IPC interprets prohibition on collecting health card numbers

Section 34(2) of PHIPA prohibits persons other than health information custodians or agents of health information custodians from collecting, using and disclosing health card numbers. There are some narrow exceptions, one of which applies when the collection, use or disclosure is “for purposes related to the provision of provincially funded health resources to [the] person [whose health card number is collected…].”

In a decision issued October 10th, the IPC said the following about the exception:

Having regard to the above, I find the proper interpretation of section 34(2)(a) is that a collection or use of a health number will only be “related to the provision of provincially funded health resources” where the health number is collected or used for the purposes of the provincial funding of health resources, or directly obtaining those health resources.

The IPC therefore held that an insurance company could not routinely collect health card numbers on an application form for supplementary health insurance benefits. Although related in the broad sense, the insurance company did not routinely use the number to coordinate benefits. The IPC permitted the company to continue to collect health card numbers to obtain reimbursement for payments made under plans that provide for emergency medical travel coverage.

An insurance company (Re), 2017 CanLII 70023 (ON IPC).

Consent form decision imposes strict transparency requirement for handling employee medical information

Disputes about employer medical information consent forms are now common. It’s not hard to pick apart a form, and employers tend to suffer “cuts and bruises.” In once such case an arbitrator has recently held that an employer must identify “anyone with whom the information would be shared” in a consent form. The arbitrator also held that an employer must subsequently (and seemingly proactively) give notice of who is handling information:

I agree with the employer that it is not practical to obtain a new consent every time a manager or HR Specialist who is absent is temporarily replaced. However, the employer must advise the employee of the employer’s need and intention to share health information with a replacement and identify that individual by name and title. This would enable the employee to revoke the consent if he/she does not wish the health information to be shared with the individual replacing the manager or HR Specialist. If and when it becomes necessary to share health information with HR or legal services in order to seek advice, or to obtain approval from senior management with delegated authority, the employee should be informed of the title or office only of the person with whom information will be shared. The employee’s consent would not be required for the employer to be able to do so.

While there’s no debating an employee’s right of control, the degree of transparency required here is very high and operationally challenging in the least. “Person-based consents” (as opposed to “purpose-based consents”) can also restrict important flows of information in subtle yet problematic ways.

The best argument against person-based consents is one that refers to the public policy that is reflected in the Personal Health Information and Protection Act (which does not govern employers acting as employers except via section 49). Even in the health care context – where the standard should be higher, not lower than in the employment context given the limited range of information processed by employers – consent is deemed to exist for a certain purpose and information can flow to any health care provider for that purpose. This is subject to a “lock box” that gives patients the ability to shield their information from specific individuals, but the lock box essentially functions as an opt out. (For the nuances of how PHIPA’s “circle of care” concept works, see here.) Transparency is satisfied by the publication of a “written public statement” (a policy really) that “provides a general description of the custodian’s information practices.” There’s no reason to require more of employers.

OPSEU and Ontario (Treasury Board Secretariat), Re, 2017 CarswellOnt 11994.

Saskatchewan health authority criticized for slow incident response

Good incident response involves nailing your timing – not going too fast or too slow.

On August 17th the Saskstchewan Information and Privacy Commissioner held that a health authority breached the Saskatchewan Health Information Privacy Act by failing to respond to an incident in a timely manner.

The Commissioner’s report does describe a dilatory response – with a discovery of “snooping” in mid October 2015, an investigation that led to a paid suspension at the end of January 2016, notification to the Commissioner at the end of February 2016, notification to the Commissioner towards the end of March that the breach was bigger than first reported and eventual notification to affected individuals in July 2016.

Think and don’t react, and you can even pause to momentarily to gain confidence in a next critical step, but always keep the ball moving.

Investigation Report 030-2016 (17 August 2016, Sask OIPC).

The Saskatchewan OIPC okays health authority’s incident response

On June 8th, the Office of the Saskatchewan Information and Privacy Commissioner issued an investigation report in which it held that a regional health authority responded appropriately to a privacy breach. Most notably, the OIPC reinforced a recommendation about notification included in its 2015 publication, Privacy Breach Guidelines. The recommendation:

Unless there is a compelling reason not to, [health information] trustees should always notify affected individuals.

This is a novel and conservative variation on the normal harms-related principle that guides notification. It is simply a recommendation – and one directed only at public agencies and health information trustees in Saskatchewan. It is notable nonetheless, however, in that it reflects an arguably developing public sector norm. Right or wrong, there is a unique pressure on public sector institutions to notify that should always be considered as part of a public sector institution’s careful response to a data handling incident.

