IPC decision highlights issues about threat assessment and PHIPA application

On January 31, 2024, the IPC/Ontario ordered the Ontario Medical Association’s Physician Health Program to provide a complainant with access to a draft assessment report, though it permitted the OMA to withhold behavioral information collected in preparing the report.

Many institutions have processes that support behavioral threat assessment – a process by which multi-disciplinary teams (often including medical clinicians) conduct a threat inquiry to gather behavioral information (usually indirectly), assess behaviors and determine whether someone poses a threat to themselves and/or others. The assessment can lead to interventions, medical and otherwise, that are of benefit to the person being assessed.

The OMA’s Physician Health Program appears to be a threat assessment program, though its mandate is vague, and involves “education; support and referral; assessment; and monitoring and advocacy.” And in responding to an IPC complaint about its access request denial, the OMA argued it was a health information custodian engaged primarily in the provision of health care. The IPC re-articulated the position as follows:

[16] The OMA PHP describes its monitoring function as “first and foremost a clinical service provided to an individual physician or learner to assist in the maintenance of their health in the context of recovery from a mental health or substance use disorder.” This may involve collecting clinical information, providing clinical opinions, and reviewing urine, hair, blood, or other toxicological tests.

[17] Overall, the OMA PHP states that its employees provide services “to maintain an individual’s mental condition, … to promote health, and in the case of clients already diagnosed, to prevent disease in the form of recurrence,” all of which it states fall under the definition of “health care.”

This position drove the outcome, given that PHIPA has a very broad right of access to personal health information. The OMA was left with no valid basis to shield its draft report, even though the IPC has held that assessment is different from providing health care. The IPC did find that the (critical and sensitive) behavioral reports made to the OMA could be withheld on the basis of section 52(3), which applies to records “not… dedicated primarily to personal health information about the individual requesting access” and permits reasonable severance.

Threat assessment can and should be framed as beneficial to the person being assessed, which is important because it aligns threat assessment with the duty not to discriminate against individuals with disabilities. In other words, threat assessment is an aspect of accommodating disability and meeting institutional health and safety duties. Threat assessment is both a lawful and critical process.

This framing does not make threat assessment health care, nor should it ever be treated as health care in my view. The interventions that threat assessment invites are meant to help in the long and medium term, but in the short term they are about the restriction of privileges (e.g., of practicing, working, attending school) based on the assessed risk. There is therefore a conflict in striving to be both a health care provider and a threat assessor, and individuals under assessment must know the true nature of the process with which they are engaged. Are you my doctor? Or are you working for the institution? If threat assessment is framed as assessment, even if it is conducted by medical clinicians, PHIPA will not apply.

Ontario Medical Association Physician Health Program (Re), 2025 CanLII 9695 (ON IPC), <https://canlii.ca/t/k9ftg>, retrieved on 2025-07-17.

Sask CA says how to interpret access rights, and addresses various standards for proof of harm

On January 28, 2025, the Court of Appeal for Saskatchewan held that Saskatchewan Government Insurance could rightly withhold a report that questioned an individual’s fitness to drive based on a Health Information Protection Act discretionary exemption that permits a trustee to refuse access if “disclosure of the information could interfere with a lawful investigation or be injurious to the enforcement of an Act or regulation.”

The Court first held that the lower court erred in reading the exemption to apply only if the disclosure could interfere with “an existing or identifiable prospective investigation.” In doing so, the Court made an important point about purposive analysis and access-granting statutes, finding that one ought not give weight to the purpose of an access-granting statute without also giving weight to the purpose of the applicable exception to the granted right of access. It said:

[45] …in a case pitting a right of access against an exception to it, a court must not let the broad purpose of legislation granting rights of access overtake the exercise of properly interpreting provisions that provide exemptions. As always, the modern approach demands that the court must begin the interpretative exercise with attention to the words of the statute, as used in the context of the statute. It also requires that the interpreter consider statutory purpose in a somewhat broader sense than did the judge in this case. This idea is explained in Sullivan, as follows:

§9.02[1] Introduction

In its broadest sense, legislative purpose refers not only to the material goals the legislature hoped to achieve but also to the reasons underlying each feature of the implementing scheme. It asks the question why: why this legislation? why this arrangement of powers? why this direction or rule? why this turn of phrase? In purposive analysis every feature of legislation from the overall conception to the smallest linguistic detail is presumed to be there for a reason. It is presumed to address a concern, anticipate a difficulty, or in some way promote the legislature’s goals.

