IPC decision highlights issues about threat assessment and PHIPA application

On January 31, 2024, the IPC/Ontario ordered the Ontario Medical Association’s Physician Health Program to provide a complainant with access to a draft assessment report, though it permitted the OMA to withhold behavioral information collected in preparing the report.

Many institutions have processes that support behavioral threat assessment – a process by which multi-disciplinary teams (often including medical clinicians) conduct a threat inquiry to gather behavioral information (usually indirectly), assess behaviors and determine whether someone poses a threat to themselves and/or others. The assessment can lead to interventions, medical and otherwise, that are of benefit to the person being assessed.

The OMA’s Physician Health Program appears to be a threat assessment program, though its mandate is vague, and involves “education; support and referral; assessment; and monitoring and advocacy.” And in responding to an IPC complaint about its access request denial, the OMA argued it was a health information custodian engaged primarily in the provision of health care. The IPC re-articulated the position as follows:

[16] The OMA PHP describes its monitoring function as “first and foremost a clinical service provided to an individual physician or learner to assist in the maintenance of their health in the context of recovery from a mental health or substance use disorder.” This may involve collecting clinical information, providing clinical opinions, and reviewing urine, hair, blood, or other toxicological tests.

[17] Overall, the OMA PHP states that its employees provide services “to maintain an individual’s mental condition, … to promote health, and in the case of clients already diagnosed, to prevent disease in the form of recurrence,” all of which it states fall under the definition of “health care.”

This position drove the outcome, given that PHIPA grants a very broad right of access to personal health information. The OMA was left with no valid basis to shield its draft report, even though the IPC has held that assessment is different from providing health care. The IPC did find that the (critical and sensitive) behavioral reports made to the OMA could be withheld on the basis of section 52(3), which applies to records “not… dedicated primarily to personal health information about the individual requesting access” and permits reasonable severance.

Threat assessment can and should be framed as beneficial to the person being assessed, which is important because it aligns threat assessment with the duty not to discriminate against individuals with disabilities. In other words, threat assessment is an aspect of accommodating disability and meeting institutional health and safety duties. Threat assessment is both a lawful and critical process.

This framing does not make threat assessment health care, nor should it ever be treated as health care in my view. The interventions that threat assessment invites are meant to help in the medium and long term, but in the short term they are about the restriction of privileges (e.g., of practicing, working, attending school) based on the assessed risk. There is therefore a conflict in striving to be both a health care provider and a threat assessor, and individuals under assessment must know the true nature of the process with which they are engaged. Are you my doctor? Or are you working for the institution? If threat assessment is framed as assessment, even if it is conducted by medical clinicians, PHIPA will not apply.

Ontario Medical Association Physician Health Program (Re), 2025 CanLII 9695 (ON IPC), <https://canlii.ca/t/k9ftg>, retrieved on 2025-07-17.

Ontario (M)FIPPA institutions, file encryption, and breach notification – a hint

As most of you know, the Ontario IPC released four decisions in the summer relating to breach reporting and notification obligations under PHIPA and the CYFSA. One controversial finding (which is subject to a judicial review application) is that the encryption of files by ransomware actors triggers an unauthorized use and a loss of personal and personal health information. Given there is no risk-based threshold for reporting and notification in PHIPA, custodians and service providers must report and notify in respect of this particular kind of breach, even if the threat actors have not stolen or laid eyes on the information.

Leaving legal analysis aside, I’ll say that this is odd policy that has led to odd questions about who is affected by file encryption. Do we really care? Does this have any meaning to “affected” individuals?

The negative impact is that it threatens the clarity of communications about matters that institutions need to communicate clearly: “Yes, there’s been a privacy breach, but the threat actor(s) didn’t steal or view your information. And information has been ‘lost,’ but not lost as in ‘stolen.’” 🤦🏽‍♂️

One can honestly question whether there is any public good in this garble. The IPC has lobbied for cyber incident reporting, which this interpretation of PHIPA and the CYFSA effectively achieves. Cyber incident reporting should be brought in properly, through legislation, and leave out the notification obligation.

But how far does the finding extend?

