I’m Kate Dewhirst.

My team and I write about legal issues affecting healthcare in Canada.

Kate Dewhirst Health Law - bringing the law to life. Meet Kate (in 13 seconds)

Health Privacy Update #3 – October 2017 – WOW! 6 new decisions of the IPC released last week

Posted by

Ontario’s Information and Privacy Commissioner just released six new health privacy decisions at the end of last week.

Want to know what they are about?

You can read my updated summaries of all 56 of the IPC PHIPA Decisions.

Or keep reading this blog for summaries of these six.

The decisions are not listed in chronological order in this blog because I want to alert you to Decision 54 first – where there is a recommendation to review your policies.

Decision 54:  A patient alleged her doctor disclosed more information than she agreed to when sending records to another physician relying on her express consent.  The patient had subsequently sent emails changing the nature of her express consent. The patient alleged that the physician ultimately shared too much information with the recipient physician. The IPC analyzed the “scope” of the patient’s consent to disclose information to another physician and discussed what constitutes a “withdrawal” of consent to disclose. The IPC concluded that while the physician had generally responded within scope, there were a few records provided to another physician outside the scope of the patient’s consent when the patient withdrew consent. The IPC ordered the physician to develop a written information practice that addresses how consents from patients to the disclosure of their PHI are to be processed, documented and clarified and to ensure that this written information practice includes a requirement for clarifying consent in situations of potential ambiguity or where there are conflicting instructions. The IPC commented generally that custodians need to be able to recreate packages of materials which are sent to other clinicians. This physician’s office was able to do so.

Bottom Line:  The IPC required this physician to do something. All custodians can take this order as a recommendation for their own practices. What to do?  Take a look at your privacy policy. Check to see if you have a written information practice that addresses how consents from patients to the disclosure of their PHI are to be processed, documented and clarified and ensure that your policy includes a requirement for clarifying consent in situations of potential ambiguity or where there are conflicting instructions. 

Decision 45 – We’ve been waiting for this one for awhile.  It’s a correction case. Interestingly involves the same family as relates to Decisions 32 (access complaint) and 38 (information management complaint). Parents asked the hospital to make corrections to their child’s record. The hospital’s decision not to make further corrections to the record was upheld by the IPC. The IPC concluded that some of the allegations did not raise issues of incompleteness or inaccuracy. The IPC stated that some of the allegations made by the parents fell outside the jurisdiction of the IPC (including issues of failure to meet standards of practice and treatment as well as the allegations of fraud). The IPC also responded to the parents’ concerns that the IPC was biased in favour of the hospital.

Bottom Line: This decision is consistent with other decisions of the IPC. There is nothing new required of health information custodians.  

Decision 52 – It’s a doozy. A 24-page decision (read super duper complicated) about an access request for hospital data. The patient asked for “underlying electronic data about him held by the hospital, in its native, industry-standard electronic format, including data files produced by diagnostic equipment”.  The IPC concluded that the complainant was not entitled to access data in the hospital’s electronic systems, devices or archives that could not be extracted through custom queries against reporting views available to the hospital. There was no obligation to produce patient data in its “native format”. In siting McInerney v. McDonald, the IPC stated that a patient has a right to access the same information viewed by or available to those providing health care. Not more data/information that the hospital itself could not reasonably utilize through reporting views available to it. But, the hospital was ordered to do specific tasks like issue a fee estimate and do another search for billing information.

Bottom Line: This decision should be reassuring to health care organizations. Patient requests for access to raw data in native format are rare. But if and when they happen they will require extra resources. This decision will help you understand when to reasonably say – “that’s all we can do for you”.  There is nothing new required of health information custodians.

Decision 53: The Ministry of Health and Long-Term Care received a request for access to records about coverage for a procedure performed outside Canada. It was a mixed request under FIPPA and PHIPA. The IPC ordered the Ministry to disclose one record. But upheld the Ministry’s decision to withhold two other records.

Bottom Line: There is nothing new required of health information custodians. But, it is helpful to know about it from the perspective of release of information in the context of litigation or other legal proceedings. 

Decision 55: A chiropractor received an access request from a father for records about his child. The chiropractor provided a copy of the record of the single visit. The father felt there should be additional records an complained the chiropractor had not conducted a “reasonable search“. The IPC found the chiropractor had conducted a “reasonable search” and that there was no reason to conduct a review in this case.

Bottom Line: There is nothing new required of health information custodians. But, this decision does reiterate what constitutes a “reasonable search”, FYI.

Decision 56: The Ministry of Health and Long-Term Care notified the IPC about a criminal fraud ring and as a side issue, concerns about the collection of health card numbers by an insurance company. The IPC was asked to review whether the insurance company should collect health card numbers for processing applications for supplementary health insurance plans (such as travel insurance and emergency medical travel insurance). The insurance company confirmed it collected health card numbers to be reimbursed for provincially insured services. The insurance company agreed to stop collecting health card numbers as part of its application process.  Instead the insurance company will collect health card numbers if there is a claim in order to be reimbursed for provincially insured services. Because the insurance company agreed to change its practices, a review by the IPC was not warranted.

Bottom Line: This decision relates to insurance companies – not health information custodians generally. No action is needed by custodians.  


If you enjoyed this article please share it:


Previous and next posts from Kate:

Some of Kate’s recent and upcoming events

Free healthcare privacy webinar - ask me anything!
the first Wednesday of every month

Free webinars - advance registration needed

Whether you're an experienced privacy officer or new in the field, pick Kate’s brain for free for an hour, in this live webinar. No charge, but you’ll need to register in advance.

Primary care webinars: Employment Law Update & Legal Issues for EDs and Board members

Part of Kate’s monthly webinar series.

Our 2025 program is now live.
Full details of the 2025 webinar series and registration here.

Mental Health webinars: Legal issues for mental health and addictions agencies and teams
Annual membership 2025

For managers and other leaders from mental health and addictions agencies, hospitals, CMHAs, CHCs, school boards, FHTs and Indigenous health services

This is an annual membership program with monthly webinars.
Full details and registration here.

Health Privacy Officer Foundations training
starts Spring 2025

For Privacy Officers within healthcare organizations.

This course focuses on how to become a more confident privacy officer and gives you the tools to document your privacy program. Full details and registration here...

Join the Shush: a collective of health privacy officers
Annual membership 2025

For Privacy Officers within healthcare organizations

This is an annual membership program that takes theory into practice and tackles real life scenarios to build Privacy Officer skills.
Full details and registration here.

Team Privacy Training Events

For Primary Care clinics, Hospitals, Community Agencies, Mental Health Teams, Public Health Units, School Boards, Police departments

Scheduled to your team's needs for comprehensive or refresher training More details...

Free summary of all PHIPA IPC decisions

Want to read privacy breach stories to learn how to improve your work? We have summarized all the Information and Privacy Commissioner's health privacy decisions for you Download here...

Kate Dewhirst Health Law

Kate says:

My mission is bringing the law to life. I make legal theory understandable, accessible and fun! I’m available and love to work for all organizations in the healthcare sector across Ontario and beyond.

Subscribe to my mailing list and keep up to date with news:

Latest Tweets

  • Our twitter feed is unavailable right now. Follow us on Twitter
  • contact details

    P.O. Box 13024, RPO Bradford Centre
    Bradford, ON, L3Z 2Y5

    (416) 855 9557

    .