[43] In short, in a case like this, the interpreter must have regard not only to the purpose of the legislation as a means to extend rights of access to information but also must be mindful of the objectives that stand behind the exceptions themselves. This is because exemptions, such as found in s. 38(1)(f), are the mechanism chosen by the Legislature to achieve the balance between, on the one hand, rights of access and, on the other hand, society’s interest in maintaining the confidentiality of some types of information. In this case, the judge’s singular focus on the purpose that lies behind the right of access found in s. 32 of HIPA was therefore too narrow.

The Court also interpreted the word “could” in the applicable exemption to impose an “objective possibility” proof of harm standard, a lower standard than the standard that arises from the words “could reasonably be expected to” (which the Supreme Court of Canada said in Merck requires proof of harm that is “more than a mere possibility”).

The question for privacy lawyers, then, is whether a “real risk” (as in “real risk of significant harm”) requires proof of an “objective possibility” of harm or proof of harm that is “more than a mere possibility.” The text might go either way in my view, and, as in this case, one ought not let the purpose of breach notification eclipse the purpose of the standard itself, which is to set a threshold and protect against notification fatigue and the other harms associated with over-notification.

Saskatchewan Government Insurance v Giesbrecht, 2025 SKCA 10 (CanLII).

Ontario (M)FIPPA institutions, file encryption, and breach notification – a hint

As most of you know, the Ontario IPC released four decisions in the summer relating to breach reporting and notification obligations under PHIPA and the CYFSA. One controversial finding (which is subject to a judicial review application) is that the encryption of files by ransomware actors triggers an unauthorized use and a loss of personal and personal health information. Given that there is no risk-based threshold for reporting and notification in PHIPA, custodians and service providers must report and notify in respect of this particular kind of breach, even if the threat actors have not stolen or laid eyes on the information.

Leaving legal analysis aside, I’ll say that this is odd policy that has led to odd questions about who is affected by file encryption. Do we really care? Does this have any meaning to “affected” individuals?

The negative impact is that it threatens the clarity of communications about matters that institutions need to communicate clearly: “Yes, there’s been a privacy breach, but the threat actor(s) didn’t steal or view your information. And information has been ‘lost,’ but not lost as in ‘stolen.’” 🤦🏽‍♂️

One can honestly question whether there is any public good in this garble. The IPC has lobbied for cyber incident reporting, which this interpretation of PHIPA and the CYFSA effectively achieves. Cyber incident reporting should be brought in properly, through legislation, and leave out the notification obligation.

But how far does the finding extend?

The four decisions released in the summer left a question about how the encryption finding would apply to MFIPPA and FIPPA institutions, which are encouraged (but not yet legally required) to report and notify based on the “real risk of significant harm” standard. This standard will become a legal imperative when the provisions of Bill 194 come into force.

On December 10, the IPC issued a privacy complaint report that addressed file encryption at an MFIPPA institution and (in qualified terms) held that notification was not required. Mr. Gayle explained:

As the affected personal information remains encrypted and the police’s investigation found no evidence of exfiltration, it is not clear whether the breach “poses a real risk of significant harm to [these individuals], taking into consideration the sensitivity of the information and whether it is likely to be misused”. As such, it is not clear whether the police should have given direct notice of the breach to affected individuals in accordance with the IPC’s Privacy Breach Guidelines.

However, I am mindful of the fact that the police provided some notice to the public about the extent of the ransomware attack, and of the investigative and remedial steps they took to address it. I am also mindful of the fact that the breach occurred more than three years ago.

For these reasons, I find that it would serve no useful purpose in recommending that the police renotify affected individuals of the breach in accordance with the IPC’s Privacy Breach Guidelines and, as a result, do not need to decide whether the breach in this case met the threshold of “real risk of significant harm to the individual”.

This is helpful guidance, and should allow MFIPPA and FIPPA institutions to respond to matters with the clearest possible communication.

Sault Ste. Marie Police Services Board (Re), 2024 CanLII 124986 (ON IPC).

