Health Privacy Update: 4 new health privacy decisions of the IPC released
On Friday January 12, the Information and Privacy Commissioner of Ontario released four new decisions.
Here is my updated summary of all 64 IPC PHIPA Decisions
Decision 61: Reasonable Search: A physician received a request for access to all records relating to the complainant’s deceased son. The complainant believed additional records should exist. The physician said he did not have additional records documenting contact with two other physicians – he had not spoken to the patient about these physicians and had not referred the patient to them. The complainant was looking for email communications between the physician and other physicians. The physician was not the deceased’s primary physician. The physician had been a consultant. The IPC concluded the physician conducted a “reasonable search” and dismissed the complaint. The physician was able to describe how he reviewed his email systems and the IPC believed the physician completed the searches and found no additional records.
Bottom Line: This decision supports other decisions of the IPC about what it means to do a “reasonable search”. You may receive requests for documents or records outside the traditional health record. You are required to search other places – like email systems – to ensure there are no additional records relating to the request. If you can prove you did so, the IPC is likely to support your conclusion that you completed a reasonable search.
Decision 62: Snooping: A physician accessed health records of two related individuals without authorization in a group practice. One individual patient was deceased and the other related person was alive. The patients did not authorize the physician to view their records. It was alleged the physician then shared the information with his relative.
Two corporate entities were involved. The physician was a shareholder in a medical corporation affiliated with the health centre. Both the health centre and the physician corporation were operating as health information custodians. The physician was an agent of the medical corporation. The health centre owned the electronic medical record (EMR) the physician used as part of his shareholder position.
The IPC found that the lack of documentation of the relationship between the health centre, the medical corporation and the physician caused unnecessary confusion in this case.
The IPC concluded that the health centre was the health information custodian (not both the health centre and the medical corporation). The IPC focused on the fact that the health centre owned the EMR and controlled access by the physicians to the EMR and was responsible for the security of the EMR. Since the incident, the two corporations have concluded that the health centre is the health information custodian.
The IPC concluded the physician used the information of the two patients without authorization. There was no information to find that the physician had disclosed the information to his relative.
The IPC concluded the health centre had not met its obligations under section 12(1) at the time of the events. The group practice had since taken sufficient action so that no orders were required. The steps included:
- Formalizing the relationship with the medical corporation
- Ensuring all physicians were trained in privacy
- Creating a joint privacy committee of both health centre members and physicians
- Clarifying how discipline of physicians would be addressed in future
Bottom Line: All my FHT clients need to sit up and take note of this case. In this case, just like a family health team, a group of physicians and an administrative group worked together to share care. The IPC was concerned that these groups had not formalized their privacy relationship. Sound familiar? When one of the physicians viewed records inappropriately, the administrative group lacked the leverage to prevent it from happening in the first place or to discipline the physician. The IPC was satisfied that the physicians and administrative group since did document and clarify their relationship. So – calling all family health teams – if you have not documented your privacy relationship with your group of physicians yet, do so now. Otherwise, you might be found responsible for the actions of a rogue physician using your shared system.
Decision 63: Correction Request: A CCAC received a request to correct diagnostic or risk codes in the complainant’s health record. One of the risk codes was amended, three other codes were removed from the “active” health record and a statement of disagreement was added. The CCAC was not able to “expunge” because of its duty to keep a copy of any changes made to the record. Through mediation, only one issue remained for one diagnostic code relating to a diagnosis received from a referring primary care physician. The IPC upheld the CCAC’s decisions. The complainant was not able to prove the information held by the CCAC was inaccurate or incomplete. The IPC acknowledged the CCAC made the disputed information “inactive” and a statement of disagreement was included in the record.
Bottom Line: This decision is consistent with other IPC decisions about correction. The CCAC in this case acted reasonably in making an individual’s file inactive and allowing the individual to attach a statement of disagreement.
Decision 64: Snooping + Prosecution: A hospital reported a breach involving a registration clerk accessing health records of a media-attracting patient and 443 other patients without authorization. The breach was discovered by the hospital from a proactive audit. This file was referred to the Attorney General. The registration clerk pled guilty to contravening PHIPA and was fined $10,000. The IPC concluded that the hospital had taken sufficient steps to safeguard information specifically through: updating its privacy policies to include greater detail about the disciplinary consequences of privacy breaches; annual confidentiality agreements for all staff; privacy warning on electronic health records systems; training and sending an email to all staff re privacy and snooping; and through its auditing practices. The IPC concluded that hospitals should be able to audit the “type” of information viewed through auditing and highly encouraged the hospital to include such criteria for auditing when looking for a new electronic health record provider.
Bottom Line: Here we have another example of an individual snooping who bore the consequences personally. The hospital for whom the individual worked was not prosecuted and no orders were issued against the hospital by the IPC. Custodians should look at what the hospital did as risk management instructions. Having a robust privacy program is an excellent defence against organizational liability for snooping activity. It means taking privacy seriously through training and auditing. If you are updating your electronic health record system, ensure it has the capability to log the “type” of information viewed or accessed by users.