Here is the paper I submitted when participating on a panel at the LSO’s Human Rights Summit last week. The title speaks to the content, which is about the wart that is the Divisional Court finding in Hooper v. College of Nurses of Ontario. Time for Hooper to go.
On October 29th, the Information and Privacy Commissioner/Ontario held that an organization operating as service agency under the Services and Supports to Promote the Social Inclusion of Persons with Developmental Disabilities Act is not a health information custodian under the Personal Health Information Protection Act.
The issue of the organization’s status came up in an appeal of its access decision. The organization acted as if subject to PHIPA, but the adjudicator raised its status as a preliminary issue, and ultimately held that PHIPA did not govern the request because the organization was not providing a service for community health “whose primary purpose is the provision of ‘health care’.”
Although the organization both handles medical information in providing its services and contributes to the enhancement of individual health, the IPC held that its primary role is the coordination of service and not the provision of health care. It explained:
 In my view, what is common to each of the six services offered by SCS is SCS’ role as a coordinator for, or link to, a wide range of services offered by third parties to individuals with developmental disabilities and/or autism. It is a role of coordination between these individuals (or their family members) and third-party services, which may include assessing each individual’s needs and/or preferences, and matching them to various types of programs in the community. The effect of the individuals’ participation in those third-party programs may well be that it enhances their health, but that does not transform SCS’ role into one that can be described as having a primary purpose of providing health care. In my view, it would be too broad a reading of “health care” to find that SCS’ primary purpose is the provision of health care.
 It is true that SCS serves members of the community who have health challenges. The complainant states that these individuals “have other health issues including mental and neurological diagnoses, speech-language impairments and complex health needs often requiring 24 hours supervision.” However, the fact SCS’ client base has health challenges does not mean that SCS’ primary purpose is the delivery of health care. With respect to the status of third party entities to whom SCS refers for services, I am not satisfied that their status is relevant to the question of whether SCS itself is a HIC. Assuming, without deciding, that at least some of those third party entities are HICs under PHIPA, that does not mean that SCS itself, as a coordinating agency, is a HIC.
This is a good reminder that organizations do not become health information custodians merely by handling medical information or by employing regulated health professionals. They must engage in the provision of “health care,” which the IPC has defined narrowly in this decision and others.
The Information and Privacy Commissioner/Ontario issued a decision about a security incident on July 9th in which it made clear, after participating in a health information custodians’ efforts to recover lost data, that this burden falls on custodians alone.
The incident involved a clinician at an unnamed rehabilitation clinic and her estranged spouse, who reported to the clinic that he possessed 164 unique files containing the personal health information of 46 clinic clients on two computers that belonged to the clinician. The clinician explained the existence of the files as an inadvertent by-product of secure remote access, though the files appear to have been purposely moved from temporary storage to a Google Drive at some point, possibly by the spouse.
The spouse was not particularly cooperative. This led the IPC, which the clinic had notified, to engage with the spouse together with the clinic over a period of several months. The IPC took the (questionable) position that the spouse was in breach of duties under section 49(1) of PHIPA.
In the course of these dealings the spouse reported he had also received e-mails with attached assessment reports from the clinician for printing purposes. The clinician said she had thought she had adequately de-identified the reports, though one included a full patient name and others (as the IPC held) contained ample data to render patients identifiable.
All of the detritus was eventually deleted to the satisfaction of the clinic and the IPC. The clinic reconfigured its means of providing secure remote access to address the risk of local storage and beefed up its administrative policies and training. There is no mention of implementing a data loss prevention solution.
The IPC decision is notable for two points.
First, the IPC made clear that custodians should not rely on the IPC to help with data recovery (which can be very expensive):
It is clear that interactions between the Clinic and the Spouse had been very challenging, chiefly due to the Spouse’s changing positions throughout this investigation. However, the obligations on a health information custodian to contain the breach remain, even in the face of challenging circumstances. The Privacy Breach Guidelines are clear that there is an obligation on the health information custodian to retrieve any copies of personal health information that have been disclosed and ensure that no copies of personal health information have been made or retained by anyone who was not authorized to receive the information. Nothing in the legislation or these guidelines transfers this obligation to the IPC.
Second, the clinic was less skeptical of the clinician than it might otherwise have been, and did not issue discipline. The IPC accepted this, and re-stated its deferential position on employee discipline as follows:
With respect to the Clinic’s decision, I am satisfied that it was reasonable in the circumstances. This office has stated that its role is not to judge the severity or appropriateness of sanctions taken by a custodian against its agents (see PHIPA Decision 74). However, the IPC can take into account a custodian’s disciplinary response as part of its assessment of whether the custodian has taken reasonable steps to protect personal health information against unauthorized access.
On April 20th, the IPC/Ontario held that it is reasonable to include a patient’s first and last name, address, telephone number and date of birth on an Ontario drug prescription.
First name, last name, address and telephone number can be included as primary identifiers, with the telephone number also enabling communication. The IPC accepted that date of birth can also be included because it is an immutable identifier (unlike address and phone number) and also contributes to the prevention of dosing errors (because dosage can depend on age).
The IPC also held that OHIP number can be included on prescriptions for controlled substances because it is required by section 5 of Ontario Regulation 381/11.
The IPC/Ontario has issued a significant decision about information governance under the Personal Health Information Protection Act. Specifically, it held that a hospital that gives a physician access to an electronic medical record for use in private practice is a health information custodian together with the physician, but that it can retain a duty to notify of a breach arising out of the private practice.
The hospital maintained an EMR system and gave access to its credentialed physicians and their employees for use in private practice. Employees in two such private practices accessed EMRs without authorization. The hospital notified affected patients and reported the breach to the IPC, which led the IPC to investigate.
In the course of the investigation it came to light that some of the employees had shared their login credentials with others outside of the hospital, apparently to enable health care. The employees also apparently accessed some records (for non-health care purposes) with the consent of friends or family members. Both of these actions violated hospital policy.
The IPC held that the access enabled by credential sharing and the access made with the consent of family members was made in breach of PHIPA. Although a more benign form of unauthorized access, the IPC found a breach based on section 10(2) of PHIPA, which states, “A health information custodian shall comply with its information practices.”
Regarding the identity of the custodian, the IPC held that both the hospital and the two private practice physicians were custodians in the circumstances – the physicians being custodians “when they access patient information in [the EMR] for the purpose of providing health care to their private practice patients.” Such access, the IPC explained, involves a disclosure by the hospital and a collection by the physicians; in this context the physicians were not the hospital’s agents.
Despite the physicians’ custodianship, the IPC held it was appropriate for the hospital to notify in the circumstances. It said:
 In the cases under review, THP and the private practice physicians also treated THP as the health information custodian responsible for notifying affected individuals of the private practice employees’ unauthorized accesses in THP’s EMR. In these circumstances, I agree that THP was the appropriate party to give notice under section 12(2) of PHIPA. As the health information custodian who maintains the EMR, THP was best placed to discover and investigate the extent of the employees’ activity in the EMR, identify all the parties whose personal health information had been accessed without authority, and initiate contact with these individuals, all of whom are THP patients, but some of whom may not have any relationship with the particular private practice physician for whom the employee worked. In these cases, notification by THP was appropriate, taking into account not only the language of section 12(2) but also the interests of the affected individuals.
 I also agree with THP that in some circumstances, notification by the collecting custodian may be more appropriate, and a reasonable approach to fulfilling the notice obligation in section 12(2). For example, in a case where the private practice physician has a more significant relationship with the patient whose privacy was breached, notice from that physician (rather than from the custodian who disclosed the information) may be prudent. So long as the notice is given as required upon the events described in section 12(2) (and complies with the other requirements of that section), I agree with THP that circumstances such as the patient’s interests and the relationships between the patients and the various custodians involved may be relevant factors in deciding how best to fulfil the notification obligation. I am not persuaded that applying such an approach to notification in future cases would have the consequences of discouraging hospitals from adopting EMR technologies, or from participating in broader initiatives like a provincial electronic health record system.
The kind of shared accountability invited by this decision can cause confusion and risk. It will behoove hospitals and other custodians who provide shared access to their EMR systems to be very clear and detailed in establishing who is responsible for what. The hospital in this case, for example, decided post-incident to make more clear that physicians who are given outside access are responsible for training and supervising their employees. It also expressly obligated physicians to participate in privacy investigations arising from the actions of an employee.
The IPC’s finding on who provides notification is very qualified, and rests partly on the fact that the hospital in this case voluntarily provided notification to affected individuals. While taking control of notification may be beneficial to hospitals that maintain and provide third-party access to EMR systems, providing notification may also signal responsibility for a breach and for related risks over which hospitals have little or no control. The hospital in this case dealt with this tension by stipulating to its physicians that they may be named in hospital notification letters “as being responsible for the breach.” Other hospitals may wish to require physicians to give notice themselves in certain circumstances. The IPC’s decision does not appear to preclude such alternatives.
On January 24th, the IPC/Ontario held that a health information custodian has no obligation to correct a health care record of a child whose joint custody parents (with equal decision-making authority) are in dispute about whether a correction should be made. It made clear that custodians are not required to canvass both equally ranking parents, but held that a correction request should be denied when a conflict is apparent.
On January 6th, Justice Morgan certified a class proceeding that was based on a nurse’s unauthorized access to very basic personal health information – patient status and allergy information – so she could obtain prescription drugs.
Although there were no damages to support a negligence claim, Justice Morgan held that the cause of action criterion for certification of a privacy breach claim was met because, “an infringement of privacy can be ‘highly offensive’ without being otherwise harmful in the sense of leading to substantial damages.” (IMHO, this is correct.)
In otherwise assessing the quality of the nurse’s infringement, Justice Morgan distinguished Broutzas, in which Justice Perell declined to certify an action, in part, because the theft of address information from patients who had given birth at a hospital was not “highly offensive.” Justice Morgan said:
Counsel for the Plaintiff takes issue with this analysis. In the first place, he points out that the factual context of the Rouge Valley case is distinguishable from the case at bar in one important way: the patients/claimants in [Broutzas] were all in the hospital for the birth of a baby, which is perhaps the least confidential of reasons. Indeed, Perell J. recited the factual background of each patient making a claim in that case, and observed that one had announced their child’s birth and circulated photos of the new baby on social media, while another had done a Facebook posting in celebration of the birth of their new baby at the defendant hospital: Ibid, paras. 97, 106. As Plaintiff’s counsel here points out, the expectation of privacy in such circumstances is negligible.
Fair enough, but it’s nonetheless quite clear that not all judges value privacy the same way. The uncertainty in judge-made privacy law is palpable.
When an employer confronts an employee with an allegation of improper access to personal information, it is important to give the employee the event log data that proves the allegation. That data may often be voluminous and difficult to interpret, but presenting a general allegation or summarizing events without particulars will give the employee a good reason to deny the allegation.
This is what happened in this very illustrative British Columbia case, in which an arbitrator held he could not infer dishonesty from the grievor’s initial failure to admit wrongdoing because the grievor had not been given the log data. Also, if an employee continues to deny responsibility, log data can be difficult to rely upon; even if it can be established to be authentic, there are issues about presenting log data in a meaningful and privacy-protective way. An early admission can go a long way.
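One way to prepare the kind of particularized, privacy-protective log excerpt discussed above, as an added illustration (this is not code from the arbitration, the employer, or any EMR product): every access event attributed to the employee is itemized with its timestamp, action and field, patient identifiers are replaced with a keyed pseudonym so the employee can see that two events hit the same record without learning who the patient is, each event is flagged against a care-team roster, and a SHA-256 over the raw source rows ties the excerpt back to the original export for authenticity. The log format, the care-team roster and the investigation key are all constructed for the example.

```python
import csv
import hashlib
import hmac
import io

# Constructed sample EMR audit log (not taken from the case). One row per access event.
SAMPLE_LOG = """\
timestamp,user,action,patient_id,field
2023-03-01T09:12:04,nurse42,view,P1001,allergies
2023-03-01T09:13:30,nurse42,view,P1002,allergies
2023-03-01T09:40:11,dr_lee,view,P1002,chart
2023-03-02T22:05:47,nurse42,view,P1003,status
2023-03-02T22:06:02,nurse42,view,P1003,allergies
"""

# Constructed care-team roster: (user, patient_id) pairs where the user had a
# legitimate treatment relationship during the review period.
CARE_TEAM = {("nurse42", "P1001"), ("dr_lee", "P1002")}

# Investigation-specific secret used to pseudonymise patient identifiers. In
# practice it would be generated per investigation and held by the privacy office.
INVESTIGATION_KEY = b"constructed-demo-key-not-for-real-use"


def pseudonym(key: bytes, patient_id: str) -> str:
    """Keyed, stable pseudonym: the same patient maps to the same token within one
    investigation. An unkeyed hash would be reversible by trying every patient id,
    which is why an HMAC with a secret key is used instead."""
    tag = hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()
    return "PT-" + tag[:8]


def build_particulars(log_text: str, user: str, key: bytes, care_team: set):
    """Return (events, digest): the per-event particulars for `user`, plus a SHA-256
    over the raw log rows they were derived from, so the excerpt can be matched
    against the original export if its authenticity is questioned."""
    columns = ("timestamp", "user", "action", "patient_id", "field")
    raw_rows = []
    events = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["user"] != user:
            continue
        raw_rows.append(",".join(row[c] for c in columns))
        events.append({
            "timestamp": row["timestamp"],
            "action": row["action"],
            "record": pseudonym(key, row["patient_id"]),
            "field": row["field"],
            "care_relationship": (user, row["patient_id"]) in care_team,
        })
    digest = hashlib.sha256("\n".join(raw_rows).encode()).hexdigest()
    return events, digest


def summarise(events):
    """Headline counts for the disclosure: total events, and how many distinct
    records were accessed with no care relationship on file."""
    unrelated = {e["record"] for e in events if not e["care_relationship"]}
    return {"events": len(events), "unrelated_records": len(unrelated)}


def render(events, digest) -> str:
    """Plain-text table handed to the employee: every event itemised, patients pseudonymised."""
    lines = [f"{'timestamp':<20} {'action':<6} {'record':<12} {'field':<10} care_relationship"]
    for e in events:
        flag = "yes" if e["care_relationship"] else "NO"
        lines.append(f"{e['timestamp']:<20} {e['action']:<6} {e['record']:<12} {e['field']:<10} {flag}")
    lines.append(f"source excerpt sha256: {digest}")
    return "\n".join(lines)


if __name__ == "__main__":
    evts, dig = build_particulars(SAMPLE_LOG, "nurse42", INVESTIGATION_KEY, CARE_TEAM)
    print(summarise(evts))
    print(render(evts, dig))
```

Run as-is it reports four events for the constructed user, two of them against a single record with no care relationship, which is exactly the level of particularity the employee needs to respond to. The pseudonym key should be discarded when the investigation closes; without it the tokens cannot be linked back to patients.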
On September 29th, the IPC/Ontario held that PHIPA governs and provides a right of access to “raw data” about an identifiable individual. It also held that raw data is not subject to the right of access unless it can reasonably be severed from the repositories in which it is retained. The IPC said:
Having regard to the evidence before me, I conclude that where the extraction of the complainant’s information can be done through the development of conventional custom queries by hospital staff, based on information in reporting views available to the hospital, the complainant’s information can be reasonably severed for the purpose of section 52(3) of the Act. The hospital’s obligation to provide access to this information, if the complainant wishes to pursue it, is met by providing him with the results of such queries. The information need not be in native format, but can be in the format in which those results are generated through such queries.
“Reporting views” are tools that make generating certain types of reports from databases easier. The IPC has suggested that hospitals must provide access to data that can be extracted using such tools together with “conventional queries”. Hospitals can charge requesters a fee that represents reasonable cost recovery.
Section 34(2) of PHIPA prohibits persons other than health information custodians or agents of health information custodians from collecting, using and disclosing health card numbers. There are some narrow exceptions, one of which applies when the collection, use or disclosure is “for purposes related to the provision of provincially funded health resources to [the] person [whose health card number is collected…].”
In a decision issued October 10th, the IPC said the following about the exception:
Having regard to the above, I find the proper interpretation of section 34(2)(a) is that a collection or use of a health number will only be “related to the provision of provincially funded health resources” where the health number is collected or used for the purposes of the provincial funding of health resources, or directly obtaining those health resources.
The IPC therefore held that an insurance company could not routinely collect health card numbers on an application form for supplementary health insurance benefits. Although related in the broad sense, the insurance company did not routinely use the number to coordinate benefits. The IPC permitted the company to continue to collect health card numbers to obtain reimbursement for payments made under plans that provide for emergency medical travel coverage.