Perspectives on anonymization report released

On December 18, Khaled El Emam, Anita Fineberg, Elizabeth Jonker and Lisa Pilgram published Perspectives of Canadian privacy regulators on anonymization practices and anonymization information: a qualitative study. It is based on input from all but one Canadian privacy regulator, and includes a great discussion of one of the most important policy issues in Canadian privacy law – What do we do about anonymization given the massive demand for artificial intelligence training data?

The authors stress a lack of precision and consistency in Canadian law. It is true that the fine parameters of Canadian privacy law are yet to be articulated, but the broad parameters of our policy are presently clear:

  • First, there must be authorization to de-identify personal information. The Canadian regulators whom the authors spoke with were mostly aligned against a consent requirement, though not without qualification. If there is no express authorization to de-identify without consent (as in Ontario PHIPA), one gets the impression that a regulator will not imply consent to de-identify data for all purposes and all manner of de-identification.
  • Second, custodians of personal information must be transparent. One regulator said, “I have no sympathy for the point of view that it’s better not to tell people so as not to create any noise. I do not believe that that’s an acceptable public policy stance.” So, if you’re going to sell a patient’s health data to a commercial entity, okay, but you had better let patients know.
  • Third, the information must be de-identified in a manner that renders the re-identification risk very low in the context. Lots can be said about the risk threshold and the manner of de-identification, and lots will be said over the next while. The authors recommend that legislators adopt a “code of practice” model for establishing specific requirements for de-identification.

The above requirements can all be derived from existing legislation, as is illustrated well by PHIPA Decision 175 in Ontario, about a custodian’s sale of anonymized personal health information. Notably, the IPC imposed a requirement on the disclosing custodian to govern the recipient entity by way of the data sale agreement, rooting its jurisdiction in the provision that requires safeguarding of personal health information in a custodian’s control. One can question this root, though it is tied to re-identification risk and within jurisdiction in my view.

What’s not in current Canadian privacy legislation is any restriction on the purpose of de-identification, the identity of recipients, or the nature of the recipient’s secondary use. This is a BIG issue that is tied to data ethics. Should a health care provider ever be able to sell its data to an entity for commercial use? Should custodians be responsible for determining whether the secondary use is likely to harm individuals or groups – e.g., based on the application of algorithmic bias?

Bill C-27 (the PIPEDA replacement bill) permits the non-consensual disclosure of de-identified personal information to specific entities for a “socially beneficial purpose” – “a purpose related to health, the provision or improvement of public amenities or infrastructure, the protection of the environment or any other prescribed purpose.” Given C-27 looks fated to die, Alberta’s Bill 33 may lead the way, and if passed will restrict Alberta public bodies from disclosing “non-personal information” outside of government for any purpose other than “research and analysis” and “planning, administering, delivering, managing, monitoring or evaluating a program or service” (leaving AI model developers wondering how far they can stretch the concept of “research”).

Both C-27 and Bill 33 impose a contracting requirement akin to that imposed by the IPC in Decision 175. Bill 33, for example, only permits disclosure outside of government if:

(ii) the head of the public body has approved conditions relating to the following: (A) security and confidentiality; (B) the prohibition of any actual or attempted re-identification of the non-personal data; (C) the prohibition of any subsequent use or disclosure of the non-personal data without the express authorization of the public body; (D) the destruction of the non-personal data at the earliest reasonable time after it has served its purpose under subclause (i), unless the public body has given the express authorization referred to in paragraph (C),

and

(iii) the person has signed an agreement to comply with the approved conditions, this Act, the regulations and any of the public body’s policies and procedures relating to non-personal data.

Far be it from me to solve this complex policy problem, but here are my thoughts:

  • Let’s aim for express authorization to de-identify rather than continuing to rely on a warped concept of implied consent. Express authorization best promotes transparency and predictability.
  • I’m quite comfortable with a generally stated re-identification risk threshold, and wary of binding organizations to a detailed and inaccessible code of practice.
  • Any foray into establishing ethical or other requirements for “research” should respect academic freedom, and have an appropriate exclusion.
  • We need to eliminate downstream accountability for de-identified data of the kind that is invited by the Bill 33 provision quoted above. Custodians don’t have the practical ability to enforce these agreements, and the agreements will therefore invite huge potential liability. Statutes should bind recipients and immunize organizations that disclose de-identified information for a valid purpose from downstream liability.

