Archive | Health privacy RSS feed for this section

In snooping investigations, disclose the logs

21 Dec

When an employer confronts an employee with an allegation of improper access to personal information, it is important to give the employee the event log data that proves the allegation. It may often be voluminous and difficult to interpret, but presenting a general allegation or summarizing events without particulars will give the employee a good reason to deny the allegation.

This is what happened in this very illustrative British Columbia case in which an arbitrator held he could not infer dishonesty from the grievor’s initial failure to admit wrongdoing because the grievor had not been given log data. Also, if an employee continues to deny responsibility, log data can be difficult to rely upon; even if it can be established to be authentic, there are issues about presenting log data in a meaningful and privacy-protective way. An early admission can go a long way.

Fraser Health Authority (Royal Columbian Hospital) v British Columbia Nurses’ Union, 2017 CanLII 72384 (BC LA).


IPC addresses PHIPA request for raw data

20 Dec

On September 29th, the IPC/Ontario held that PHIPA governs and provides a right of access to “raw data” about an identifiable individual. It also held that raw data is not subject to the right of access unless it can reasonably be severed from the repositories in which it is retained. The IPC said:

Having regard to the evidence before me, I conclude that where the extraction of the complainant’s information can be done through the development of conventional custom queries by hospital staff, based on information in reporting views available to the hospital, the complainant’s information can be reasonably severed for the purpose of section 52(3) of the Act.  The hospital’s obligation to provide access to this information, if the complainant wishes to pursue it, is met by providing him with the results of such queries.  The information need not be in native format, but can be in the format in which those results are generated through such queries.

“Reporting views” are tools that make generating certain types of reports from databases easier. The IPC has suggested that hospitals must provide access to data that can be extracted based on such tools together with “conventional queries”. Hospitals can charge a requesters a fee that represents reasonable cost recovery.

St. Michael’s Hospital (Re), 2017 CanLII 70006 (ON IPC).

IPC interprets prohibition on collecting health card numbers

20 Dec

Section 34(2) of PHIPA prohibits persons other than health information custodians or agents of health information custodians from collecting, using and disclosing health card numbers. There are some narrow exceptions, one of which applies when the collection, use or disclosure is “for purposes related to the provision of provincially funded health resources to [the] person [whose health card number is collected…].”

In a decision issued October 10th, the IPC said the following about the exception:

 Having regard to the above, I find the proper interpretation of section 34(2)(a) is that a collection or use of a health number will only be “related to the provision of provincially funded health resources” where the health number is collected or used for the purposes of the provincial funding of health resources, or directly obtaining those health resources.

The IPC therefore held that an insurance company could not routinely collect health card numbers on an application form for supplementary health insurance benefits. Although related in the broad sense, the insurance company did not routinely use the number to coordinate benefits. The IPC permitted the company to continue to collect health card numbers to obtain reimbursement for payments made under plans that provide for emergency medical travel coverage.

An insurance company (Re), 2017 CanLII 70023 (ON IPC).

Consent form decision imposes strict transparency requirement for handling employee medical information

9 Aug

Disputes about employer medical information consent forms are now common. It’s not hard to pick apart a form, and employers tend to suffer “cuts and bruises.” In once such case an arbitrator has recently held that an employer must identify “anyone with whom the information would be shared” in a consent form. The arbitrator also held that an employer must subsequently (and seemingly proactively) give notice of who is handling information:

I agree with the employer that it is not practical to obtain a new consent every time a manager or HR Specialist who is absent is temporarily replaced. However, the employer must advise the employee of the employer’s need and intention to share health information with a replacement and identify that individual by name and title. This would enable the employee to revoke the consent if he/she does not wish the health information to be shared with the individual replacing the manager or HR Specialist. If and when it becomes necessary to share health information with HR or legal services in order to seek advice, or to obtain approval from senior management with delegated authority, the employee should be informed of the title or office only of the person with whom information will be shared. The employee’s consent would not be required for the employer to be able to do so.

While there’s no debating an employee’s right of control, the degree of transparency required here is very high and operationally challenging in the least. “Person-based consents” (as opposed to “purpose-based consents”) can also restrict important flows of information in subtle yet problematic ways.

The best argument against person-based consents is one that refers to the public policy that is reflected in the Personal Health Information and Protection Act (which does not govern employers acting as employers except via section 49). Even in the health care context – where the standard should be higher, not lower than in the employment context given the limited range of information processed by employers – consent is deemed to exist for a certain purpose and information can flow to any health care provider for that purpose. This is subject to a “lock box” that gives patients the ability to shield their information from specific individuals, but the lock box essentially functions as an opt out. (For the nuances of how PHIPA’s “circle of care” concept works, see here.) Transparency is satisfied by the publication of a “written public statement” (a policy really) that “provides a general description of the custodian’s information practices.” There’s no reason to require more of employers.

OPSEU and Ontario (Treasury Board Secretariat), Re, 2017 CarswellOnt 11994.

Saskatchewan health authority criticized for slow incident response

26 Aug

Good incident response involves nailing your timing – not going too fast or too slow. 

On August 17th the Saskstchewan Information and Privacy Commissioner held that a health authority breached the Saskatchewan Health Information Privacy Act by failing to respond to an incident in a timely manner. 

The Commissioner’s report does describe a dilatory response – with a discovery of “snooping” in mid October 2015, an investigation that led to a paid suspension at the end of January 2016, notification to the Commissioner at the end of February 2016, notification to the Commissioner towards the end of March that the breach was bigger than first reported and eventual notification to affected individuals in July 2016. 

Think and don’t react, and you can even pause to momentarily to gain confidence in a next critical step, but always keep the ball moving.

Investigation Report 030-2016 (17 August 2016, Sask OIPC).  

The Saskatchewan OIPC okays health authority’s incident response

14 Jun

On June 8th, the Office of the Saskatchewan Information and Privacy Commissioner issued an investigation report in which it held that a regional health authority responded appropriately to a privacy breach. Most notably, the OIPC reinforced a recommendation about notification included in its 2015 publication, Privacy Breach Guidelines. The recommendation:

Unless there is a compelling reason not to, [health information] trustees should always notify affected individuals.

This is a novel and conservative variation on the normal harms-related principle that guides notification. It is simply a recommendation – and one directed only at public agencies and health information trustees in Saskatchewan. It is notable nonetheless, however, in that it reflects an arguably developing public sector norm. Right or wrong, there is a unique pressure on public sector institutions to notify that should always be considered as part of a public sector institution’s careful response to a data handling incident.

Investigation Report 101-2016 (8 June 2016).

Cybersecurity and data loss (short presentation)

8 Nov

Here’s a 10 minute presentation I gave to the firm yesterday that puts some trends in context and addresses recent breach notification amendments.

CORRECTION. I made a point in this presentation that the Bill 119 amendments to PHIPA remove a requirement to notify of unauthorized “access” – a positive add given the statute does not include a harms-related threshold for notification. Section 1(2) of the Bill, I have now noticed, amends the definition of  “use” as follows: “The definition of ‘use’ in section 2 of the Act is amended by striking out ‘means to handle or deal with the information” and substituting ‘means to view, handle or otherwise deal with the information.’ The removal of “access” from the breach notification provision will therefore not invite a change.