The four decisions released in the summer left a question about how the encryption finding would apply to MFIPPA and FIPPA institutions, which are encouraged (but not yet legally required) to report and notify based on the “real risk of significant harm” standard. This standard will become a legal imperative when the provisions of Bill 194 come into force.

On December 10, the IPC issued a privacy complaint report that addressed file encryption at an MFIPPA institution and (in qualified terms) held that notification was not required. Mr. Gayle explained:

As the affected personal information remains encrypted and the police’s investigation found no evidence of exfiltration, it is not clear whether the breach “poses a real risk of significant harm to [these individuals], taking into consideration the sensitivity of the information and whether it is likely to be misused”. As such, it is not clear whether the police should have given direct notice of the breach to affected individuals in accordance with the IPC’s Privacy Breach Guidelines.

However, I am mindful of the fact that the police provided some notice to the public about the extent of the ransomware attack, and of the investigative and remedial steps they took to address it. I am also mindful of the fact that the breach occurred more than three years ago.

For these reasons, I find that it would serve no useful purpose in recommending that the police renotify affected individuals of the breach in accordance with the IPC’s Privacy Breach Guidelines and, as a result, do not need to decide whether the breach in this case met the threshold of “real risk of significant harm to the individual”.

This is helpful guidance, and should allow MFIPPA and FIPPA institutions to respond to matters with the clearest possible communication.

Sault Ste. Marie Police Services Board (Re), 2024 CanLII 124986 (ON IPC).

US court finds that visitors to health care provider web pages don’t leave a trail of their protected health information behind

On June 20, the U.S. District Court for the Northern District of Texas held that the US Department of Health and Human Services exceeded its authority by issuing a guidance bulletin that warned HIPAA-regulated entities that tracking visitors to web pages with content about health conditions or health care providers is governed by the HIPAA privacy rule.

The HHS concern is focused on the disclosure of “protected health information” or “PHI” to tracking vendors, given that such disclosures are subject to particular legal requirements. Similar to the law in Ontario, PHI is only information about an identifiable individual that “relates to” the provision of health care.

The HHS bulletin distinguishes the following two scenarios to explain when the HIPAA privacy rule does and does not apply:

  • For example, if a student were writing a term paper on the changes in the availability of oncology services before and after the COVID-19 public health emergency, the collection and transmission of information showing that the student visited a hospital’s webpage listing the oncology services provided by the hospital would not constitute a disclosure of PHI, even if the information could be used to identify the student.
  • However, if an individual were looking at a hospital’s webpage listing its oncology services to seek a second opinion on treatment options for their brain tumor, the collection and transmission of the individual’s IP address, geographic location, or other identifying information showing their visit to that webpage is a disclosure of PHI to the extent that the information is both identifiable and related to the individual’s health or future health care.

The Court held that the required connection between the information and the provision of health care cannot be based on the subjective intent of visitors if the website does not collect any information about subjective intent. Without such a collection, the Court held, there is only a “speculative inference” about the visitor’s health and interest in or need for health care, too weak a connection to meet the “relates to” criterion.

American Hospital Association v Becerra, 2024 WL 3075865.

Arbitrator distinguishes Hooper, gives counsel direct access to disability management file

The Ontario law governing disability management and occupational health records is in disarray, though that did not stop an Ontario arbitrator from reaching the correct outcome in a decision released in November of last year. Arbitrator Colin Johnston held that neither the Personal Health Information Act nor the Occupational Health and Safety Act precluded a hospital from providing its disability management file to its legal counsel so counsel could review it for production purposes.

Although the right outcome, Arbitrator Johnston reached it through (understandably) conservative means, distinguishing the Orillia Soldiers’ Memorial Hospital case which precluded such a disclosure and the Divisional Court decision in Hooper. Further correction is required, as I argue here.

Health Sciences North v Ontario Nurses’ Association, 2022 CanLII 106545 (ON LA).

Court says access parent’s right to information limited by children’s privacy rights

On October 12th of last year the Ontario Superior Court of Justice considered the interplay between an access parent’s right to information under section 20(5) of the Children’s Law Reform Act and the privacy rights granted by the Personal Health Information Protection Act. It held that the right to information is qualified by a child’s best interest, and that a privacy right claimed by a child with capacity under PHIPA is a relevant factor.

