I’m Kate Dewhirst.

I’m a lawyer who writes about legal issues affecting healthcare in Canada

Kate Dewhirst Health Law - bringing the law to life. Meet Kate (in 13 seconds)

Health Privacy Update: 4 new health privacy decisions of the IPC released

Posted by

On Friday January 12, the Information and Privacy Commissioner of Ontario released four new decisions.

Here is my updated summary of all 64  IPC PHIPA Decisions

Decision 61: Reasonable Search: A physician received a request for access to all records relating to the complainant’s deceased son. The complainant believed additional records should exist. The physician said he did not have additional records documenting contact with two other physicians – he had not spoken to the patient about these physicians and had not referred the patient to them. The complainant was looking for email communications between the physician and other physicians. The physician was not the deceased’s primary physician. The physician had been a consultant. The IPC concluded the physician conducted a “reasonable search” and dismissed the complaint. The physician was able to describe how he reviewed his email systems and the IPC believed the physician completed the searches and found no additional records.

Bottom Line:  This decision supports other decisions of the IPC about what it means to do a “reasonable search”.  You may receive requests for documents or records outside the traditional health record. You are required to search other places – like email systems – to ensure there are no additional records relating to the request. If you can prove you did so, the IPC is likely to support your conclusion that you completed a reasonable search.

Decision 62: Snooping: A physician accessed health records of two related individuals without authorization in a group practice. One individual patient was deceased and the other related person was alive.  The patients did not authorize the physician to view their records. It was alleged the physician then shared the information with his relative.

Two corporate entities were involved. The physician was a shareholder in a medical corporation affiliated with the health centre. Both the health centre and the physician corporation were operating as health information custodians. The physician was an agent of the medical corporation. The health centre owned the electronic medical record (EMR) the physician used as part of his shareholder position.

The IPC found that the lack of documentation of the relationship between the health centre, the medical corporation and the physician caused unnecessary confusion in this case.

The IPC concluded that the health centre was the health information custodian (not both the health centre and the medical corporation). The IPC focused on the fact that the health centre owned the EMR and controlled access by the physicians to the EMR and was responsible for the security of the EMR. Since the incident, the two corporations have concluded that the health centre is the health information custodian.

The IPC concluded the physician used the information of the two patients without authorization. There was no information to find that the physician had disclosed the information to his relative.

The IPC concluded the health centre had not met its obligations under section 12(1) at the time of the events. The group practice had since taken sufficient action so that no orders were required. The steps included:

  • Formalizing the relationship with the medical corporation
  • Ensuring all physicians were trained in privacy
  • Creating a joint privacy committee of both health centre members and physicians
  • Clarifying how discipline of physicians would be addressed in future

Bottom Line: All my FHT clients need to sit up and take note of this case. In this case, just like a family health team,  a group of physicians and an administrative group worked together to share care. The IPC was concerned that these groups had not formalized their privacy relationship.  Sound familiar? When one of the physicians viewed records inappropriately, the administrative group lacked the leverage to prevent it from happening in the first place or to discipline the physician.  The IPC was satisfied that the physicians and administrative group since did document and clarify their relationship. So – calling all family health teams – if you have not documented your privacy relationship with your group of physicians yet, do so now.  Otherwise, you might be found responsible for the actions of a rogue physician using your shared system.

Decision 63: Correction Request: A CCAC received a request to correct diagnostic or risk codes in the complainant’s health record. One of the risk codes was amended, three other codes were removed from the “active” health record and a statement of disagreement was added. The CCAC was not able to “expunge” because of its duty to keep a copy of any changes made to the record. Through mediation, only one issue remained for one diagnostic code relating to a diagnosis received from a referring primary care physician. The IPC upheld the CCAC’s decisions. The complainant was not able to prove the information held by the CCAC was inaccurate or incomplete. The IPC acknowledged the CCAC made the disputed information “inactive” and a statement of disagreement was included in the record.

