5 New PHIPA IPC decisions … time to catch up
There have been some interesting health privacy decisions out of the Information and Privacy Commissioner’s Office in the last few months. Here’s a recap:
Decisions 119 and 121 – May and June 2020
Key Take Away Message: When there is a dispute over whether a health care organization has completed a “reasonable search”, the organization must be able to show how it concluded there are no additional records to be found. There will be times where a health care organization loses or does not record clinical sessions. In such cases, it is important to be transparent about the reason the records do not exist.
A patient of a pain management clinic asked for access to his medical records. The clinic provided a copy of his records. The patient thought additional records should exist (specifically images and discharge papers).
The clinic explained there were no additional records because the images were not saved or recorded due to an ultrasound machine malfunction and the discharge papers were not completed because the patient experienced a medical emergency during his appointment.
The patient was dissatisfied and complained to the IPC.
The IPC upheld the clinic’s search as reasonable and dismissed the complaint. The complainant did not provide sufficient evidence to establish a reasonable basis for his belief that additional responsive records exist. The clinic gave a sufficient explanation for why it was unable to locate and provide the complainant with the images and discharge papers.
This matter was reconsidered by the IPC at the request of the patient. The complainant alleged but did not establish either a fundamental defect in the adjudication process or a procedural error in the Decision. The IPC denied the reconsideration request.
Decision 120 – May 2020
Key Take Away Message: Video surveillance on a health organization’s property is almost always a record of personal health information to which a patient has a right of access. Other patients’ images if captured in the video recordings will have to be severed from the requester’s images. This decision discusses the interplay between PHIPA and FIPPA (which applies to hospitals in Ontario).
A patient sought access under the Freedom of Information and Protection of Privacy Act to all hospital video surveillance footage taken of him during two days he was a patient at the hospital. The hospital found video taken on one of the two days. The video was composed of four recordings from three different hospital cameras. It was compiled by the hospital at the request of the Crown Attorney’s office for use in a law enforcement proceeding. The hospital issued a fee estimate of $2,316.50 for an external service provider to obscure images of non-hospital staff individuals in the video. Although the hospital and the complainant treated it as an access request and appeal under FIPPA, the IPC treated as a complaint under PHIPA.
The IPC ordered the hospital to grant access to most of the video, excluding 12 seconds of images of two other patients to be obscured. The IPC concluded the video surveillance footage included PHI. The IPC concluded that images of the requester and images of hospital staff and police officers interacting with him at the hospital were his PHI. However, the IPC also held that the video images of other patients and images of hospital staff, police officers and firefighters who do not interact with the complainant were not the complainant’s PHI.
The IPC concluded the video recordings were not “dedicated primarily to the complainant’s personal health information”, even though most of the video contained the complainant’s PHI. The video surveillance footage was recorded for security purposes and the video that was compiled from the footage was created for a legal proceeding.
The complainant only had a right of access to his PHI in the video that could be severed from the rest of the video.
The IPC concluded that images of hospital staff assisting other patients are not the personal information of those staff. Similarly, the police officers and firefighters appear in the video in a professional capacity, and not a personal one; therefore, images of them in the video do not qualify as their personal information under FIPPA. The hospital was required to disclose those remaining portions of the video to the complainant under FIPPA (i.e. parts of the video in which he does not appear but hospital staff, police officers, and firefighters do).
The IPC upheld the hospital’s search for records as reasonable.
This decision also discusses fees. The fees were analyzed under PHIPA and not FIPPA. The hospital was able to charge a $100 fee for reviewing the video and providing it on a CD and charge for obscuring 12 seconds of the video.
There is no Decision 122 yet
Decision 123 – June 2020
Key Take Away Message: If you have video surveillance in your health care organization, the recordings are likely records of personal health information which are subject to a right of access. Concerns about organizational security and safety are legitimate issues that may limit a patient’s right of access to recordings. However, arguing that granting access will cause a risk of serious harm must be beyond speculative or theoretical risk.
A patient requested video recordings of events leading up to, and including, his restraint and placement in a seclusion room by hospital staff. The hospital is the province’s only high security forensic mental health program for clients served by both the mental health and justice systems.
The IPC concluded that the video recordings contained the requester’s personal health information. The IPC ordered the hospital to grant the complainant access to the portions of the complainant’s personal health information that were not subject to an exemption and could be severed. The hospital was not required to grant access to video recordings or details of the high security facility’s physical layout and video surveillance system. The IPC found that most of the video footage containing the complainant’s PHI could be severed by using obscuring technology to withhold the background portions that revealed information about the facility’s physical layout and video surveillance system. However, the IPC identified two portions of video to be withheld that could not reasonably be severed.
This decision discusses the test for records that are “dedicated primarily to” the requester’s PHI. This decision also discusses the test when granting access to records could give rise to a risk of serious harm. The complainant was aware of the circumstances of his restraint and placement in a seclusion room, including identifying information about the individuals against whom he filed a complaint, who were the same staff members that the hospital suggested were most at risk of the harm. The hospital’s evidence did not demonstrate a risk of harm well beyond the merely possible or speculative.
Decision 124 – July 2020
Key Take Away Message: Don’t let your staff save work-related personal health information on their home computers or send emails that include health information to themselves or their family members.
A rehabilitation clinic reported two breaches to the IPC:
- the estranged spouse of a clinic employee had access to PHI of clinic clients stored on personal computing devices that were in the possession of the spouse (inadvertently downloaded by the employee); and
- the spouse reported discovering emails in his account that contained additional PHI of clinic clients (sent by the employee to her spouse for printing).
The issues were brought to the clinic’s attention by the estranged spouse. Nothing like family drama to bring privacy issues to the table.
The clinic confirmed that the spouse returned the devices and that he deleted the emails, had not made any copies of, retained or shared the emails or any other personal health information of clients of the employee or the clinic.
The clinic revised its Clinician Agreement, Privacy Policy and Confidentiality Agreement to teach staff that:
- printing a document may create a copy in a computer’s temporary downloads file and it is necessary to delete the temporary downloads folder daily or set up automatic deletion
- they are not permitted to send personal health information to a personal email address
- they may only send, download, or store personal health information in very limited circumstances; namely, where remote access is not available and the records cannot be viewed from an encrypted device
- they may not leave confidential information exposed for others to view.”
The clinic also instituted annual privacy training for all employees and specific instructions and training to all staff in response to the breaches.
The IPC concluded the clinic’s response was sufficient and no order was required.