I’m Kate Dewhirst.

My team and I write about legal issues affecting healthcare in Canada.

Kate Dewhirst Health Law - bringing the law to life. Meet Kate (in 13 seconds)

Health Privacy Update: 4 new health privacy decisions of the IPC released

Posted by

On Friday January 12, the Information and Privacy Commissioner of Ontario released four new decisions.

Here is my updated summary of all 64  IPC PHIPA Decisions

Decision 61: Reasonable Search: A physician received a request for access to all records relating to the complainant’s deceased son. The complainant believed additional records should exist. The physician said he did not have additional records documenting contact with two other physicians – he had not spoken to the patient about these physicians and had not referred the patient to them. The complainant was looking for email communications between the physician and other physicians. The physician was not the deceased’s primary physician. The physician had been a consultant. The IPC concluded the physician conducted a “reasonable search” and dismissed the complaint. The physician was able to describe how he reviewed his email systems and the IPC believed the physician completed the searches and found no additional records.

Bottom Line:  This decision supports other decisions of the IPC about what it means to do a “reasonable search”.  You may receive requests for documents or records outside the traditional health record. You are required to search other places – like email systems – to ensure there are no additional records relating to the request. If you can prove you did so, the IPC is likely to support your conclusion that you completed a reasonable search.

Decision 62: Snooping: A physician accessed health records of two related individuals without authorization in a group practice. One individual patient was deceased and the other related person was alive.  The patients did not authorize the physician to view their records. It was alleged the physician then shared the information with his relative.

Two corporate entities were involved. The physician was a shareholder in a medical corporation affiliated with the health centre. Both the health centre and the physician corporation were operating as health information custodians. The physician was an agent of the medical corporation. The health centre owned the electronic medical record (EMR) the physician used as part of his shareholder position.

The IPC found that the lack of documentation of the relationship between the health centre, the medical corporation and the physician caused unnecessary confusion in this case.

The IPC concluded that the health centre was the health information custodian (not both the health centre and the medical corporation). The IPC focused on the fact that the health centre owned the EMR and controlled access by the physicians to the EMR and was responsible for the security of the EMR. Since the incident, the two corporations have concluded that the health centre is the health information custodian.

The IPC concluded the physician used the information of the two patients without authorization. There was no information to find that the physician had disclosed the information to his relative.

The IPC concluded the health centre had not met its obligations under section 12(1) at the time of the events. The group practice had since taken sufficient action so that no orders were required. The steps included:

  • Formalizing the relationship with the medical corporation
  • Ensuring all physicians were trained in privacy
  • Creating a joint privacy committee of both health centre members and physicians
  • Clarifying how discipline of physicians would be addressed in future

Bottom Line: All my FHT clients need to sit up and take note of this case. In this case, just like a family health team,  a group of physicians and an administrative group worked together to share care. The IPC was concerned that these groups had not formalized their privacy relationship.  Sound familiar? When one of the physicians viewed records inappropriately, the administrative group lacked the leverage to prevent it from happening in the first place or to discipline the physician.  The IPC was satisfied that the physicians and administrative group since did document and clarify their relationship. So – calling all family health teams – if you have not documented your privacy relationship with your group of physicians yet, do so now.  Otherwise, you might be found responsible for the actions of a rogue physician using your shared system.

Decision 63: Correction Request: A CCAC received a request to correct diagnostic or risk codes in the complainant’s health record. One of the risk codes was amended, three other codes were removed from the “active” health record and a statement of disagreement was added. The CCAC was not able to “expunge” because of its duty to keep a copy of any changes made to the record. Through mediation, only one issue remained for one diagnostic code relating to a diagnosis received from a referring primary care physician. The IPC upheld the CCAC’s decisions. The complainant was not able to prove the information held by the CCAC was inaccurate or incomplete. The IPC acknowledged the CCAC made the disputed information “inactive” and a statement of disagreement was included in the record.

Bottom Line: This decision is consistent with other IPC decisions about correction.  The CCAC in this case acted reasonably in making an individual’s file inactive and allowing the individual to attach a statement of disagreement.

Decision 64: Snooping + Prosecution: A hospital reported a breach involving a registration clerk accessing health records of a media-attracting patient and 443 other patients without authorization. The breach was discovered by the hospital from a proactive audit. This file was referred to the Attorney General. The registration clerk pled guilty to contravening PHIPA and was fined $10,000. The IPC concluded that the hospital had taken sufficient steps to safeguard information specifically through: updating its privacy policies to include greater detail about the disciplinary consequences of privacy breaches; annual confidentiality agreements for all staff; privacy warning on electronic health records systems; training and sending an email to all staff re privacy and snooping; and through its auditing practices.  The IPC concluded that hospitals should be able to audit the “type” of information viewed through auditing and highly encouraged the hospital to include such criteria for auditing when looking for a new electronic health record provider.

Bottom Line: Here we have another example of an individual snooping who bore the consequences personally. The hospital for whom the individual worked was not prosecuted and no orders were issued against the hospital by the IPC. Custodians should look at what the hospital did as risk management instructions.  Having a robust privacy program is an excellent defence against organizational liability for snooping activity.  It means taking privacy seriously through training and auditing.  If you are updating your electronic health record system, ensure it has the capability to log the “type” of information viewed or accessed by users.


If you enjoyed this article please share it:


Previous and next posts from Kate:

Some of Kate’s recent and upcoming events

Free healthcare privacy webinar - ask me anything!
the first Wednesday of every month

Free webinars - advance registration needed

Whether you're an experienced privacy officer or new in the field, pick Kate’s brain for free for an hour, in this live webinar. No charge, but you’ll need to register in advance.

Primary care webinars: Employment Law Update & Legal Issues for EDs and Board members

Part of Kate’s monthly webinar series.

Our 2025 program is now live.
Full details of the 2025 webinar series and registration here.

Mental Health webinars: Legal issues for mental health and addictions agencies and teams
Annual membership 2025

For managers and other leaders from mental health and addictions agencies, hospitals, CMHAs, CHCs, school boards, FHTs and Indigenous health services

This is an annual membership program with monthly webinars.
Full details and registration here.

Health Privacy Officer Foundations training
starts Spring 2025

For Privacy Officers within healthcare organizations.

This course focuses on how to become a more confident privacy officer and gives you the tools to document your privacy program. Full details and registration here...

Join the Shush: a collective of health privacy officers
Annual membership 2025

For Privacy Officers within healthcare organizations

This is an annual membership program that takes theory into practice and tackles real life scenarios to build Privacy Officer skills.
Full details and registration here.

Team Privacy Training Events

For Primary Care clinics, Hospitals, Community Agencies, Mental Health Teams, Public Health Units, School Boards, Police departments

Scheduled to your team's needs for comprehensive or refresher training More details...

Free summary of all PHIPA IPC decisions

Want to read privacy breach stories to learn how to improve your work? We have summarized all the Information and Privacy Commissioner's health privacy decisions for you Download here...

Kate Dewhirst Health Law

Kate says:

My mission is bringing the law to life. I make legal theory understandable, accessible and fun! I’m available and love to work for all organizations in the healthcare sector across Ontario and beyond.

Subscribe to my mailing list and keep up to date with news:

Latest Tweets

  • Our twitter feed is unavailable right now. Follow us on Twitter
  • contact details

    P.O. Box 13024, RPO Bradford Centre
    Bradford, ON, L3Z 2Y5

    (416) 855 9557

    .