I’m Kate Dewhirst.

My team and I write about legal issues affecting healthcare in Canada.

Kate Dewhirst Health Law - bringing the law to life. Meet Kate (in 13 seconds)

Health Privacy Update: New IPC decision in health privacy released – now 70

Posted by

Ding ding ding.  New health privacy decisions are out!

The Information and Privacy Commissioner of Ontario just released decision 70 – we are still missing decisions 68 and 69.  I will let you know when they are posted on the IPC’s site.   Here’s my summary of all IPC PHIPA Decisions   UPDATE: The other two have now been released.

Decision 70 involved a long-term care home. A long-term care home employee took files home and lost records relating to two prospective residents.   The information included community care access centre (CCAC) files including names, addresses, medical diagnosis, medical history, contact information, treating physician names and health card numbers. The home notified the affected individuals.  The home did not permit staff to take patient files home with them. The employee had done so due to workload issues and inexperience.

IPC concluded that the long-term care home had not done enough to prevent the breach. The home’s policies and confidentiality agreement should have prohibited the removal of files of identifiable health information from the facility.

IPC document “What to do when faced with a privacy breach” was identified as a source for reminders how to prevent privacy breaches.

In response to the breach, the home updated its policies to prohibit removal of identifiable health information from the facility and updated its staff training accordingly. The home met with employee and provided time management training and retraining on privacy.

Bottom Line:

Health Privacy Officers – make sure your policies specifically include a statement that identifiable health information is not to be removed from the office.  You may wish to add a caveat along the lines of: “unless you have a supervisor’s approval or if required by law – like attending at court”.  Add similar language to your annual confidentiality statement as well.

I get questions about taking information home all the time.  There is a lot of pressure to complete assessments within “normal business hours” and when I am doing in person training I hear that sometimes clinicians take patient charts home to work on.

Heads up.  If you intend to take identifiable information off site – you need to know whether the facility or office where you work allows you to do so.  In most cases, you should not take paper copies or unencrypted electronic information off site. If you must work from home, you should instead remote access into your clinical environment using a virtual private network.   From time to time, you may be allowed to take identifiable information off site.  If you do – you must be on your privacy game!

In this scenario for Decision 70, the employee was a social worker who was fairly inexperienced and had too much to do.  She didn’t ask anyone whether she could take files home to do work from home.  On her way home, she stopped off to have a workout.  Somewhere between leaving work and getting home, she lost the files.  This is a cautionary tale.  If you have identifiable health information with you – you should take it straight home and not stop off and leave it where you could lose it or it could be stolen.

Last chance! My Privacy Officer training starts May 8th – but I am closing the registration tomorrow night.


If you enjoyed this article please share it:


Previous and next posts from Kate:

Some of Kate’s recent and upcoming events

Free healthcare privacy webinar - ask me anything!
the first Wednesday of every month

Free webinars - advance registration needed

Whether you're an experienced privacy officer or new in the field, pick Kate’s brain for free for an hour, in this live webinar. No charge, but you’ll need to register in advance.

Primary care webinars: Employment Law Update & Legal Issues for EDs and Board members

Part of Kate’s monthly webinar series.

Our 2025 program is now live.
Full details of the 2025 webinar series and registration here.

Mental Health webinars: Legal issues for mental health and addictions agencies and teams
Annual membership 2025

For managers and other leaders from mental health and addictions agencies, hospitals, CMHAs, CHCs, school boards, FHTs and Indigenous health services

This is an annual membership program with monthly webinars.
Full details and registration here.

Health Privacy Officer Foundations training
starts Spring 2025

For Privacy Officers within healthcare organizations.

This course focuses on how to become a more confident privacy officer and gives you the tools to document your privacy program. Full details and registration here...

Join the Shush: a collective of health privacy officers
Annual membership 2025

For Privacy Officers within healthcare organizations

This is an annual membership program that takes theory into practice and tackles real life scenarios to build Privacy Officer skills.
Full details and registration here.

Team Privacy Training Events

For Primary Care clinics, Hospitals, Community Agencies, Mental Health Teams, Public Health Units, School Boards, Police departments

Scheduled to your team's needs for comprehensive or refresher training More details...

Free summary of all PHIPA IPC decisions

Want to read privacy breach stories to learn how to improve your work? We have summarized all the Information and Privacy Commissioner's health privacy decisions for you Download here...

Kate Dewhirst Health Law

Kate says:

My mission is bringing the law to life. I make legal theory understandable, accessible and fun! I’m available and love to work for all organizations in the healthcare sector across Ontario and beyond.

Subscribe to my mailing list and keep up to date with news:

Latest Tweets

  • Our twitter feed is unavailable right now. Follow us on Twitter
  • contact details

    P.O. Box 13024, RPO Bradford Centre
    Bradford, ON, L3Z 2Y5

    (416) 855 9557

    .