Sask CA says how to interpret access rights, and addresses various standards for proof of harm

On January 28, 2025, the Court of Appeal for Saskatchewan held that Saskatchewan Government Insurance could rightly withhold a report that questioned an individual’s fitness to drive based on a Health Information Protection Act discretionary exemption that permits a trustee to refuse access if “disclosure of the information could interfere with a lawful investigation or be injurious to the enforcement of an Act or regulation.”

The Court firstly held that the lower court erred in reading the exemption to apply only if the disclosure could interfere with “an existing or identifiable prospective investigation.” In doing so, the Court made an important point about purposive analysis and access-granting statutes, finding that one ought not give weight to the purpose of an access-granting statute without also giving weight to the purpose of the applicable exception to the granted right of access. It said:

[45] …in a case pitting a right of access against an exception to it, a court must not let the broad purpose of legislation granting rights of access overtake the exercise of properly interpreting provisions that provide exemptions. As always, the modern approach demands that the court must begin the interpretative exercise with attention to the words of the statute, as used in the context of the statute. It also requires that the interpreter consider statutory purpose in a somewhat broader sense than did the judge in this case. This idea is explained in Sullivan, as follows:

§9.02[1] Introduction

In its broadest sense, legislative purpose refers not only to the material goals the legislature hoped to achieve but also to the reasons underlying each feature of the implementing scheme. It asks the question why: why this legislation? why this arrangement of powers? why this direction or rule? why this turn of phrase? In purposive analysis every feature of legislation from the overall conception to the smallest linguistic detail is presumed to be there for a reason. It is presumed to address a concern, anticipate a difficulty, or in some way promote the legislature’s goals.

[43] In short, in a case like this, the interpreter must have regard not only to the purpose of the legislation as a means to extend rights of access to information but also must be mindful of the objectives that stand behind the exceptions themselves. This is because exemptions, such as found in s. 38(1)(f), are the mechanism chosen by the Legislature to achieve the balance between, on the one hand, rights of access and, on the other hand, society’s interest in maintaining the confidentiality of some types of information. In this case, the judge’s singular focus on the purpose that lies behind the right of access found in s. 32 of HIPA was therefore too narrow.

The court also interpreted the word “could” in the applicable exemption to impose an “objective possibility” proof of harm standard, a lower standard than the standard that arises from the words “could reasonably be expected to” (which the Supreme Court of Canada said in Merck requires proof of harm that is “more than a mere possibility”).

The question for privacy lawyers, then, is whether a “real risk” (as in “real risk of significant harm”) requires proof of an “objective possibility” of harm or proof of harm that is “more than a mere possibility.” The text might go either way in my view, and as in this case, one ought not let the purpose of breach notification eclipse the purpose of the standard itself, which is to set a threshold and protect against notification fatigue and other harms associated with over-notification.

Saskatchewan Government Insurance v Giesbrecht, 2025 SKCA 10 (CanLII).

US court finds that visitors to health care provider web pages don’t leave a trail of their protected health information behind

On June 20, the U.S. District Court for the Northern District of Texas held that the US Department of Health and Human Services exceeded its authority by issuing a guidance bulletin that warned HIPAA-regulated entities that tracking visitors to web pages with content about health conditions or health care providers is governed by the HIPAA privacy rule.

The HHS concern is focused on the disclosure of “protected health information” or “PHI” to tracking vendors given such disclosures are subject to particular legal requirements. Similar to the law in Ontario, PHI is only information about an identifiable individual that “relates to” the provision of health care.

The HHS bulletin distinguishes the following two scenarios to explain when the HIPAA privacy rule does and does not apply:

  • For example, if a student were writing a term paper on the changes in the availability of oncology services before and after the COVID-19 public health emergency, the collection and transmission of information showing that the student visited a hospital’s webpage listing the oncology services provided by the hospital would not constitute a disclosure of PHI, even if the information could be used to identify the student.
  • However, if an individual were looking at a hospital’s webpage listing its oncology services to seek a second opinion on treatment options for their brain tumor, the collection and transmission of the individual’s IP address, geographic location, or other identifying information showing their visit to that webpage is a disclosure of PHI to the extent that the information is both identifiable and related to the individual’s health or future health care.

