First of all – it’s time to celebrate.

There have been now more than 100 decisions of the Information and Privacy Commissioner of Ontario on health privacy.  That’s a celebratory day in my office.  (Note: the IPC did not publish Decision 100 today – so I’ve got to celebrate Decision 101 instead!)

Okay – back to content – what can we learn from this new decision?

Facts:  In this case, a patient of a hospital requested under the Personal Health Information Protection Act (PHIPA) and the Freedom of Information and Protection of Privacy Act (FIPPA) access to records relating to another patient’s allegations against him of inappropriate behaviour.

What inappropriate behaviour?

We don’t know.  The decision references stalking – so the allegations were likely very serious.

The requester asked the hospital for the name of the other patient who made the allegations and full disclosure of all written documents about the complaint.

The hospital looked for records. They found a note in the medical record of the other patient (who made the complaint) and an email exchange between staff members on how to manage the complaint.

The hospital denied the requester access to records.

The requester made a complaint to the IPC – for being denied access and also complained that the hospital did not complete a sufficient search for additional records.

The IPC concluded:

• The information requested was personal health information – so the complaint proceeded
• The request for access would proceed first under PHIPA and second under FIPPA
• The records at issue were not “dedicated primarily” to the personal health information of the requester
• There was personal health information about the requester in the email record that could be reasonably severed from the rest of the record
• BUT, because the email between staff was subject to solicitor-client privilege, the hospital was justified in not providing any part of the email to the requester.

The hospital was not required to produce the email to the requester.

However, the IPC also concluded that the hospital failed to demonstrate that it had undertaken a reasonable search for records and ordered the hospital to do a search and provide evidence of its efforts.

Bottom Line:  This case deals with a difficult topic. If your health care organization manages a complaint from one patient about another patient, note that the records you create in response to the complaint may be subject to requests for access under PHIPA (or FIPPA if you are also subject to that legislation).  Do you have to give all or parts of a record to the alleged perpetrator? Well, it depends.  You certainly have to consider whether the alleged perpetrator has a right of access if the person makes an access request.  You may need to consider whether: (1) there are competing privacy interests to protect of the other patient; (2) there are safety issues to be managed; (3) the records are subject to solicitor-client privilege; (4) the purpose of the record at issue; (5) parts of records can be provided.

Want to read more: Click for a free summary of all the IPC decisions about health privacy in Ontario

Join me for Advanced Privacy Officer training for health care oganizations on December 10, 2019! Twists and turns of real-life scenarios.