I’m Kate Dewhirst.

I’m a lawyer who writes about legal issues affecting healthcare in Canada

Kate Dewhirst Health Law - bringing the law to life. Meet Kate (in 13 seconds)

IPC Decision 101 – How to deal with a patient’s request for access to records about another patient’s complaint

Posted by

First of all – it’s time to celebrate.

There have been now more than 100 decisions of the Information and Privacy Commissioner of Ontario on health privacy.  That’s a celebratory day in my office.  (Note: the IPC did not publish Decision 100 today – so I’ve got to celebrate Decision 101 instead!)

Okay – back to content – what can we learn from this new decision?

Facts:  In this case, a patient of a hospital requested under the Personal Health Information Protection Act (PHIPA) and the Freedom of Information and Protection of Privacy Act (FIPPA) access to records relating to another patient’s allegations against him of inappropriate behaviour.

What inappropriate behaviour?

We don’t know.  The decision references stalking – so the allegations were likely very serious.

The requester asked the hospital for the name of the other patient who made the allegations and full disclosure of all written documents about the complaint.

The hospital looked for records. They found a note in the medical record of the other patient (who made the complaint) and an email exchange between staff members on how to manage the complaint.

The hospital denied the requester access to records.

The requester made a complaint to the IPC – for being denied access and also complained that the hospital did not complete a sufficient search for additional records.

The IPC concluded:

  • The information requested was personal health information – so the complaint proceeded
  • The request for access would proceed first under PHIPA and second under FIPPA
  • The records at issue were not “dedicated primarily” to the personal health information of the requester
  • There was personal health information about the requester in the email record that could be reasonably severed from the rest of the record
  • BUT, because the email between staff was subject to solicitor-client privilege, the hospital was justified in not providing any part of the email to the requester.

The hospital was not required to produce the email to the requester.

However, the IPC also concluded that the hospital failed to demonstrate that it had undertaken a reasonable search for records and ordered the hospital to do a search and provide evidence of its efforts.

Bottom LineThis case deals with a difficult topic. If your health care organization manages a complaint from one patient about another patient, note that the records you create in response to the complaint may be subject to requests for access under PHIPA (or FIPPA if you are also subject to that legislation).  Do you have to give all or parts of a record to the alleged perpetrator? Well, it depends.  You certainly have to consider whether the alleged perpetrator has a right of access if the person makes an access request.  You may need to consider whether: (1) there are competing privacy interests to protect of the other patient; (2) there are safety issues to be managed; (3) the records are subject to solicitor-client privilege; (4) the purpose of the record at issue; (5) parts of records can be provided.

Want to read more: Click for a free summary of all the IPC decisions about health privacy in Ontario

Join me for Advanced Privacy Officer training for health care oganizations on December 10, 2019! Twists and turns of real-life scenarios.


If you enjoyed this article please share it:


Previous and next posts from Kate:

Some of Kate’s recent and upcoming events

Team Privacy Training Events
October 16, October 24 and November 21

For Primary Care clinics, Children’s Aid and FHTs

Kate trains health professionals from many more primary care organizations how being privacy-respectful can improve therapeutic relationships. More details...

Speaking event October 23, 2019

Osgoode Professional Development – Mental health Certificate

Kate joins the faculty for this training event. More details...

Primary care webinars: Managing Incapacity & Consent to Treatment

Part of Kate’s monthly webinar series.

Our October webinar is about managing incapacity, and the November title is Consent to Treatment.
Full details of the 2020 webinar series and registration here.

Advanced Privacy Officer training
December 10, 2019

For experienced Privacy Officers within healthcare organisations.

This one day training course focuses on how to handle difficult privacy situations using real-life (but anonymized) case studies and role-play. Full details and registration here...

Privacy Officer training
January 20 & 27 and February 3,10 & 18, 2020

Kate is the program chair for the Osgoode Certificate in Privacy in Healthcare.

This program explores the range of privacy interests that must be protected in the day-to-day treatment of patients, the development of information systems and the creation of institutional policies. More details...

Free healthcare privacy webinar - ask me anything!
October 2, November 6 and December 4

Free webinars - advance registration needed

Whether you're an experienced privacy officer or new in the field, pick Kate’s brain for free for an hour, in this live webinar. No charge, but you’ll need to register in advance.

Kate Dewhirst Health Law

Kate says:

My mission is bringing the law to life. I make legal theory understandable, accessible and fun! I’m available and love to work for all organizations in the healthcare sector across Ontario and beyond.

Subscribe to my mailing list and keep up to date with news:

Latest Tweets


We are walking on the edges of knives. https://t.co/HuAUHUfVTh #BusinessOfLaw #CoachingForLawyers #georgiaokeefe

09:01 AM Nov 15th

Law2Life Coaching is the best place successful lawyers can go to unlock more fun and fulfillment from life and work… https://t.co/vWkIPDbCj8

08:02 AM Nov 15th

contact details

901 King Street West Suite 400 East Tower
Toronto Ontario M5V 3H5

(416) 855 9557

.