I’m Kate Dewhirst.

My team and I write about legal issues affecting healthcare in Canada.

Kate Dewhirst Health Law - bringing the law to life. Meet Kate (in 13 seconds)

Health Privacy Update: Be very careful when speaking with the media about patients

Posted by

We know this intuitively – but it bears repeating. Health care organizations should be very careful when speaking with the media about specific patient cases.

There is a new Information and Privacy Commissioner of Ontario (IPC) health privacy decision directly on this topic. Decision 82

Background: A patient of a hospital died. The family members of the deceased patient made allegations against the hospital’s Chief of Staff to the College of Physicians and Surgeons of Ontario. That case was then taken to the Health Professions Appeal and Review Board (HPARB). HPARB issued a decision. In the HPARB decision, the patient’s initials were used.

The media asked the hospital to comment on the case. The hospital did so. In one interview the hospital CEO inadvertently used the patient’s name after the reporter first used it.

The patient’s family complained to the IPC that the hospital shared the patient’s health information and in so doing breached the deceased patient’s privacy rights and the health privacy legislation.

The hospital stated it felt it needed to reassure the public it was safe to come to the hospital and only spoke to the media about facts already available to the public through the HPARB decision.

Decision: Among other things, the IPC found that:

  1. The hospital’s statements to the media contained personal health information – even when the patient’s name was not used – because there was enough information available in the public sphere to identify the patient in question.
  2. However, so long as the hospital did not disclose more information than had been shared in the public HPARB decision – the hospital did not violate the health privacy legislation, the Personal Health Information Protection Act (PHIPA). PHIPA should not be interpreted to prohibit repetition of facts and evidence in public court or tribunal decisions. Repetition of such facts is not a “disclosure” under PHIPA.
  3. However, the hospital went beyond repeating facts of the HPARB case in two ways:
    • When the CEO mentioned the patient’s name to the media – when HPARB had only referred to the patient by initials; and
    • When a hospital representative made statements to the media about the patient’s general health condition.
  4. The hospital’s privacy policies were confusing. The hospital’s media policy failed to address a situation where an unnamed patient was at issue. The hospital’s policies needed to make clear that information about a patient, even without a name, can be identifying information. The hospital was directed to amend its policies.

NOTE: This decision has a lot of additional content not mentioned in this blog post. For example, the decision also addresses the hospital’s obligations to provide notice to the complainant of a privacy breach and whether it did so. It also addresses policy management issues. It also addresses what constitutes an appropriate privacy investigation.

Bottom Line: This decision is important reading for public affairs staff and health care leadership. Communicating with the media about patient cases comes with responsibility. It is important to remember that even if you do not use patient names – there may be other publicly available information that can be linked to identify patients involved.


If you enjoyed this article please share it:


Previous and next posts from Kate:

Some of Kate’s recent and upcoming events

Free healthcare privacy webinar - ask me anything!
the first Wednesday of every month

Free webinars - advance registration needed

Whether you're an experienced privacy officer or new in the field, pick Kate’s brain for free for an hour, in this live webinar. No charge, but you’ll need to register in advance.

Health Privacy Officer Foundations training
April 13, 20, 27, May 4, 11, 18, 25 2022

For Privacy Officers within healthcare organizations.

This course focuses on how to become a more confident privacy officer and gives you the tools to document your privacy program. Full details and registration here...

Join the Shush: a collective of health privacy officers
Annual membership 2021

For Privacy Officers within healthcare organizations

This is an annual membership program that takes theory into practice and tackles real life scenarios to build Privacy Officer skills.
Full details and registration here.

Primary care webinars: Employment Law Update & Legal Issues for EDs and Board members

Part of Kate’s monthly webinar series.

Our November program will address harassment and in December we discuss privacy.
Full details of the 2022 webinar series and registration here.

Team Privacy Training Events
November 1, 4, 10, 11, 12, 22, 24 December 3, 13

For Primary Care clinics, Hospitals, Community Agencies, Mental Health Teams, Public Health Units, School Boards, Police departments

Kate trains health professionals from many more health care organizations how being privacy-respectful can improve therapeutic relationships. More details...

NEW! Ontario Hospital Association Professional Staff Credentialing Toolkit

2nd Edition is now available for managing physicians, dentists, midwives and nurse practitioners in hospitals Read here...

Free summary of all PHIPA IPC decisions

Want to read privacy breach stories to learn how to improve your work? We have summarized all the Information and Privacy Commissioner's health privacy decisions for you Download here...

Part X CYFSA Privacy Designate Course - video course online

For Privacy Designates in the child welfare sector including children's aid societies and indigenous children's well-being centres

We focus on how to implement Part X of the Child Youth and Family Services Act in your organization.
Full details and registration here.

Kate Dewhirst Health Law

Kate says:

My mission is bringing the law to life. I make legal theory understandable, accessible and fun! I’m available and love to work for all organizations in the healthcare sector across Ontario and beyond.

Subscribe to my mailing list and keep up to date with news:

Latest Tweets

[FEB 3 – WEBINAR SERIES] Ontario Not-for-Profit Corporations Act (ONCA) update Register now:… https://t.co/ndWcZ3Qp5E

about 2 hours ago

Join The Shush, my community for Privacy Officers in the healthcare sector. Develop knowledge, skills and judgment,… https://t.co/wA6ZJ51hMx

01:00 PM Dec 7th

I appreciate all the testimonials people give us. This one made me really proud. This is what we can do when we wa… https://t.co/WBeQwD8Bku

01:00 PM Dec 6th

contact details

P.O. Box 97010 Roncesvalles
Toronto Ontario M6R 3B3

(416) 855 9557

.