I’m Kate Dewhirst.

I’m a lawyer who writes about legal issues affecting healthcare in Canada

Kate Dewhirst Health Law - bringing the law to life. Meet Kate (in 13 seconds)

Health Privacy Update: New IPC decision in health privacy released – now 70

Posted by

Ding ding ding.  New health privacy decisions are out!

The Information and Privacy Commissioner of Ontario just released decision 70 – we are still missing decisions 68 and 69.  I will let you know when they are posted on the IPC’s site.   Here’s my summary of all IPC PHIPA Decisions   UPDATE: The other two have now been released.

Decision 70 involved a long-term care home. A long-term care home employee took files home and lost records relating to two prospective residents.   The information included community care access centre (CCAC) files including names, addresses, medical diagnosis, medical history, contact information, treating physician names and health card numbers. The home notified the affected individuals.  The home did not permit staff to take patient files home with them. The employee had done so due to workload issues and inexperience.

IPC concluded that the long-term care home had not done enough to prevent the breach. The home’s policies and confidentiality agreement should have prohibited the removal of files of identifiable health information from the facility.

IPC document “What to do when faced with a privacy breach” was identified as a source for reminders how to prevent privacy breaches.

In response to the breach, the home updated its policies to prohibit removal of identifiable health information from the facility and updated its staff training accordingly. The home met with employee and provided time management training and retraining on privacy.

Bottom Line:

Health Privacy Officers – make sure your policies specifically include a statement that identifiable health information is not to be removed from the office.  You may wish to add a caveat along the lines of: “unless you have a supervisor’s approval or if required by law – like attending at court”.  Add similar language to your annual confidentiality statement as well.

I get questions about taking information home all the time.  There is a lot of pressure to complete assessments within “normal business hours” and when I am doing in person training I hear that sometimes clinicians take patient charts home to work on.

Heads up.  If you intend to take identifiable information off site – you need to know whether the facility or office where you work allows you to do so.  In most cases, you should not take paper copies or unencrypted electronic information off site. If you must work from home, you should instead remote access into your clinical environment using a virtual private network.   From time to time, you may be allowed to take identifiable information off site.  If you do – you must be on your privacy game!

In this scenario for Decision 70, the employee was a social worker who was fairly inexperienced and had too much to do.  She didn’t ask anyone whether she could take files home to do work from home.  On her way home, she stopped off to have a workout.  Somewhere between leaving work and getting home, she lost the files.  This is a cautionary tale.  If you have identifiable health information with you – you should take it straight home and not stop off and leave it where you could lose it or it could be stolen.

Last chance! My Privacy Officer training starts May 8th – but I am closing the registration tomorrow night.


If you enjoyed this article please share it:


Previous and next posts from Kate:

Some of Kate’s recent and upcoming events

Team Privacy Training Events
February 12, 19, 26, 27, Mar 2, 9, 11, 24, 27

For Primary Care clinics, Hospitals, Community Agencies and Children’s Aid

Kate trains health professionals from many more health care organizations how being privacy-respectful can improve therapeutic relationships. More details...

Speaking event March 25, 2020

Osgoode Professional Development – Health Law Certificate

Kate joins the faculty for this training event. More details...

Primary care webinars: Employment Law Update & Legal Issues for EDs and Board members

Part of Kate’s monthly webinar series.

Our March webinar is on questions to ask your insurer and the April program is on changes to pregnant employees' positions.
Full details of the 2020 webinar series and registration here.

Health Privacy Officer training
April 28, 2020

For Privacy Officers within healthcare organisations.

This course focuses on how to become a more confident privacy officer and gives you the tools to document your privacy program. Full details and registration here...

Osgoode Health Privacy training
January 20 & 27 and February 3,10 & 18, 2020

Kate is the program chair for the Osgoode Certificate in Privacy in Healthcare.

This program explores the range of privacy interests that must be protected in the day-to-day treatment of patients, the development of information systems and the creation of institutional policies. More details...

Free healthcare privacy webinar - ask me anything!
March 4 (cancelled) but back April 1

Free webinars - advance registration needed

Whether you're an experienced privacy officer or new in the field, pick Kate’s brain for free for an hour, in this live webinar. No charge, but you’ll need to register in advance.

Kate Dewhirst Health Law

Kate says:

My mission is bringing the law to life. I make legal theory understandable, accessible and fun! I’m available and love to work for all organizations in the healthcare sector across Ontario and beyond.

Subscribe to my mailing list and keep up to date with news:

Latest Tweets

It is important for CAS leaders, lawyers and privacy officers to explain the changes in philosophy and practices in… https://t.co/llGPhdOUPI

51 minutes ago


contact details

901 King Street West Suite 400 East Tower
Toronto Ontario M5V 3H5

(416) 855 9557

.