Bottom Line: This decision is consistent with other IPC decisions about correction.  The CCAC in this case acted reasonably in making an individual’s file inactive and allowing the individual to attach a statement of disagreement.

Decision 64: Snooping + Prosecution: A hospital reported a breach involving a registration clerk accessing health records of a media-attracting patient and 443 other patients without authorization. The breach was discovered by the hospital from a proactive audit. This file was referred to the Attorney General. The registration clerk pled guilty to contravening PHIPA and was fined $10,000. The IPC concluded that the hospital had taken sufficient steps to safeguard information specifically through: updating its privacy policies to include greater detail about the disciplinary consequences of privacy breaches; annual confidentiality agreements for all staff; privacy warning on electronic health records systems; training and sending an email to all staff re privacy and snooping; and through its auditing practices.  The IPC concluded that hospitals should be able to audit the “type” of information viewed through auditing and highly encouraged the hospital to include such criteria for auditing when looking for a new electronic health record provider.

Bottom Line: Here we have another example of an individual snooping who bore the consequences personally. The hospital for whom the individual worked was not prosecuted and no orders were issued against the hospital by the IPC. Custodians should look at what the hospital did as risk management instructions.  Having a robust privacy program is an excellent defence against organizational liability for snooping activity.  It means taking privacy seriously through training and auditing.  If you are updating your electronic health record system, ensure it has the capability to log the “type” of information viewed or accessed by users.

If you enjoyed this article please share it:

Previous and next posts from Kate:

Some of Kate’s recent and upcoming events

Free healthcare privacy webinar - ask me anything!
the first Wednesday of every month

Free webinars - advance registration needed

Whether you're an experienced privacy officer or new in the field, pick Kate’s brain for free for an hour, in this live webinar. No charge, but you’ll need to register in advance.

Health Privacy Officer Foundations training
April 12, 19, 26, May 3, 10, 17, 24 2021

For Privacy Officers within healthcare organizations.

This course focuses on how to become a more confident privacy officer and gives you the tools to document your privacy program. Full details and registration here...

Join the Shush: a collective of health privacy officers
Annual membership 2021

For Privacy Officers within healthcare organizations

This is an annual membership program that takes theory into practice and tackles real life scenarios to build Privacy Officer skills.
Full details and registration here.

Team Privacy Training Events
March 24, 25, 31 and April 6, 8, 22, 28

For Primary Care clinics, Hospitals, Community Agencies, Public Health Units, Schools, Police departments

Kate trains health professionals from many more health care organizations how being privacy-respectful can improve therapeutic relationships. More details...

Primary care webinars: Employment Law Update & Legal Issues for EDs and Board members

Part of Kate’s monthly webinar series.

Our April program will address how to run a meeting and in May we discuss the legal pit of doom in having your employees also as your patients.
Full details of the 2021 webinar series and registration here.

Part X CYFSA Privacy Designate Course - video course online

For Privacy Designates in the child welfare sector including children's aid societies and indigenous children's well-being centres

We focus on how to implement Part X of the Child Youth and Family Services Act in your organization.
Full details and registration here.

Osgoode Health Law Certificate

Kate is presenting at the Osgoode Health Law Certificate on March 11 on Privacy Issues

Kate Dewhirst Health Law

Kate says:

My mission is bringing the law to life. I make legal theory understandable, accessible and fun! I’m available and love to work for all organizations in the healthcare sector across Ontario and beyond.

Subscribe to my mailing list and keep up to date with news:

Latest Tweets

[JUNE 3 – WEBINAR SERIES] Risk registers - How should you be reporting on risk Register now:… https://t.co/k23RggybUh

about 12 hours ago

[JUNE 2] Register for my free upcoming Ask Me Anything About Health Privacy webinar at this link...… https://t.co/16pQCRvuMn

01:01 PM May 11th

contact details

P.O. Box 97010 Roncesvalles
Toronto Ontario M6R 3B3

(416) 855 9557