Section 20(5) of the CLRA says:

The entitlement to parenting time with respect to a child includes the right to visit with and be visited by the child, and includes the same right as a parent to make inquiries and to be given information about the child’s well-being, including in relation to the child’s health and education.

The Court addressed a motion brought by a father for access to his children’s health and counselling files. He had sought access under PHIPA and was denied because the children – both deemed to have capacity – withheld their consent. The father brought a motion in Family Court, relying both on Section 20(5) and seeking production of third-party records under the Family Law Rules, arguing the records were relevant to his claims of parental alienation and other parenting issues to be determined by the Court.

The Court read section 20(5) together with section 28(8), a new provision of the CLRA that qualifies the right to information as being “subject to any applicable laws.” It said:

This new statutory reference to a Court being able to “order otherwise” is a specific reminder that the right in 20(5) is not absolute. Internally, the right must be interpreted through the lens of the best interest principle, as all decisions affecting children are: see again section 19(a) of the Children’s Law Reform Act; see 24(1); and see also Children’s Lawyer for Ontario v. Ontario (Information and Privacy Commissioner), 2018 ONCA 559 ¶58-61.

The new, statutory subjugation of the right in section 20(5) externally “to any applicable laws” codifies what was already happening, namely that courts should consider the operation of other laws, like the PHIPA, when considering the scope of the right. Another example of another “applicable law” that can interact with the right in section 20(5) would be the common law of privilege: see M.(A.) v. Ryan, 1997 CanLII 403 (SCC), [1997] 1 S.C.R. 157.

The reference to “subjugation” is somewhat misleading given the Court affirmed its power to make an order under the CLRA based on the best interests principle and affirmed that such an order would bind health information custodians despite PHIPA. Section 20(5) is only subjugated to PHIPA in that PHIPA rights are a factor (and arguably a strong factor) in the best interests analysis.

On the facts, the Court held there was no basis for an order under section 20(5) but there was a basis for a limited production order (based on fairness considerations) under the Family Law Rules.

L.S. v. B.S., 2022 ONSC 5796 (CanLII).

IPC/Ontario issues basic cyber hygiene decision

On July 5th, the IPC/Ontario held that an Ontario medical clinic breached its PHIPA safeguarding duties by:

  • Allowing staff to use personal e-mail accounts to send patient information, provided staff referred to patients only by initials, medical reference numbers or accession numbers
  • Allowing the posting of login credentials (on sticky notes or the equivalent) to enable shared access to two computers
  • Failing to abide by the IPC’s model for agent information and instruction, which requires annual privacy training and the re-signing of confidentiality agreements on an annual basis

The clinic self-corrected upon receiving the complaint, but not without defending its posting of login credentials by explaining that the two computers were physically secure and did not contain patient information. It shouldn’t have bothered. Its information and instruction failure aside, the clinic committed plain and basic network security wrongs. The IPC’s decision is notable for calling them out.

A Medical Clinic (Re), 2022 CanLII 61410 (ON IPC).

Developmental service agency not a health information custodian

On October 29th, the Information and Privacy Commissioner/Ontario held that an organization operating as a service agency under the Services and Supports to Promote the Social Inclusion of Persons with Developmental Disabilities Act is not a health information custodian under the Personal Health Information Protection Act.

The issue of the organization’s status came up in an appeal of its access decision. The organization acted as if subject to PHIPA, but the adjudicator raised its status as a preliminary issue, and ultimately held that PHIPA did not govern the request because the organization was not providing a service for community health “whose primary purpose is the provision of ‘health care’.”

Although the organization both handles medical information in providing its services and contributes to the enhancement of individual health, the IPC held that its primary role is the coordination of service and not the provision of health care. It explained:

[34] In my view, what is common to each of the six services offered by SCS is SCS’ role as a coordinator for, or link to, a wide range of services offered by third parties to individuals with developmental disabilities and/or autism. It is a role of coordination between these individuals (or their family members) and third-party services, which may include assessing each individual’s needs and/or preferences, and matching them to various types of programs in the community. The effect of the individuals’ participation in those third-party programs may well be that it enhances their health, but that does not transform SCS’ role into one that can be described as having a primary purpose of providing health care. In my view, it would be too broad a reading of “health care” to find that SCS’ primary purpose is the provision of health care.

