The parties entered into a “consent order” allowing the physician ongoing access to his patients’ records. The medical clinic was dissatisfied with the court process and outcome and complained to the IPC that the eMR service provider had improperly transferred some patient files to the departing physician without the clinic’s permission.

The IPC concluded it would not engage in a review and that the matter was better addressed by the courts. The IPC did comment on the fact that what most contributed to this dispute was the uncertainty over who was the health information custodian. The IPC referred to its document “How to Avoid Abandoned Records” where the IPC advised that all group practices should proactively identify the custodian for patient records in shared systems.

The IPC also recommends group practices address:

  • Arrangements for secure storage of records
  • The method of distribution of records in the event of a change in practice
  • The requirement to notify individuals in the event of a change in practice
  • Arrangements for dealing with the unforeseen departure of a custodian

With respect to the eMR service provider, the IPC stated that the agreement with the eMR service provider was vague as to who was the custodian and who should be notified of requests for patient record extraction. The take away message is that all group practices should make sure their contracts with eMR service providers clearly identify the custodian and who can authorize patient record extractions and who must be notified of such requests.

This case is not really relevant to hospitals or long-term care homes where the custodian status is never up for debate.

2. Prescribed Registry made a matching error involving two individuals with same name and date of birth

Decision 51 – An individual complained that a registry (a prescribed person under PHIPA) sent her a letter with another person’s laboratory test results.The IPC decided a review was not warranted under the circumstances.

As the back story, a mix up occurred with laboratory results relating to two individuals with the same first name and last name and date of birth. In conducting its investigation, the IPC concluded the mistake was not a labeling error by the referring physician (as first believed). Instead, it was a rare matching error (relating to computer linking logic) by the registry because one of the two individuals did not have an OHIP number that would have otherwise differentiated the two individuals. The registry sent test results to the wrong person. The IPC concluded that sending the letter to the wrong individual was an unauthorized disclosure of personal health information by the registry. But the IPC took no further action in this case. The registry was encouraged to look for opportunities to prevent this rare mistake from happening again.

Want to read all the decisions?: Here’s an updated summary of all 51 IPC PHIPA Decisions.


If you enjoyed this article please share it:


Previous and next posts from Kate:

Some of Kate’s recent and upcoming events

Primary care webinars: Employment Law Update & Legal Issues for EDs and Board members

Part of Kate’s monthly webinar series.

Our December program will address harassment in the workplace.
Full details of the 2021 webinar series and registration here.

Free healthcare privacy webinar - ask me anything!
the first Wednesday of every month

Free webinars - advance registration needed

Whether you're an experienced privacy officer or new in the field, pick Kate’s brain for free for an hour, in this live webinar. No charge, but you’ll need to register in advance.

Team Privacy Training Events
November 11, 12, 13, 18, 24, 25, 26, December 4 7

For Primary Care clinics, Hospitals, Community Agencies and Children’s Aid

Kate trains health professionals from many more health care organizations how being privacy-respectful can improve therapeutic relationships. More details...

Free Part X CYFSA privacy webinar - ask me anything!
the second Wednesday of every month

Free webinars - advance registration needed

Whether you're an experienced privacy designate or new in the field, pick Kate’s brain for free for an hour, in this live webinar. No charge, but you’ll need to register in advance.

Part X CYFSA Privacy Designate training
November 10 and 17

For Privacy Designates in the child welfare sector including children's aid societies and indigenous children's well-being centres

This course focuses on how to implement Part X of the Child Youth and Family Services Act in your organization.
Full details and registration here.

Health Privacy Officer training
April 2021

For Privacy Officers within healthcare organizations - now totally online.

This course focuses on how to become a more confident privacy officer and gives you the tools to document your privacy program. Full details and registration here...

Advanced Health Privacy Officer training
June 2021

For Privacy Officers within healthcare organizations - now totally online

This course focuses on taking theory into practice and we do real life scenarios to build your Privacy Officer skills.
Full details and registration here.

Kate Dewhirst Health Law

Kate says:

My mission is bringing the law to life. I make legal theory understandable, accessible and fun! I’m available and love to work for all organizations in the healthcare sector across Ontario and beyond.

Subscribe to my mailing list and keep up to date with news:

Latest Tweets


RT @choirchoirchoir: We sang the 🇨🇦 anthem at the Grey Cup 3 yrs ago + trended because we upped the BPM’s + actually had a good time with…

about 15 hours ago


contact details

P.O. Box 97010 Roncesvalles
Toronto Ontario M6R 3B3

(416) 855 9557

.