I’m Kate Dewhirst.

I’m a lawyer who writes about legal issues affecting healthcare in Canada

Kate Dewhirst Health Law - bringing the law to life. Meet Kate (in 13 seconds)

Health Privacy Update: Be very careful when speaking with the media about patients

Posted by

We know this intuitively – but it bears repeating. Health care organizations should be very careful when speaking with the media about specific patient cases.

There is a new Information and Privacy Commissioner of Ontario (IPC) health privacy decision directly on this topic. Decision 82

Background: A patient of a hospital died. The family members of the deceased patient made allegations against the hospital’s Chief of Staff to the College of Physicians and Surgeons of Ontario. That case was then taken to the Health Professions Appeal and Review Board (HPARB). HPARB issued a decision. In the HPARB decision, the patient’s initials were used.

The media asked the hospital to comment on the case. The hospital did so. In one interview the hospital CEO inadvertently used the patient’s name after the reporter first used it.

The patient’s family complained to the IPC that the hospital shared the patient’s health information and in so doing breached the deceased patient’s privacy rights and the health privacy legislation.

The hospital stated it felt it needed to reassure the public it was safe to come to the hospital and only spoke to the media about facts already available to the public through the HPARB decision.

Decision: Among other things, the IPC found that:

  1. The hospital’s statements to the media contained personal health information – even when the patient’s name was not used – because there was enough information available in the public sphere to identify the patient in question.
  2. However, so long as the hospital did not disclose more information than had been shared in the public HPARB decision – the hospital did not violate the health privacy legislation, the Personal Health Information Protection Act (PHIPA). PHIPA should not be interpreted to prohibit repetition of facts and evidence in public court or tribunal decisions. Repetition of such facts is not a “disclosure” under PHIPA.
  3. However, the hospital went beyond repeating facts of the HPARB case in two ways:
    • When the CEO mentioned the patient’s name to the media – when HPARB had only referred to the patient by initials; and
    • When a hospital representative made statements to the media about the patient’s general health condition.
  4. The hospital’s privacy policies were confusing. The hospital’s media policy failed to address a situation where an unnamed patient was at issue. The hospital’s policies needed to make clear that information about a patient, even without a name, can be identifying information. The hospital was directed to amend its policies.

NOTE: This decision has a lot of additional content not mentioned in this blog post. For example, the decision also addresses the hospital’s obligations to provide notice to the complainant of a privacy breach and whether it did so. It also addresses policy management issues. It also addresses what constitutes an appropriate privacy investigation.

Bottom Line: This decision is important reading for public affairs staff and health care leadership. Communicating with the media about patient cases comes with responsibility. It is important to remember that even if you do not use patient names – there may be other publicly available information that can be linked to identify patients involved.


If you enjoyed this article please share it:


Previous and next posts from Kate:

Some of Kate’s recent and upcoming events

Health Privacy Officer training
September 22, 2020

For Privacy Officers within healthcare organizations - now totally online.

This course focuses on how to become a more confident privacy officer and gives you the tools to document your privacy program. Full details and registration here...

Primary care webinars: Employment Law Update & Legal Issues for EDs and Board members

Part of Kate’s monthly webinar series.

Our September program is on privacy litigation and the October program will address harassment issues and scenarios.
Full details of the 2020 webinar series and registration here.

Free healthcare privacy webinar - ask me anything!
the first Wednesday of every month (Off for the Summer - next up: September 2 and October 7)

Free webinars - advance registration needed

Whether you're an experienced privacy officer or new in the field, pick Kate’s brain for free for an hour, in this live webinar. No charge, but you’ll need to register in advance.

Free Part X CYFSA privacy webinar - ask me anything!
the second Wednesday of every month (next up: July 8 and August 12)

Free webinars - advance registration needed

Whether you're an experienced privacy officer or new in the field, pick Kate’s brain for free for an hour, in this live webinar. No charge, but you’ll need to register in advance.

Team Privacy Training Events
July 8, 23, 28 August 4, October 7, 8

For Primary Care clinics, Hospitals, Community Agencies and Children’s Aid

Kate trains health professionals from many more health care organizations how being privacy-respectful can improve therapeutic relationships. More details...

Kate Dewhirst Health Law

Kate says:

My mission is bringing the law to life. I make legal theory understandable, accessible and fun! I’m available and love to work for all organizations in the healthcare sector across Ontario and beyond.

Subscribe to my mailing list and keep up to date with news:

Latest Tweets



contact details

P.O. Box 97010 Roncesvalles
Toronto Ontario M6R 3B3

(416) 855 9557

.