I’m Kate Dewhirst.

My team and I write about legal issues affecting healthcare in Canada.

When you set the bar higher than the law requires – make sure you can meet your own standards! PHIPA Decision 168

New decision of the Information and Privacy Commissioner of Ontario for health privacy.

And it is a doozy!

As background, it is important to know that our health privacy law, the Personal Health Information Protection Act, allows hospitals and other health information custodians to use identifiable health information without needing the consent of patients for the purposes of educating staff. In this case, a hospital set its own policy stating that it would only use patient information for educational purposes with the consent of patients. The hospital set its own bar higher than the law required, but then did not meet that standard. The hospital got in trouble for not meeting its own higher standard.

Patient Complaint

A patient complained to the Information and Privacy Commissioner of Ontario that hospital staff improperly looked at her health records. The patient was also a medical resident at the hospital (meaning a physician in post-graduate training). She believed her colleagues – other medical residents – were looking at her health records without permission.

IPC’s Involvement

The IPC got involved and started an investigation. The hospital took action and made organizational changes.

In the course of the mediation of the complaint, the patient agreed the hospital took the necessary actions to reassure her.  She was allowed to lock her health record and she was given the opportunity to choose whether her records could be used for educational purposes. The hospital changed its policy and gave all patients the authority to withdraw their consent for the hospital to use their health records  for educational purposes. With those reassurances, she closed her complaint.

However, the IPC started its own investigation about the hospital’s privacy policies, procedures and training.

As the IPC was doing its investigation, the patient was admitted to the hospital on several more occasions. She told staff that she had withdrawn consent to the use of her health information for educational purposes according to the new hospital policy. Her statements withdrawing consent were not recorded. She then discovered that two medical resident colleagues continued to look at her health records for education reasons. One of those residents was found to have looked at her records repeatedly. The patient was admitted to the hospital again over the course of months – and again the same medical resident looked at her patient records without authority. The patient notified the IPC.

The IPC investigated the new breaches too.

The hospital said:

  • The policy to withdraw consent for educational purposes was not yet in force when the medical resident looked at the patient’s records
  • The hospital took steps to address the patient’s concerns that her colleagues were looking at her records (and explained those efforts to the IPC, which were not reported in the decision)
  • The hospital put a warning pop-up on the patient’s health record to inform all hospital staff to only use her records to deliver health care and not for education purposes
  • The hospital audited the patient’s health record frequently
  • With the pop-up warning flag there was a significant decrease in the number of views of the patient’s records

IPC Decision

The IPC concluded:

  • The hospital’s ultimate responses to the problem of unauthorized access to the patient’s records were sufficient, and so the IPC did not issue an order against the hospital.
  • However, the hospital failed to follow its own new Education policy, which allowed patients to withdraw their consent for use of their information for educational purposes. By not following the information management practices it had set for itself (even though it chose a higher standard than the law required), the hospital breached the law. The law requires that hospitals follow their own privacy policies. This hospital did not do so.
  • The hospital failed to teach its staff about its new Education policy – leading staff to continue to read and access the patient’s health information even after she instructed them not to do so. That breached PHIPA because the hospital failed to instruct its agents about its own privacy practices.

Key Messages for Health Information Custodians and Privacy Officers

There are a lot of messages that come out of this decision:

  1. Although not discussed, this is a case about snooping. The patient’s colleagues (the medical residents) may have accidentally come across her health records in the course of their work and education initially – but not repeatedly.  Hospitals need to train their staff that when a colleague is admitted – they need to be thoughtful about secondary uses of such information. Repeatedly going back to a colleague’s health records under the guise of “I’m learning” undermines trust.  If a resident is part of the care team of a colleague – that is legitimate access to records. If a resident is part of a research study and it happens that a colleague’s information is in the research study – that is legitimate.  But every health information custodian should caution its staff not to review a colleague’s health information without absolute certainty the activity is authorized.
  2. Educational purposes are not part of the “circle of care”.  “Circle of care” is sharing of information between health care providers to provide health care. Education is a secondary purpose – it is not providing health care.  You cannot rely on a patient’s implied consent to share their information between team members for educational purposes.
  3. Hospitals and other health information custodians do not need patient consent to share information between team members for educational purposes – teaching agents. PHIPA permits that activity on a no consent basis. Custodians can choose to obtain consent – but there is no legal obligation to do so.
  4. If you voluntarily adopt a higher standard than the law requires – you had better be able to meet that higher standard.  Do not offer patients choices you are not willing to respect.
  5. If you implement a new policy – you have to train everyone on the new policy.  It is the law that custodians must train all agents on their privacy policies.
  6. When you are in a settlement situation – if you change your privacy rules to respect a particular patient’s needs – you need to communicate that change immediately to the people who may come in contact with that patient so that your promise is actioned right away. The hospital waited too long to explain the policy change to the exact people to whom it was intended to apply.

Want to read the decision for yourself? Decision 168
