I’m Kate Dewhirst.

I’m a lawyer who writes about legal issues affecting healthcare in Canada

Kate Dewhirst Health Law - bringing the law to life. Meet Kate (in 13 seconds)

Health Privacy Update #3 – October 2017 – WOW! 6 new decisions of the IPC released last week

Posted by

Ontario’s Information and Privacy Commissioner just released six new health privacy decisions at the end of last week.

Want to know what they are about?

You can read my updated summaries of all 56 of the IPC PHIPA Decisions.

Or keep reading this blog for summaries of these six.

The decisions are not listed in chronological order in this blog because I want to alert you to Decision 54 first – where there is a recommendation to review your policies.

Decision 54:  A patient alleged her doctor disclosed more information than she agreed to when sending records to another physician relying on her express consent.  The patient had subsequently sent emails changing the nature of her express consent. The patient alleged that the physician ultimately shared too much information with the recipient physician. The IPC analyzed the “scope” of the patient’s consent to disclose information to another physician and discussed what constitutes a “withdrawal” of consent to disclose. The IPC concluded that while the physician had generally responded within scope, there were a few records provided to another physician outside the scope of the patient’s consent when the patient withdrew consent. The IPC ordered the physician to develop a written information practice that addresses how consents from patients to the disclosure of their PHI are to be processed, documented and clarified and to ensure that this written information practice includes a requirement for clarifying consent in situations of potential ambiguity or where there are conflicting instructions. The IPC commented generally that custodians need to be able to recreate packages of materials which are sent to other clinicians. This physician’s office was able to do so.

Bottom Line:  The IPC required this physician to do something. All custodians can take this order as a recommendation for their own practices. What to do?  Take a look at your privacy policy. Check to see if you have a written information practice that addresses how consents from patients to the disclosure of their PHI are to be processed, documented and clarified and ensure that your policy includes a requirement for clarifying consent in situations of potential ambiguity or where there are conflicting instructions. 

Decision 45 – We’ve been waiting for this one for awhile.  It’s a correction case. Interestingly involves the same family as relates to Decisions 32 (access complaint) and 38 (information management complaint). Parents asked the hospital to make corrections to their child’s record. The hospital’s decision not to make further corrections to the record was upheld by the IPC. The IPC concluded that some of the allegations did not raise issues of incompleteness or inaccuracy. The IPC stated that some of the allegations made by the parents fell outside the jurisdiction of the IPC (including issues of failure to meet standards of practice and treatment as well as the allegations of fraud). The IPC also responded to the parents’ concerns that the IPC was biased in favour of the hospital.

Bottom Line: This decision is consistent with other decisions of the IPC. There is nothing new required of health information custodians.  

Decision 52 – It’s a doozy. A 24-page decision (read super duper complicated) about an access request for hospital data. The patient asked for “underlying electronic data about him held by the hospital, in its native, industry-standard electronic format, including data files produced by diagnostic equipment”.  The IPC concluded that the complainant was not entitled to access data in the hospital’s electronic systems, devices or archives that could not be extracted through custom queries against reporting views available to the hospital. There was no obligation to produce patient data in its “native format”. In siting McInerney v. McDonald, the IPC stated that a patient has a right to access the same information viewed by or available to those providing health care. Not more data/information that the hospital itself could not reasonably utilize through reporting views available to it. But, the hospital was ordered to do specific tasks like issue a fee estimate and do another search for billing information.

Bottom Line: This decision should be reassuring to health care organizations. Patient requests for access to raw data in native format are rare. But if and when they happen they will require extra resources. This decision will help you understand when to reasonably say – “that’s all we can do for you”.  There is nothing new required of health information custodians.

Decision 53: The Ministry of Health and Long-Term Care received a request for access to records about coverage for a procedure performed outside Canada. It was a mixed request under FIPPA and PHIPA. The IPC ordered the Ministry to disclose one record. But upheld the Ministry’s decision to withhold two other records.

Bottom Line: There is nothing new required of health information custodians. But, it is helpful to know about it from the perspective of release of information in the context of litigation or other legal proceedings. 

Decision 55: A chiropractor received an access request from a father for records about his child. The chiropractor provided a copy of the record of the single visit. The father felt there should be additional records an complained the chiropractor had not conducted a “reasonable search“. The IPC found the chiropractor had conducted a “reasonable search” and that there was no reason to conduct a review in this case.

Bottom Line: There is nothing new required of health information custodians. But, this decision does reiterate what constitutes a “reasonable search”, FYI.

Decision 56: The Ministry of Health and Long-Term Care notified the IPC about a criminal fraud ring and as a side issue, concerns about the collection of health card numbers by an insurance company. The IPC was asked to review whether the insurance company should collect health card numbers for processing applications for supplementary health insurance plans (such as travel insurance and emergency medical travel insurance). The insurance company confirmed it collected health card numbers to be reimbursed for provincially insured services. The insurance company agreed to stop collecting health card numbers as part of its application process.  Instead the insurance company will collect health card numbers if there is a claim in order to be reimbursed for provincially insured services. Because the insurance company agreed to change its practices, a review by the IPC was not warranted.

Bottom Line: This decision relates to insurance companies – not health information custodians generally. No action is needed by custodians.  


If you enjoyed this article please share it:


Previous and next posts from Kate:

Some of Kate’s Upcoming events

Team Privacy Training Events

April 19, May 17, June 13

For Primary Care clinics and FHTs

Kate trains health professionals from another three primary care organizations how being privacy-respectful can improve therapeutic relationships. more details...

Where immigration and health law issues collide

April 25, 2018

Presentation to invited Community Health Centre clients

In collaboration with immigration lawyer Jacqueline Swaisland.

2018 Privacy Officer Training

May 8 to June 12, 2018

16 hours live and online training

for Privacy Officers and Privacy Officers-to-be. Live sessions held in Toronto. details and booking...

De-escalation training

May 16, 2018

Training session for a Toronto Family Health Team

In conjunction with leadership coach Christine Burych.

Ask me anything (about health privacy)

12 noon, May 23, 2018

An hour webinar with Kate where you can ask Kate any privacy-related questions you have.

Open to all health Privacy Officers. Register here.

Kate Dewhirst Health Law

Kate says:

My mission is bringing the law to life. I make legal theory understandable, accessible and fun! I’m available and love to work for all organizations in the healthcare sector across Ontario and beyond.

Subscribe to my mailing list and keep up to date with news:

Latest Tweets

A recent Canadian study published in the JAMA found that hospitals have a serious issue when it comes to throwing a… https://t.co/PVINxywro8

about 9 hours ago

What do #FamilyHealth teams need to know about #SocialMedia and the #Law? https://t.co/xRqEcF6d5Y #healthprivacy #FHTs #HealthLaw #employee

about 21 hours ago

[MAY 23] Register now for my “Ask Me Anything” webinar! Do you have privacy questions you want to ask me? This is y… https://t.co/R0bvs5h6JK

02:01 PM Apr 24th

contact details

901 King Street West Suite 400 East Tower
Toronto Ontario M5V 3H5

(416) 855 9557