When you set the bar higher than the law requires – make sure you can meet your own standards! PHIPA Decision 168
New decision of the Information and Privacy Commissioner of Ontario for health privacy.
And it is a doozy!
As background, it is important to know that our health privacy law, the Personal Health Information Protection Act, allows hospitals and other health information custodians to use identifiable health information without needing the consent of patients for the purposes of education of staff. In this case, a hospital set its own policy that stated the hospital would only use patient information for educational purposes with the the consent of patients. The hospital set its own bar higher than the law required. But then did not meet that standard. The hospital got in trouble for not meeting its own higher standard.
A patient complained to the Information and Privacy Commissioner of Ontario that hospital staff improperly looked at her health records. The patient was also a medical resident at the hospital (meaning a physician in post-graduate training). She believed her colleagues – other medical residents – were looking at her health records without permission.
The IPC got involved and started an investigation. The hospital took action and made organizational changes.
In the course of the mediation of the complaint, the patient agreed the hospital took the necessary actions to reassure her. She was allowed to lock her health record and she was given the opportunity to choose whether her records could be used for educational purposes. The hospital changed its policy and gave all patients the authority to withdraw their consent for the hospital to use their health records for educational purposes. With those reassurances, she closed her complaint.
However, the IPC started its own investigation about the hospital’s privacy policies, procedures and training.
As the IPC was doing its investigation, the patient was admitted to the hospital on several more occasions. She told staff that she had withdrawn consent to the use of her health information for educational purposes according to the new hospital policy. Her statements withdrawing consent were not recorded. She then discovered that two medical residents colleagues continued to look at her health records for education reasons. One of those residents was found to have looked at her records repeatedly. The patient was admitted to the hospital again over the course of months – and again the same medical resident looked at her patient records without authority. The patient notified the IPC.
The IPC investigated the new breaches too.
The hospital said:
- The policy to withdraw consent for educational purposes was not yet in force when the medical resident looked at the patient’s records
- The hospital took steps to address the patient’s concerns that her colleagues were looking at her records (and explained those efforts to the IPC, which were not reported in the decision)
- The hospital put a warning pop-up on the patient’s health record to inform all hospital staff to only use her records to deliver health care and not for education purposes
- The hospital audited the patient’s health record frequently
- With the pop-up warning flag there was a significant decrease in the number of views of the patient’s records
The IPC concluded:
- The hospital’s ultimate responses to the problem of unauthorized access to the patient’s records were sufficient and so did not issue an order against the hospital.
- However, the hospital failed to follow its own new Education policy, which allowed patients to withdraw their consent for use of their information for educational purposes. By not following its own information management practices it set (even though they chose a higher standard than the law required), the hospital breached the law. The law requires that hospitals follow their own privacy policies. This hospital did not do so.
- The hospital failed to teach its staff about its new Education policy – leading staff to continue to read and access the patient’s health information even after she instructed them not to do so. That breached PHIPA because the hospital failed to instruct its agents about its own privacy practices.
Key Messages for Health Information Custodians and Privacy Officers
There are a lot of messages that come out of this decision:
- Although not discussed, this is a case about snooping. The patient’s colleagues (the medical residents) may have accidentally come across her health records in the course of their work and education initially – but not repeatedly. Hospitals need to train their staff that when a colleague is admitted – they need to be thoughtful about secondary uses of such information. Repeatedly going back to a colleague’s health records under the guise of “I’m learning” undermines trust. If a resident is part of the care team of a colleague – that is legitimate access to records. If a resident is part of a research study and it happens that a colleague’s information is in the research study – that is legitimate. But every health information custodian should caution its staff not to review a colleague’s health information without absolute certainty the activity is authorized.
- Educational purposes are not part of the “circle of care”. “Circle of care” is sharing of information between health care providers to provide health care. Education is a secondary purpose – it is not providing health care. You cannot rely on a patient’s implied consent to share their information between team members for educational purposes.
- Hospitals and other health information custodians do not need patient consent to share information between team members for educational purposes – teaching agents. PHIPA permits that activity on a no consent basis. Custodians can choose to obtain consent – but there is no legal obligation to do so.
- If you voluntarily adopt a higher standard than the law requires – you had better be able to meet that higher standard. Do not offer patients choices you are not willing to respect.
- If you implement a new policy – you have to train everyone on the new policy. It is the law that custodians must train all agents on their privacy policies.
- When you are in a settlement situation – if you change your privacy rules to respect a particular patient’s needs – you need to communicate that change immediately to the people who may come in contact with that patient so that your promise is actioned right away. The hospital waited too long to explain the policy change to the exact people to whom it was intended to apply.
Want to read the decision for yourself? Decision 168
Want to read a summary of all the decisions of the IPC in Ontario – click here to download my free summary.