I’m Kate Dewhirst.

I’m a lawyer who writes about legal issues affecting healthcare in Canada

Kate Dewhirst Health Law - bringing the law to life. Meet Kate (in 13 seconds)

IPC Decision 101 – How to deal with a patient’s request for access to records about another patient’s complaint

Posted by

First of all – it’s time to celebrate.

There have been now more than 100 decisions of the Information and Privacy Commissioner of Ontario on health privacy.  That’s a celebratory day in my office.  (Note: the IPC did not publish Decision 100 today – so I’ve got to celebrate Decision 101 instead!)

Okay – back to content – what can we learn from this new decision?

Facts:  In this case, a patient of a hospital requested under the Personal Health Information Protection Act (PHIPA) and the Freedom of Information and Protection of Privacy Act (FIPPA) access to records relating to another patient’s allegations against him of inappropriate behaviour.

What inappropriate behaviour?

We don’t know.  The decision references stalking – so the allegations were likely very serious.

The requester asked the hospital for the name of the other patient who made the allegations and full disclosure of all written documents about the complaint.

The hospital looked for records. They found a note in the medical record of the other patient (who made the complaint) and an email exchange between staff members on how to manage the complaint.

The hospital denied the requester access to records.

The requester made a complaint to the IPC – for being denied access and also complained that the hospital did not complete a sufficient search for additional records.

The IPC concluded:

  • The information requested was personal health information – so the complaint proceeded
  • The request for access would proceed first under PHIPA and second under FIPPA
  • The records at issue were not “dedicated primarily” to the personal health information of the requester
  • There was personal health information about the requester in the email record that could be reasonably severed from the rest of the record
  • BUT, because the email between staff was subject to solicitor-client privilege, the hospital was justified in not providing any part of the email to the requester.

The hospital was not required to produce the email to the requester.

However, the IPC also concluded that the hospital failed to demonstrate that it had undertaken a reasonable search for records and ordered the hospital to do a search and provide evidence of its efforts.

Bottom LineThis case deals with a difficult topic. If your health care organization manages a complaint from one patient about another patient, note that the records you create in response to the complaint may be subject to requests for access under PHIPA (or FIPPA if you are also subject to that legislation).  Do you have to give all or parts of a record to the alleged perpetrator? Well, it depends.  You certainly have to consider whether the alleged perpetrator has a right of access if the person makes an access request.  You may need to consider whether: (1) there are competing privacy interests to protect of the other patient; (2) there are safety issues to be managed; (3) the records are subject to solicitor-client privilege; (4) the purpose of the record at issue; (5) parts of records can be provided.

Want to read more: Click for a free summary of all the IPC decisions about health privacy in Ontario

Join me for Advanced Privacy Officer training for health care oganizations on December 10, 2019! Twists and turns of real-life scenarios.


If you enjoyed this article please share it:


Previous and next posts from Kate:

Some of Kate’s recent and upcoming events

Health Privacy Officer training
September 22, 2020

For Privacy Officers within healthcare organizations - now totally online.

This course focuses on how to become a more confident privacy officer and gives you the tools to document your privacy program. Full details and registration here...

Primary care webinars: Employment Law Update & Legal Issues for EDs and Board members

Part of Kate’s monthly webinar series.

Our September program is on privacy litigation and the October program will address harassment issues and scenarios.
Full details of the 2020 webinar series and registration here.

Free healthcare privacy webinar - ask me anything!
the first Wednesday of every month (Off for the Summer - next up: September 2 and October 7)

Free webinars - advance registration needed

Whether you're an experienced privacy officer or new in the field, pick Kate’s brain for free for an hour, in this live webinar. No charge, but you’ll need to register in advance.

Free Part X CYFSA privacy webinar - ask me anything!
the second Wednesday of every month (next up: July 8 and August 12)

Free webinars - advance registration needed

Whether you're an experienced privacy officer or new in the field, pick Kate’s brain for free for an hour, in this live webinar. No charge, but you’ll need to register in advance.

Team Privacy Training Events
July 8, 23, 28 August 4, October 7, 8

For Primary Care clinics, Hospitals, Community Agencies and Children’s Aid

Kate trains health professionals from many more health care organizations how being privacy-respectful can improve therapeutic relationships. More details...

Kate Dewhirst Health Law

Kate says:

My mission is bringing the law to life. I make legal theory understandable, accessible and fun! I’m available and love to work for all organizations in the healthcare sector across Ontario and beyond.

Subscribe to my mailing list and keep up to date with news:

Latest Tweets



contact details

P.O. Box 97010 Roncesvalles
Toronto Ontario M6R 3B3

(416) 855 9557

.