I’m Kate Dewhirst.

My team and I write about legal issues affecting healthcare in Canada.

Kate Dewhirst Health Law - bringing the law to life. Meet Kate (in 13 seconds)

Health Privacy Update #2 – October 2017 – 2 new decisions of the IPC

Posted by

Last week the IPC issued two new decisions for health care organizations in Ontario. The first one has practical impact on group practices like family health teams.

  1. Group practices should proactively clarify who is the health information custodian 

Decision 50 – This one will interest all family health teams and other group practices. It relates to a dispute between a physician and the other members of a group practice medical clinic.

The physician decided to leave the group practice medical clinic.  He believed he was the health information custodian over the health records of his patients and made private arrangements with the electronic medical record (eMR) service provider to extract the records of his patients from the shared eMR.  The medical clinic was taken by surprise when it discovered there were missing patient records from its eMR.  The  medical clinic believed it was the health information custodian (not the physician). This dispute went to court.  The parties entered into a “consent order” allowing the physician ongoing access to his patients’ records. The medical clinic was dissatisfied with the court process and outcome and complained to the IPC that the eMR service provider had improperly transferred some patient files to the departing physician without the clinic’s permission.

The IPC concluded it would not engage in a review and that the matter was better addressed by the courts. The IPC did comment on the fact that what most contributed to this dispute was the uncertainty over who was the health information custodian. The IPC referred to its document “How to Avoid Abandoned Records” where the IPC advised that all group practices should proactively identify the custodian for patient records in shared systems.

The IPC also recommends group practices address:

  • Arrangements for secure storage of records
  • The method of distribution of records in the event of a change in practice
  • The requirement to notify individuals in the event of a change in practice
  • Arrangements for dealing with the unforeseen departure of a custodian

With respect to the eMR service provider, the IPC stated that the agreement with the eMR service provider was vague as to who was the custodian and who should be notified of requests for patient record extraction. The take away message is that all group practices should make sure their contracts with eMR service providers clearly identify the custodian and who can authorize patient record extractions and who must be notified of such requests.

This case is not really relevant to hospitals or long-term care homes where the custodian status is never up for debate.

2. Prescribed Registry made a matching error involving two individuals with same name and date of birth

Decision 51 – An individual complained that a registry (a prescribed person under PHIPA) sent her a letter with another person’s laboratory test results.The IPC decided a review was not warranted under the circumstances.

As the back story, a mix up occurred with laboratory results relating to two individuals with the same first name and last name and date of birth. In conducting its investigation, the IPC concluded the mistake was not a labeling error by the referring physician (as first believed). Instead, it was a rare matching error (relating to computer linking logic) by the registry because one of the two individuals did not have an OHIP number that would have otherwise differentiated the two individuals. The registry sent test results to the wrong person. The IPC concluded that sending the letter to the wrong individual was an unauthorized disclosure of personal health information by the registry. But the IPC took no further action in this case. The registry was encouraged to look for opportunities to prevent this rare mistake from happening again.

Want to read all the decisions?: Here’s an updated summary of all 51 IPC PHIPA Decisions.


If you enjoyed this article please share it:


Previous and next posts from Kate:

Some of Kate’s recent and upcoming events

Free healthcare privacy webinar - ask me anything!
the first Wednesday of every month

Free webinars - advance registration needed

Whether you're an experienced privacy officer or new in the field, pick Kate’s brain for free for an hour, in this live webinar. No charge, but you’ll need to register in advance.

Health Privacy Officer Foundations training
starts March 2024

For Privacy Officers within healthcare organizations.

This course focuses on how to become a more confident privacy officer and gives you the tools to document your privacy program. Full details and registration here...

Join the Shush: a collective of health privacy officers
Annual membership 2024

For Privacy Officers within healthcare organizations

This is an annual membership program that takes theory into practice and tackles real life scenarios to build Privacy Officer skills.
Full details and registration here.

Primary care webinars: Employment Law Update & Legal Issues for EDs and Board members

Part of Kate’s monthly webinar series.

Our 2024 program is now live.
Full details of the 2024 webinar series and registration here.

Mental Health webinars: Legal issues for mental health and addictions agencies and teams
Annual membership 2024

For managers and other leaders from mental health and addictions agencies, hospitals, CMHAs, CHCs, school boards, FHTs and Indigenous health services

This is an annual membership program with monthly webinars.
Full details and registration here.

Team Privacy Training Events

For Primary Care clinics, Hospitals, Community Agencies, Mental Health Teams, Public Health Units, School Boards, Police departments

Scheduled to your team's needs for comprehensive or refresher training More details...

Free summary of all PHIPA IPC decisions

Want to read privacy breach stories to learn how to improve your work? We have summarized all the Information and Privacy Commissioner's health privacy decisions for you Download here...

Kate Dewhirst Health Law

Kate says:

My mission is bringing the law to life. I make legal theory understandable, accessible and fun! I’m available and love to work for all organizations in the healthcare sector across Ontario and beyond.

Subscribe to my mailing list and keep up to date with news:

Latest Tweets

  • Our twitter feed is unavailable right now. Follow us on Twitter
  • contact details

    P.O. Box 13024, RPO Bradford Centre
    Bradford, ON, L3Z 2Y5

    (416) 855 9557

    .