I’m Kate Dewhirst.

I’m a lawyer who writes about legal issues affecting healthcare in Canada

Kate Dewhirst Health Law - bringing the law to life. Meet Kate (in 13 seconds)

Health Privacy Update: 4 new health privacy decisions of the IPC released

Posted by

On Friday January 12, the Information and Privacy Commissioner of Ontario released four new decisions.

Here is my updated summary of all 64  IPC PHIPA Decisions

Decision 61: Reasonable Search: A physician received a request for access to all records relating to the complainant’s deceased son. The complainant believed additional records should exist. The physician said he did not have additional records documenting contact with two other physicians – he had not spoken to the patient about these physicians and had not referred the patient to them. The complainant was looking for email communications between the physician and other physicians. The physician was not the deceased’s primary physician. The physician had been a consultant. The IPC concluded the physician conducted a “reasonable search” and dismissed the complaint. The physician was able to describe how he reviewed his email systems and the IPC believed the physician completed the searches and found no additional records.

Bottom Line:  This decision supports other decisions of the IPC about what it means to do a “reasonable search”.  You may receive requests for documents or records outside the traditional health record. You are required to search other places – like email systems – to ensure there are no additional records relating to the request. If you can prove you did so, the IPC is likely to support your conclusion that you completed a reasonable search.

Decision 62: Snooping: A physician accessed health records of two related individuals without authorization in a group practice. One individual patient was deceased and the other related person was alive.  The patients did not authorize the physician to view their records. It was alleged the physician then shared the information with his relative.

Two corporate entities were involved. The physician was a shareholder in a medical corporation affiliated with the health centre. Both the health centre and the physician corporation were operating as health information custodians. The physician was an agent of the medical corporation. The health centre owned the electronic medical record (EMR) the physician used as part of his shareholder position.

The IPC found that the lack of documentation of the relationship between the health centre, the medical corporation and the physician caused unnecessary confusion in this case.

The IPC concluded that the health centre was the health information custodian (not both the health centre and the medical corporation). The IPC focused on the fact that the health centre owned the EMR and controlled access by the physicians to the EMR and was responsible for the security of the EMR. Since the incident, the two corporations have concluded that the health centre is the health information custodian.

The IPC concluded the physician used the information of the two patients without authorization. There was no information to find that the physician had disclosed the information to his relative.

The IPC concluded the health centre had not met its obligations under section 12(1) at the time of the events. The group practice had since taken sufficient action so that no orders were required. The steps included:

  • Formalizing the relationship with the medical corporation
  • Ensuring all physicians were trained in privacy
  • Creating a joint privacy committee of both health centre members and physicians
  • Clarifying how discipline of physicians would be addressed in future

Bottom Line: All my FHT clients need to sit up and take note of this case. In this case, just like a family health team,  a group of physicians and an administrative group worked together to share care. The IPC was concerned that these groups had not formalized their privacy relationship.  Sound familiar? When one of the physicians viewed records inappropriately, the administrative group lacked the leverage to prevent it from happening in the first place or to discipline the physician.  The IPC was satisfied that the physicians and administrative group since did document and clarify their relationship. So – calling all family health teams – if you have not documented your privacy relationship with your group of physicians yet, do so now.  Otherwise, you might be found responsible for the actions of a rogue physician using your shared system.

Decision 63: Correction Request: A CCAC received a request to correct diagnostic or risk codes in the complainant’s health record. One of the risk codes was amended, three other codes were removed from the “active” health record and a statement of disagreement was added. The CCAC was not able to “expunge” because of its duty to keep a copy of any changes made to the record. Through mediation, only one issue remained for one diagnostic code relating to a diagnosis received from a referring primary care physician. The IPC upheld the CCAC’s decisions. The complainant was not able to prove the information held by the CCAC was inaccurate or incomplete. The IPC acknowledged the CCAC made the disputed information “inactive” and a statement of disagreement was included in the record.

Bottom Line: This decision is consistent with other IPC decisions about correction.  The CCAC in this case acted reasonably in making an individual’s file inactive and allowing the individual to attach a statement of disagreement.

Decision 64: Snooping + Prosecution: A hospital reported a breach involving a registration clerk accessing health records of a media-attracting patient and 443 other patients without authorization. The breach was discovered by the hospital from a proactive audit. This file was referred to the Attorney General. The registration clerk pled guilty to contravening PHIPA and was fined $10,000. The IPC concluded that the hospital had taken sufficient steps to safeguard information specifically through: updating its privacy policies to include greater detail about the disciplinary consequences of privacy breaches; annual confidentiality agreements for all staff; privacy warning on electronic health records systems; training and sending an email to all staff re privacy and snooping; and through its auditing practices.  The IPC concluded that hospitals should be able to audit the “type” of information viewed through auditing and highly encouraged the hospital to include such criteria for auditing when looking for a new electronic health record provider.

Bottom Line: Here we have another example of an individual snooping who bore the consequences personally. The hospital for whom the individual worked was not prosecuted and no orders were issued against the hospital by the IPC. Custodians should look at what the hospital did as risk management instructions.  Having a robust privacy program is an excellent defence against organizational liability for snooping activity.  It means taking privacy seriously through training and auditing.  If you are updating your electronic health record system, ensure it has the capability to log the “type” of information viewed or accessed by users.


If you enjoyed this article please share it:

Previous and next posts from Kate:

Some of Kate’s Upcoming events

Where immigration and health law issues collide

April 25, 2018

Presentation to invited Community Health Centre clients

In collaboration with immigration lawyer Jacqueline Swaisland.

2018 Privacy Officer Training

May 8 to June 12, 2018

16 hours live and online training

for Privacy Officers and Privacy Officers-to-be. Live sessions held in Toronto. Course is now full, but here are details and booking for Kate's October course.

De-escalation training

May 16, 2018

Training session for a Toronto Family Health Team

In conjunction with leadership coach Christine Burych.

Team Privacy Training Events

May 17, June 13

For Primary Care clinics and FHTs

Kate trains health professionals from another two primary care organizations how being privacy-respectful can improve therapeutic relationships. more details...

Ask me anything (about health privacy)

12 noon, May 23, 2018

An hour webinar with Kate where you can ask Kate any privacy-related questions you have.

Open to all health Privacy Officers. Register here.

Kate Dewhirst Health Law

Kate says:

My mission is bringing the law to life. I make legal theory understandable, accessible and fun! I’m available and love to work for all organizations in the healthcare sector across Ontario and beyond.

Subscribe to my mailing list and keep up to date with news:

Latest Tweets

What does a Privacy Officer do in a health care organization? https://t.co/rQRBq051u3 #healthprivacy #HealthLaw #TorontoLawyer

about 4 hours ago

The Commissioner provided an update on Latest Developments at the IPC. Here are some highlights.… https://t.co/XKVkb6Aunm

about 8 hours ago

Have you looked at your hospital’s Professional Staff Rules and Regulations lately? https://t.co/CTp6xa8OyC #HealthLaw #hospitals

about 10 hours ago

contact details

901 King Street West Suite 400 East Tower
Toronto Ontario M5V 3H5

(416) 855 9557