The Court held that the required connection between the information and the provision of health care cannot be based on the subjective intent of visitors if the website does not collect any information about subjective intent. Without such a collection, the Court held, there is only a “speculative inference” about the visitor’s health and interest in or need for health care, too weak a connection to meet the “relates to” criterion.

American Hospital Association v Becerra, 2024 WL 3075865.

IPC/Ontario issues basic cyber hygiene decision

On July 5th, the IPC/Ontario held that an Ontario medical clinic breached its PHIPA safeguarding duties by:

  • Allowing staff to use personal e-mail accounts to send patient information provided staff referred to patients only by initials, medical reference numbers or accession numbers
  • Allowing the posting of login credentials (on sticky notes or the equivalent) to enable shared access to two computers
  • Failing to abide by the IPC’s model for agent information and instruction, which requires annual privacy training and the re-signing of confidentiality agreements on an annual basis

The clinic self-corrected upon receiving the complaint, but not without defending its posting of login credentials by explaining that the two computers were physically secure and did not contain patient information. It shouldn’t have bothered. Its information and instruction failure aside, the clinic committed plain and basic network security wrongs. The IPC’s decision is notable for calling them out.

A Medical Clinic (Re), 2022 CanLII 61410 (ON IPC).

Developmental service agency not a health information custodian

On October 29th, the Information and Privacy Commissioner/Ontario held that an organization operating as a service agency under the Services and Supports to Promote the Social Inclusion of Persons with Developmental Disabilities Act is not a health information custodian under the Personal Health Information Protection Act.

The issue of the organization’s status came up in an appeal of its access decision. The organization acted as if subject to PHIPA, but the adjudicator raised its status as a preliminary issue, and ultimately held that PHIPA did not govern the request because the organization was not providing a service for community health “whose primary purpose is the provision of ‘health care’.”

Although the organization both handles medical information in providing its services and contributes to the enhancement of individual health, the IPC held that its primary role is the coordination of service and not the provision of health care. It explained:

[34] In my view, what is common to each of the six services offered by SCS is SCS’ role as a coordinator for, or link to, a wide range of services offered by third parties to individuals with developmental disabilities and/or autism. It is a role of coordination between these individuals (or their family members) and third-party services, which may include assessing each individual’s needs and/or preferences, and matching them to various types of programs in the community. The effect of the individuals’ participation in those third-party programs may well be that it enhances their health, but that does not transform SCS’ role into one that can be described as having a primary purpose of providing health care. In my view, it would be too broad a reading of “health care” to find that SCS’ primary purpose is the provision of health care.

[35] It is true that SCS serves members of the community who have health challenges. The complainant states that these individuals “have other health issues including mental and neurological diagnoses, speech-language impairments and complex health needs often requiring 24 hours supervision.” However, the fact SCS’ client base has health challenges does not mean that SCS’ primary purpose is the delivery of health care. With respect to the status of third party entities to whom SCS refers for services, I am not satisfied that their status is relevant to the question of whether SCS itself is a HIC. Assuming, without deciding, that at least some of those third party entities are HICs under PHIPA, that does not mean that SCS itself, as a coordinating agency, is a HIC.

This is a good reminder that organizations do not become health information custodians merely by handling medical information or by employing regulated health professionals. They must engage in the provision of “health care,” which the IPC has defined narrowly in this decision and others.

Service Coordination Support (Re), 2020 CanLII 85021 (ON IPC).

In snooping investigations, disclose the logs

When an employer confronts an employee with an allegation of improper access to personal information, it is important to give the employee the event log data that proves the allegation. It may often be voluminous and difficult to interpret, but presenting a general allegation or summarizing events without particulars will give the employee a good reason to deny the allegation.

This is what happened in this very illustrative British Columbia case in which an arbitrator held he could not infer dishonesty from the grievor’s initial failure to admit wrongdoing because the grievor had not been given log data. Also, if an employee continues to deny responsibility, log data can be difficult to rely upon; even if it can be established to be authentic, there are issues about presenting log data in a meaningful and privacy-protective way. An early admission can go a long way.

