I’m Kate Dewhirst.

I’m a lawyer who writes about legal issues affecting healthcare in Canada

Kate Dewhirst Health Law - bringing the law to life. Meet Kate (in 13 seconds)

Health Privacy Update: What is a “bad faith” request for access to health records?

Posted by

In a new health privacy decision of the Information and Privacy Commissioner of Ontario, we find out what needs to be proven to show a patient is making a request for access to health records in “bad faith”.

Decision 87:  Interprets “Bad Faith” Requests

A patient saw a chiropodist at a foot clinic. The patient wanted a copy of his health record and was given “all the notes on file”. The patient thought there should be more records and made a complaint to the IPC.

The foot clinic admitted there was another record of a “biomechanical assessment” but refused to provide a copy to the patient. The clinic concluded the patient was making the request in bad faith because the patient had not paid for the services rendered to him by the clinic. The clinic also concluded the request for access could result in a risk of serious harm.

The IPC ordered the foot clinic to provide the patient with a copy of the record.

This is the first time the provision of a bad faith request under PHIPA has been interpreted by the IPC.

Bad faith has been defined as: “The opposite of “good faith”, generally implying or involving actual or constructive fraud, or a design to mislead or deceive another, or a neglect or refusal to fulfil some duty or other contractual obligation, not prompted by an honest mistake as to one’s rights, but by some interested or sinister motive. … “bad faith” is not simply bad judgement or negligence, but rather it implies the conscious doing of a wrong because of a dishonest negligence in that it contemplates a state of mind affirmatively operating with furtive design or ill will.”

The patient had not paid the clinic. The patient had told the clinic he didn’t intend to actually use the custom orthotics but needed the documentation for a dispute with the Ministry of Health and Long-Term Care. The clinic alleged the patient intentionally misled them about the purpose of his visit.

The IPC concluded that to find bad faith, the foot clinic had to prove the request for access to the health record was made in bad faith – not that the patient engaged in bad faith activities to receive services. The clinic failed to prove bad faith for the request for a copy of the report.

Neither could the clinic prove there was a risk of serious harm in providing the patient with a copy of the record. The clinic stated that if it released the biomechanical assessment, the patient might give it to an unregulated person who could harm the patient in the delivery of orthotics. The IPC concluded that harm was at best speculative and at worst unlikely.

Bottom Line: A patient’s right of access to their health records is foundational. “Good” patients have the right and “bad” patients have the same right. “Bad” behaviour by a patient (such as not paying their bills) does not equate to a bad faith request for health records.  

Want to read about other decisions of the IPC? Click here to get my free up-to-date Summary of all the IPC’s PHIPA Decisions.

Join me for my next Health Privacy Officer training and become even more confident in your role.


If you enjoyed this article please share it:


Previous and next posts from Kate:

Some of Kate’s recent and upcoming events

Team Privacy Training Events

April 15, May 3, June 7, 13, 20 & 25

For Primary Care clinics and FHTs

Kate trains health professionals from many more primary care organizations how being privacy-respectful can improve therapeutic relationships. more details...

Speaking event

April 10, 2019

At Osgoode Hall

Kate speaks at the Osgoode Health Law Certificate workshop on privacy for health care organizations. More details...

Primary care webinars: Contracts & Communications

April 11 and May 2, 2019, 12 noon

Part of Kate’s monthly webinar series.

Our April webinar is on employee contracts, and in May our title is communication faux pas.

Full details of the 2019 webinar series and registration here.

Privacy Officer training

April 30 through June 4, 2019

Kate’s specialist training course for Privacy Officers in health organizations.

Open to all health Privacy Officers, as well as those hoping to become Privacy Officers. Full details and registration for Privacy Officer training next spring here...

Advanced Privacy Officer training

June 18, 2019

For experienced Privacy Officers within healthcare organisations.

This one day training course focuses on how to handle difficult privacy situations using real-life (but anonymized) case studies and role-play. Full details and registration here...

Free healthcare privacy webinar - ask me anything!

April 3, 2019 12 noon - 1 pm and
May 1, 2019 9 - 10 am

Free webinar - advance registration needed

Whether you're an experience privacy officer or new in the field, pick Kate’s brain for free for an hour, in this live webinar. No charge, but you’ll need to register in advance.

Kate Dewhirst Health Law

Kate says:

My mission is bringing the law to life. I make legal theory understandable, accessible and fun! I’m available and love to work for all organizations in the healthcare sector across Ontario and beyond.

Subscribe to my mailing list and keep up to date with news:

Latest Tweets

Should a doctor always disclose a terminal illness? Absolutely yes. Every time. Then I read the article. It gave m… https://t.co/aY37fzR1K8

about 1 hour ago

A recent Canadian study published in the JAMA found that hospitals have a serious issue when it comes to throwing a… https://t.co/UUl5wP4nPe

about 4 hours ago

What do #FamilyHealth teams need to know about #SocialMedia and the #Law? https://t.co/6nakmScCGP #healthprivacy #FHTs #HealthLaw #employee

about 16 hours ago

contact details

901 King Street West Suite 400 East Tower
Toronto Ontario M5V 3H5

(416) 855 9557