I’m Kate Dewhirst.

I’m a lawyer who writes about legal issues affecting healthcare in Canada

Kate Dewhirst Health Law - bringing the law to life. Meet Kate (in 13 seconds)

Health Privacy Update #3 – October 2017 – WOW! 6 new decisions of the IPC released last week

Posted by

Ontario’s Information and Privacy Commissioner just released six new health privacy decisions at the end of last week.

Want to know what they are about?

You can read my updated summaries of all 56 of the IPC PHIPA Decisions.

Or keep reading this blog for summaries of these six.

The decisions are not listed in chronological order in this blog because I want to alert you to Decision 54 first – where there is a recommendation to review your policies.

Decision 54:  A patient alleged her doctor disclosed more information than she agreed to when sending records to another physician relying on her express consent.  The patient had subsequently sent emails changing the nature of her express consent. The patient alleged that the physician ultimately shared too much information with the recipient physician. The IPC analyzed the “scope” of the patient’s consent to disclose information to another physician and discussed what constitutes a “withdrawal” of consent to disclose. The IPC concluded that while the physician had generally responded within scope, there were a few records provided to another physician outside the scope of the patient’s consent when the patient withdrew consent. The IPC ordered the physician to develop a written information practice that addresses how consents from patients to the disclosure of their PHI are to be processed, documented and clarified and to ensure that this written information practice includes a requirement for clarifying consent in situations of potential ambiguity or where there are conflicting instructions. The IPC commented generally that custodians need to be able to recreate packages of materials which are sent to other clinicians. This physician’s office was able to do so.

Bottom Line:  The IPC required this physician to do something. All custodians can take this order as a recommendation for their own practices. What to do?  Take a look at your privacy policy. Check to see if you have a written information practice that addresses how consents from patients to the disclosure of their PHI are to be processed, documented and clarified and ensure that your policy includes a requirement for clarifying consent in situations of potential ambiguity or where there are conflicting instructions. 

Decision 45 – We’ve been waiting for this one for awhile.  It’s a correction case. Interestingly involves the same family as relates to Decisions 32 (access complaint) and 38 (information management complaint). Parents asked the hospital to make corrections to their child’s record. The hospital’s decision not to make further corrections to the record was upheld by the IPC. The IPC concluded that some of the allegations did not raise issues of incompleteness or inaccuracy. The IPC stated that some of the allegations made by the parents fell outside the jurisdiction of the IPC (including issues of failure to meet standards of practice and treatment as well as the allegations of fraud). The IPC also responded to the parents’ concerns that the IPC was biased in favour of the hospital.

Bottom Line: This decision is consistent with other decisions of the IPC. There is nothing new required of health information custodians.  

Decision 52 – It’s a doozy. A 24-page decision (read super duper complicated) about an access request for hospital data. The patient asked for “underlying electronic data about him held by the hospital, in its native, industry-standard electronic format, including data files produced by diagnostic equipment”.  The IPC concluded that the complainant was not entitled to access data in the hospital’s electronic systems, devices or archives that could not be extracted through custom queries against reporting views available to the hospital. There was no obligation to produce patient data in its “native format”. In siting McInerney v. McDonald, the IPC stated that a patient has a right to access the same information viewed by or available to those providing health care. Not more data/information that the hospital itself could not reasonably utilize through reporting views available to it. But, the hospital was ordered to do specific tasks like issue a fee estimate and do another search for billing information.

Bottom Line: This decision should be reassuring to health care organizations. Patient requests for access to raw data in native format are rare. But if and when they happen they will require extra resources. This decision will help you understand when to reasonably say – “that’s all we can do for you”.  There is nothing new required of health information custodians.

Decision 53: The Ministry of Health and Long-Term Care received a request for access to records about coverage for a procedure performed outside Canada. It was a mixed request under FIPPA and PHIPA. The IPC ordered the Ministry to disclose one record. But upheld the Ministry’s decision to withhold two other records.

Bottom Line: There is nothing new required of health information custodians. But, it is helpful to know about it from the perspective of release of information in the context of litigation or other legal proceedings. 

Decision 55: A chiropractor received an access request from a father for records about his child. The chiropractor provided a copy of the record of the single visit. The father felt there should be additional records an complained the chiropractor had not conducted a “reasonable search“. The IPC found the chiropractor had conducted a “reasonable search” and that there was no reason to conduct a review in this case.

Bottom Line: There is nothing new required of health information custodians. But, this decision does reiterate what constitutes a “reasonable search”, FYI.

Decision 56: The Ministry of Health and Long-Term Care notified the IPC about a criminal fraud ring and as a side issue, concerns about the collection of health card numbers by an insurance company. The IPC was asked to review whether the insurance company should collect health card numbers for processing applications for supplementary health insurance plans (such as travel insurance and emergency medical travel insurance). The insurance company confirmed it collected health card numbers to be reimbursed for provincially insured services. The insurance company agreed to stop collecting health card numbers as part of its application process.  Instead the insurance company will collect health card numbers if there is a claim in order to be reimbursed for provincially insured services. Because the insurance company agreed to change its practices, a review by the IPC was not warranted.

Bottom Line: This decision relates to insurance companies – not health information custodians generally. No action is needed by custodians.  

If you enjoyed this article please share it:

Previous and next posts from Kate:

Some of Kate’s recent and upcoming events

Team Privacy Training Events
February 12, 19, 26, 27, Mar 2, 9, 11, 24, 27

For Primary Care clinics, Hospitals, Community Agencies and Children’s Aid

Kate trains health professionals from many more health care organizations how being privacy-respectful can improve therapeutic relationships. More details...

Speaking event March 25, 2020

Osgoode Professional Development – Health Law Certificate

Kate joins the faculty for this training event. More details...

Primary care webinars: Employment Law Update & Legal Issues for EDs and Board members

Part of Kate’s monthly webinar series.

Our March webinar is on questions to ask your insurer and the April program is on changes to pregnant employees' positions.
Full details of the 2020 webinar series and registration here.

Health Privacy Officer training
April 28, 2020

For Privacy Officers within healthcare organisations.

This course focuses on how to become a more confident privacy officer and gives you the tools to document your privacy program. Full details and registration here...

Osgoode Health Privacy training
January 20 & 27 and February 3,10 & 18, 2020

Kate is the program chair for the Osgoode Certificate in Privacy in Healthcare.

This program explores the range of privacy interests that must be protected in the day-to-day treatment of patients, the development of information systems and the creation of institutional policies. More details...

Free healthcare privacy webinar - ask me anything!
March 4 (cancelled) but back April 1

Free webinars - advance registration needed

Whether you're an experienced privacy officer or new in the field, pick Kate’s brain for free for an hour, in this live webinar. No charge, but you’ll need to register in advance.

Kate Dewhirst Health Law

Kate says:

My mission is bringing the law to life. I make legal theory understandable, accessible and fun! I’m available and love to work for all organizations in the healthcare sector across Ontario and beyond.

Subscribe to my mailing list and keep up to date with news:

Latest Tweets

Trust Builders: Profiles of Health Privacy Officers – Simeon Kanev, Alliance for Healthier Communities… https://t.co/aB8lazdQxH

01:01 PM Feb 25th

contact details

901 King Street West Suite 400 East Tower
Toronto Ontario M5V 3H5

(416) 855 9557