Fraser Health Authority (Royal Columbian Hospital) v British Columbia Nurses’ Union, 2017 CanLII 72384 (BC LA).

Who’s the HIC?

Who is the “health information custodian” when an institution with an educational mandate provides health care? PHIPA gives institutions choice. Here’s a presentation I gave yesterday in which I argue that the institution (and not its employed practitioners) should assume the role of the HIC. Also includes some simple content on the new PHIPA breach notification amendment.

Privacy and accommodation of disability in Ontario

Last week I sat on a panel about privacy and the accommodation of disability. I sat opposite union counsel Andrew Astritis from Raven Cameron, and Emma Phillips of Goldblatt Partners moderated. Andrew and Emma both know privacy law well, and we had a fun, engaging and even balanced discussion! I’ve put my “paper” and speaking notes below.

Raw test data disclosed over doc’s objection

On July 29th, the Supreme Court of British Columbia ordered raw test data to be produced over the objection of the plaintiff’s (neuropsychologist) expert, who claimed her professional obligations restricted her from disclosing the data forming the foundation of her expert report to anyone but another neuropsychologist. It said:

Counsel for the applicant defendant correctly submits that there is nothing in the Code of Conduct to substantiate the apparent position of the College of Psychologists of BC that test material cannot be released except to another psychologist or psychological service provider in another jurisdiction. He is correct. That is not what the Code of Conduct states.

The Court noted that not all experts are equal in interpreting data, but held that the quality of interpretation is a matter for trial.

Smith v Rautenberg, 2013 BCSC 1347 (CanLII).

In dispute over custodianship of medical files, balance favours established clinic

On May 22nd the Ontario Superior Court of Justice ordered medical files to be returned to a clinic by a departing doctor who claimed she had an independent practice and was the legal custodian of the files.

Justice Perell dismissed the defendant’s argument that a corporation could not be a “health information custodian” under the Personal Health Information Protection Act and held that the plaintiff clinic had made out a strong prima facie case that it had such status. His suggestion that the defendant was also a health information custodian could best be understood as a function of the qualified burden of proof on an interlocutory motion given, under PHIPA, there can be only one custodian of a record of personal health information.

Justice Perell’s balance of convenience analysis is noteworthy. He said the following about the public interest in providing patients with access to their personal health information pending final resolution of the dispute:

In considering the balance of convenience, it is appropriate to consider the interests of the patients whose health records have been removed from a health clinic to the home of a health care practitioner. In my opinion, a patient will have better access to his or her health records and the health care practitioner who will treat the patient during Dr. Simon’s semi-retirement will have better access to the health records if the records are at professional offices with normal business hours and full-time staff.

A plaintiff in a similar situation could similarly attempt to make a case for return of records based on a claim to relatively superior security measures, though the stakes of pursuing such an approach would be high.

Note that the plaintiff consented to a term permitting the defendant doctor to make copies of any file relating to a patient she had treated. This is a sensible thing to offer in a dispute over custodianship, but again, is inconsistent with the single custodian rule.

1615540 Ontario Inc. carrying on business as Healing Hands Message v Simon, 2013 ONSC 2986 (CanLII).

Court orders safekeeping of medical records held by departed employee

On March 7th, the Ontario Superior Court of Justice issued an order to secure medical records held by a former employee of an addiction clinic.

The employee had copies of urinalysis reports stored on her personal e-mail account at the time of termination because she had used her personal e-mail account for work purposes. She allegedly used her continuing possession of the e-mails to extort the employer into offering reinstatement and later refused to return the e-mails, arguing they were evidence of the employer’s wrongdoing. (It is not clear from the decision what wrongdoing the employee alleges.)

The Court granted an ex parte order after applying the test for an Anton Piller order. Notably, the order required the employee to turn control of her e-mail account to an independent supervising solicitor authorized to copy and retain the e-mails, delete the e-mails on the account and return control of the account to the employee. The Court authorized the employer to serve the order by e-mail.

Garber v Robinson, 2013 ONSC 1427 (CanLII).