Investigation Report 101-2016 (8 June 2016).

Cybersecurity and data loss (short presentation)

Here’s a 10 minute presentation I gave to the firm yesterday that puts some trends in context and addresses recent breach notification amendments.

CORRECTION. I made a point in this presentation that the Bill 119 amendments to PHIPA remove a requirement to notify of unauthorized “access” – a positive add given the statute does not include a harms-related threshold for notification. Section 1(2) of the Bill, I have now noticed, amends the definition of “use” as follows: “The definition of ‘use’ in section 2 of the Act is amended by striking out ‘means to handle or deal with the information” and substituting ‘means to view, handle or otherwise deal with the information.’ The removal of “access” from the breach notification provision will therefore not invite a change.

IPC says a physician acting as assessor is not a health information custodian

On August 25th the IPC/Ontario held that a physician retained to complete a Custody and Access Assessment Report was not acting as a health information custodian, thereby giving helpful guidance on an issue that has been subject to great confusion.

The IPC explained:

The definition of “health care practitioner” in section 3(1) is premised on the fact that the health care practitioner must be providing health care. Further, “health care” as defined in section 2 of PHIPA must be for a “health-related purpose.” In my view, on the facts of this particular case, the service provided by Dr. Morris was not provided for a health-related purpose, but rather for the purpose of assisting the parents, and possibly the courts, to develop a parenting plan which would function in the best interests of the child. Therefore, and for the further reasons set out below, I find that Dr. Morris was not providing health care when he provided a service in this capacity. Consequently, I find that Dr. Morris was not a “health information custodian” as defined in section 3(1) for the purpose preparing the Custody and Access Assessment Report. As set out below, this interpretation of PHIPA is consistent with the decision of this office in complaint number HC-050014-1, with the policy behind subsection 20(2) of PHIPA, with the decision of the Federal Court of Appeal in Wyndowe v. Rousseau, and with public guidance provided by the Ministry of Health and Long-Term Care in relation to the definition of “health care.”

The IPC also dealt with the Divisional Court decision that has contributed to the confusion – Hooper v College of Nurses of Ontario. The IPC said:

The Divisional Court held that pursuant to section 76 of the Health Professions Procedural Code, being Schedule 2 to the Regulated Health Professions Act, 1991, the investigator appointed by the College of Nurses of Ontario had the jurisdiction to request and use the records from the Sunnybrook and Women’s College Health Sciences Centre. The Divisional Court further held that the Sunnybrook and Women’s College Health Sciences Centre had the jurisdiction to disclose these records to the College of Nurses of Ontario. The Divisional Court stated that the Occupational Health and Safety Department was providing health care and therefore the information contained in the records at issue was personal health information as defined in section 4 of PHIPA. This decision does not discuss how this interpretation of “health care” would more broadly affect the collection, use, and disclosure of personal health information on the basis of assumed implied consent pursuant to section 20(2) of PHIPA.

On my review of this decision, it was not necessary for the Divisional Court to decide whether or not the Occupational Health and Safety Department was providing health care and therefore that the information contained in the records was personal health information. If they were not records of personal health information, the disclosure would not be subject to PHIPA. Alternatively, if they were records of personal health information, the disclosure would be permitted, as the Divisional Court noted, pursuant to sections 9(2)(e) and 43(1)(b) of PHIPA. As a result, the statement by the Divisional Court that the Occupational Health and Safety Department was providing health care and that the information in the records was personal health information is obiter dicta as it was unnecessary to the decision in the case.

The decision in Hooper is difficult to reconcile with that in Wyndowe, where the Federal Court of Appeal confirmed that physicians performing an independent medical examination are not “health information custodians” for the purpose of PHIPA. I note that in the Hooper case, the Divisional Court did not have this office’s interpretation of section 20(2) of PHIPA or the findings in HC-050014-1 before it. In all these circumstances, I am satisfied that the decision in Hooper, as it relates to what constitutes health care and personal health information, is not binding on me.

This is very helpful, in particular to employers who often face an argument that the health care practitioners they retain as assessors and consultants as subject to the “custodial” duties in PHIPA. The only section of PHIPA that typically binds employers and their assessor/consultants is section 49.

Morris (Re), 2015 CanLII 54751 (ON IPC).