We know this intuitively – but it bears repeating. Health care organizations should be very careful when speaking with the media about specific patient cases.

There is a new Information and Privacy Commissioner of Ontario (IPC) health privacy decision directly on this topic. Decision 82

Background: A patient of a hospital died. The family members of the deceased patient made allegations against the hospital’s Chief of Staff to the College of Physicians and Surgeons of Ontario. That case was then taken to the Health Professions Appeal and Review Board (HPARB). HPARB issued a decision. In the HPARB decision, the patient’s initials were used.

The media asked the hospital to comment on the case. The hospital did so. In one interview the hospital CEO inadvertently used the patient’s name after the reporter first used it.

The patient’s family complained to the IPC that the hospital shared the patient’s health information and in so doing breached the deceased patient’s privacy rights and the health privacy legislation.

The hospital stated it felt it needed to reassure the public it was safe to come to the hospital and only spoke to the media about facts already available to the public through the HPARB decision.

Decision: Among other things, the IPC found that:

1. The hospital’s statements to the media contained personal health information – even when the patient’s name was not used – because there was enough information available in the public sphere to identify the patient in question.
2. However, so long as the hospital did not disclose more information than had been shared in the public HPARB decision – the hospital did not violate the health privacy legislation, the Personal Health Information Protection Act (PHIPA). PHIPA should not be interpreted to prohibit repetition of facts and evidence in public court or tribunal decisions. Repetition of such facts is not a “disclosure” under PHIPA.
3. However, the hospital went beyond repeating facts of the HPARB case in two ways:
   • When the CEO mentioned the patient’s name to the media – when HPARB had only referred to the patient by initials; and
   • When a hospital representative made statements to the media about the patient’s general health condition.
4. The hospital’s privacy policies were confusing. The hospital’s media policy failed to address a situation where an unnamed patient was at issue. The hospital’s policies needed to make clear that information about a patient, even without a name, can be identifying information. The hospital was directed to amend its policies.

NOTE: This decision has a lot of additional content not mentioned in this blog post. For example, the decision also addresses the hospital’s obligations to provide notice to the complainant of a privacy breach and whether it did so. It also addresses policy management issues. It also addresses what constitutes an appropriate privacy investigation.

Bottom Line: This decision is important reading for public affairs staff and health care leadership. Communicating with the media about patient cases comes with responsibility. It is important to remember that even if you do not use patient names – there may be other publicly available information that can be linked to identify patients involved.