Do have a read of the report, and keep thinking and talking about these important issues.

US court finds that visitors to health care provider web pages don’t leave a trail of their protected health information behind

On June 20, the U.S. District Court for the Northern District of Texas held that the US Department of Health and Human Services exceeded its authority by issuing a guidance bulletin that warned HIPAA-regulated entities that tracking visitors to web pages with content about health conditions or health care providers is governed by the HIPAA privacy rule.

The HHS concern is focused on the disclosure of “protected health information” or “PHI” to tracking vendors given such disclosures are subject to particular legal requirements. Similar to the law in Ontario, PHI is only information about an identifiable individual that “relates to” the provision of health care.

The HHS bulletin distinguishes the following two scenarios to explain when the HIPAA privacy rule does and does not apply:

  • For example, if a student were writing a term paper on the changes in the availability of oncology services before and after the COVID-19 public health emergency, the collection and transmission of information showing that the student visited a hospital’s webpage listing the oncology services provided by the hospital would not constitute a disclosure of PHI, even if the information could be used to identify the student.
  • However, if an individual were looking at a hospital’s webpage listing its oncology services to seek a second opinion on treatment options for their brain tumor, the collection and transmission of the individual’s IP address, geographic location, or other identifying information showing their visit to that webpage is a disclosure of PHI to the extent that the information is both identifiable and related to the individual’s health or future health care.

The Court held that the required connection between the information and the provision of health care cannot be based on the subjective intent of visitors if the website does not collect any information about subjective intent. Without such a collection, the Court held, there is only a “speculative inference” about the visitor’s health and interest in or need for health care, too weak a connection to meet the “relates to” criterion.

American Hospital Association v Becerra, 2024 WL 3075865.

BCCA finds statutory right of access to personal health information too broad

On April 24th, the Court of Appeal for British Columbia held that section 96(1) of the British Columbia Child, Family and Community Service Act infringes the Charter right against unreasonable search and seizure.

Section 96(1) gives British Columbia directors of child protection a right of access to information in the custody or control of public bodies, including health care bodies. Although its purpose is, in the main, child protection, section 96(1) is worded broadly as follows:

96 (1) A director has the right to any information that

(a) is in the custody or control of a public body as defined in the Freedom of Information and Protection of Privacy Act, and

(b) is necessary to enable the director to exercise [their] powers or perform [their] duties or functions under this Act.

The Court held that “necessity,” in particular given section 96(1)’s child protection purpose, imposes only a limited restriction – confining the right of access to “any information in the custody or control of a public body that the Director considers necessary.”

Interpreted as such, and based on a balancing of parents’ interest in informational privacy against the competing state interest in protecting children from harm, the Court held that section 96(1) was unreasonable.

The Court held that the application judge erred by focusing too heavily on the manner of intrusion – which does not invite an intrusion upon the body, entry into a private dwelling or ongoing surveillance – without giving due weight to the sensitivity of the information at issue. It said:

In applying the second Goodwin factor, a judge must consider not only the extent to which a particular methodology directly engages with the target of the search or seizure and interferes with their bodily integrity or personal surroundings, but the impact of the state action on their reasonable expectations of privacy in light of the nature of the items or information involved. In his earlier-cited article, Professor Penney describes the intrusiveness analysis in this manner: it is an assessment of the “degree to which [the search or seizure] discloses intimate personal information or compromises dignity, autonomy, or bodily integrity”: at p. 96, emphasis added. I agree.

The Court also held that the application judge erred in finding that section 96(1) has sufficient safeguards. Importantly, it said that prior judicial authorization or prior notice is not required to meet section 8’s standard of reasonableness, but held that section 96(1) lacks other features, and that this lack renders it unreasonable. The Court (oddly) criticized the clarity of section 96(1) and suggested that the province replace the necessity requirement with a reasonableness requirement (?). More plainly, the Court said that the province must at least provide for after-the-fact notice and a meaningful oversight mechanism.

The Court declared section 96(1) to be of no force and effect to the extent that it authorizes the production of personal information, suspended the declaration for 12 months and ordered that the declaration be prospective only.

T.L. v. British Columbia (Attorney General), 2023 BCCA 167 (CanLII).

Hat tip to Ian Mackenzie.