[35] It is true that SCS serves members of the community who have health challenges. The complainant states that these individuals “have other health issues including mental and neurological diagnoses, speech-language impairments and complex health needs often requiring 24 hours supervision.” However, the fact SCS’ client base has health challenges does not mean that SCS’ primary purpose is the delivery of health care. With respect to the status of third party entities to whom SCS refers for services, I am not satisfied that their status is relevant to the question of whether SCS itself is a HIC. Assuming, without deciding, that at least some of those third party entities are HICs under PHIPA, that does not mean that SCS itself, as a coordinating agency, is a HIC.

This is a good reminder that organizations do not become health information custodians merely by handling medical information or by employing regulated health professionals. They must engage in the provision of “health care,” which the IPC has defined narrowly in this decision and others.

Service Coordination Support (Re), 2020 CanLII 85021 (ON IPC).

IPC wades into shadow IT mess, may never again

The Information and Privacy Commissioner/Ontario issued a decision about a security incident on July 9th in which it made clear, after participating in a health information custodian’s efforts to recover lost data, that this burden falls on custodians alone.

The incident involved a clinician at an unnamed rehabilitation clinic and her estranged spouse, who reported to the clinic that he possessed 164 unique files containing the personal health information of 46 clinic clients on two computers that belonged to the clinician. The clinician explained the existence of the files as an inadvertent by-product of secure remote access, though the files appear to have been purposely moved from temporary storage to a Google Drive at some point, possibly by the spouse.

The spouse was not particularly cooperative. This led the IPC, which the clinic had notified, to engage with the spouse together with the clinic over a period of several months. The IPC took the (questionable) position that the spouse was in breach of duties under section 49(1) of PHIPA.

In the course of these dealings the spouse reported he had also received e-mails with attached assessment reports from the clinician for printing purposes. The clinician said she had thought she had adequately de-identified the reports, though one included a full patient name and others (as the IPC held) contained ample data to render patients identifiable.

All of the detritus was eventually deleted to the satisfaction of the clinic and the IPC. The clinic reconfigured its means of providing secure remote access to address the risk of local storage and beefed up its administrative policies and training. There is no mention of implementing a data loss prevention solution.

The IPC decision is notable for two points.

First, the IPC made clear that custodians should not rely on the IPC to help with data recovery (which can be very expensive):

It is clear that interactions between the Clinic and the Spouse had been very challenging, chiefly due to the Spouse’s changing positions throughout this investigation. However, the obligations on a health information custodian to contain the breach remain, even in the face of challenging circumstances. The Privacy Breach Guidelines are clear that there is an obligation on the health information custodian to retrieve any copies of personal health information that have been disclosed and ensure that no copies of personal health information have been made or retained by anyone who was not authorized to receive the information. Nothing in the legislation or these guidelines transfers this obligation to the IPC.

Second, the clinic was less skeptical of the clinician than it might otherwise have been, and did not issue discipline. The IPC accepted this, and re-stated its deferential position on employee discipline as follows:

With respect to the Clinic’s decision, I am satisfied that it was reasonable in the circumstances. This office has stated that its role is not to judge the severity or appropriateness of sanctions taken by a custodian against its agents (see PHIPA Decision 74). However, the IPC can take into account a custodian’s disciplinary response as part of its assessment of whether the custodian has taken reasonable steps to protect personal health information against unauthorized access.

A Rehabilitation Clinic (Re), 2020 CanLII 45770 (ON IPC).

IPC/Ontario determines what’s reasonable to include in a drug prescription

On April 20th, the IPC/Ontario held that it is reasonable to include a patient’s first and last name, address, telephone number and date of birth on an Ontario drug prescription.

First name, last name, address and telephone number can be included as primary identifiers, with the telephone number element also enabling communication. The IPC accepted that date of birth can also be included because it is an immutable identifier (unlike address and phone number) and also contributes to the prevention of dosing errors (because dosage can depend on age).

The IPC also held that OHIP number can be included on prescriptions for controlled substances because it is required by section 5 of Ontario Regulation 381/11.

Women’s College Hospital (Re), 2020 CanLII 31115 (ON IPC).