IPC/Ontario issues basic cyber hygiene decision

On July 5th, the IPC/Ontario held that an Ontario medical clinic breached its PHIPA safeguarding duties by:

  • Allowing staff to use personal e-mail accounts to send patient information, provided staff referred to patients only by initials, medical reference numbers or accession numbers
  • Allowing the posting of login credentials (on sticky notes or the equivalent) to enable shared access to two computers
  • Failing to abide by the IPC’s model for agent information and instruction, which requires annual privacy training and the re-signing of confidentiality agreements on an annual basis

The clinic self-corrected upon receiving the complaint, but not without defending its posting of login credentials by explaining that the two computers were physically secure and did not contain patient information. It shouldn’t have bothered. Its information and instruction failure aside, the clinic committed plain and basic network security wrongs. The IPC’s decision is notable for calling them out.

A Medical Clinic (Re), 2022 CanLII 61410 (ON IPC).

Manitoba Ombudsman blesses response to e-mail incident

Manitoba Ombudsman Jill Perron has issued her report into Manitoba Families’ 2020 e-mail incident. The incident involved the inadvertent e-mailing of personal health information belonging to 8,900 children in receipt of disability services to approximately 100 external agencies and community advocates. It is such a common incident that it is worth outlining the Ombudsman’s incident response findings.

Manitoba Families meant to transfer the information to the Manitoba Advocate for Children and Youth to support a program review. It included information about services received. Some records included diagnoses.

Manitoba Families mistakenly blind copied the external agencies and advocates on an e-mail that included the information in an encrypted file and a follow-up e-mail that included the password to the file. It had made the same mistake about a week earlier. Several agencies alerted Manitoba Families to its error, and it began containment within a half hour.

The Ombudsman held that Manitoba Families’ containment effort was reasonable. She described it as follows.

Attempts at recalling the email began minutes later at 8:29 a.m. and continued at various intervals. Also, at 8:35 a.m., CDS sent an email to all unintended recipients noting in bold that they were incorrectly included on a confidential email from Children’s disAbility Services and requested immediate deletion of the email and any attachments. Follow-up calls to the unintended recipients by CDS program staff began to occur that morning to request deletion of the emails and a list was created to track these calls and the outcomes. A communication outline was created for these calls which included a request to delete emails, a further request that emails be deleted from the deleted folder and that any emails that went to a junk email folder also be deleted…

In January 2021, we received additional written communication from the program stating that all agency service providers and advocates were contacted and verified deletion of the personal health information received in error. The log form created to track and monitor the name of the organization, the date and details of the contact was provided to our office.

The Ombudsman reached a similar finding regarding Manitoba Families’ notification effort, though she needed to recommend that Manitoba Families identify the agencies and advocates to affected individuals, which Manitoba Families agreed to do upon request.

What’s most significant – especially given class action proceedings have been commenced – is a point the Ombudsman made about evidence that Manitoba Families appears not to have gathered.

In addition to assuring families about the deletion of the email, additional information such as who viewed the email, if the attachment was opened and read, whether it was forwarded to anyone else or printed, whether it was stored in any other network drive or paper file or, conversely, that no records exist – can be helpful information to provide those affected by a privacy breach. It is best practice, therefore, to provide families with as much assurance as possible about the security of their child’s health information.

The question is, what is one to make of an arguable shortcoming in an incident response investigation? I say “arguable” because the probability of any of these actions occurring is very low in the unique circumstances of this incident, which involved trusted individuals receiving a password-protected and encrypted file. Manitoba Families ought to have collected this evidence because it called the e-mail recipients anyway, the evidence is helpful, and it was probably available for collection. If it did not do so, however, I believe it is perfectly acceptable for Manitoba Families to stand by the scope of a narrower investigation and put the plaintiff to proof.

PHIA Case 2020-1304

IPC/Ontario determines what’s reasonable to include in a drug prescription

On April 20th, the IPC/Ontario held that it is reasonable to include a patient’s first and last name, address, telephone number and date of birth on an Ontario drug prescription.

First name, last name, address and telephone number can be included as primary identifiers, with the telephone number element also enabling communication. The IPC accepted that date of birth can also be included because it is an immutable identifier (unlike address and phone number) and also contributes to the prevention of dosing errors (because dosage can depend on age).

The IPC also held that OHIP number can be included on prescriptions for controlled substances because it is required by section 5 of Ontario Regulation 381/11.

Women’s College Hospital (Re), 2020 CanLII 31115 (ON IPC).

IPC/Ontario – Appropriate for hospital to notify of breach because it maintained a shared EMR

The IPC/Ontario has issued a significant decision about information governance under the Personal Health Information Protection Act. Specifically, it held that a hospital that gives a physician access to an electronic medical record for use in private practice is a health information custodian together with the physician, but that it can retain a duty to notify of a breach arising out of the private practice.

Background

The hospital maintained an EMR system and gave access to its credentialed physicians and their employees for use in private practice. Employees in two such private practices accessed EMRs without authorization. The hospital notified affected patients and reported the breach to the IPC, which led the IPC to investigate.

In the course of the investigation it came to light that some of the employees had shared their login credentials with others outside of the hospital, but apparently to enable health care. The employees also apparently accessed some records (for non-health care purposes) with the consent of friends or family members. Both of these actions violated hospital policy.

Decision

The IPC held that the access enabled by credential sharing and the access made with the consent of family members was made in breach of PHIPA. Although a more benign form of unauthorized access, the IPC found a breach based on section 10(2) of PHIPA, which states, “A health information custodian shall comply with its information practices.”

Regarding the identity of the custodian, the IPC held that both the hospital and the two private practice physicians were custodians in the circumstances – the physicians being custodians “when they access patient information in [the EMR] for the purpose of providing health care to their private practice patients.” Such access, the IPC explained, invites a disclosure by the hospital and a collection by the physicians; in this context the physicians were not the hospital’s agents.

Despite the physicians’ custodianship, the IPC held it was appropriate for the hospital to notify in the circumstances. It said:

[122] In the cases under review, THP and the private practice physicians also treated THP as the health information custodian responsible for notifying affected individuals of the private practice employees’ unauthorized accesses in THP’s EMR. In these circumstances, I agree that THP was the appropriate party to give notice under section 12(2) of PHIPA. As the health information custodian who maintains the EMR, THP was best placed to discover and investigate the extent of the employees’ activity in the EMR, identify all the parties whose personal health information had been accessed without authority, and initiate contact with these individuals, all of whom are THP patients, but some of whom may not have any relationship with the particular private practice physician for whom the employee worked. In these cases, notification by THP was appropriate, taking into account not only the language of section 12(2) but also the interests of the affected individuals.

[123] I also agree with THP that in some circumstances, notification by the collecting custodian may be more appropriate, and a reasonable approach to fulfilling the notice obligation in section 12(2). For example, in a case where the private practice physician has a more significant relationship with the patient whose privacy was breached, notice from that physician (rather than from the custodian who disclosed the information) may be prudent. So long as the notice is given as required upon the events described in section 12(2) (and complies with the other requirements of that section), I agree with THP that circumstances such as the patient’s interests and the relationships between the patients and the various custodians involved may be relevant factors in deciding how best to fulfil the notification obligation. I am not persuaded that applying such an approach to notification in future cases would have the consequences of discouraging hospitals from adopting EMR technologies, or from participating in broader initiatives like a provincial electronic health record system.

Implications

The kind of shared accountability invited by this decision can cause confusion and risk. It will behoove hospitals and other custodians who provide shared access to their EMR systems to be very clear and detailed in establishing who is responsible for what. The hospital in this case, for example, decided post-incident to make clearer that physicians who are given outside access are responsible for training and supervising their employees. It also expressly obligated physicians to participate in privacy investigations arising from the actions of an employee.

The IPC’s finding on who provides notification is very qualified, and rests partly on the fact that the hospital in this case voluntarily provided notification to affected individuals. While taking control of notification may be beneficial to hospitals that maintain and provide third-party access to EMR systems, providing notification may also signal responsibility for a breach and for related risks that hospitals have little or no ability to control. The hospital in this case dealt with this tension by stipulating to its physicians that they may be named in hospital notification letters “as being responsible for the breach.” Other hospitals may wish to require physicians to notify themselves in certain circumstances. The IPC’s decision does not appear to preclude such alternatives.

Trillium Health Partners (Re), 2020 CanLII 15333 (ON IPC).