Tag Archives: PHIPA

In snooping investigations, disclose the logs

21 Dec

When an employer confronts an employee with an allegation of improper access to personal information, it is important to give the employee the event log data that proves the allegation. It may often be voluminous and difficult to interpret, but presenting a general allegation or summarizing events without particulars will give the employee a good reason to deny the allegation.

This is what happened in this very illustrative British Columbia case in which an arbitrator held he could not infer dishonesty from the grievor’s initial failure to admit wrongdoing because the grievor had not been given log data. Also, if an employee continues to deny responsibility, log data can be difficult to rely upon; even if it can be established to be authentic, there are issues about presenting log data in a meaningful and privacy-protective way. An early admission can go a long way.

Fraser Health Authority (Royal Columbian Hospital) v British Columbia Nurses’ Union, 2017 CanLII 72384 (BC LA).


IPC addresses PHIPA request for raw data

20 Dec

On September 29th, the IPC/Ontario held that PHIPA governs and provides a right of access to “raw data” about an identifiable individual. It also held that raw data is not subject to the right of access unless it can reasonably be severed from the repositories in which it is retained. The IPC said:

Having regard to the evidence before me, I conclude that where the extraction of the complainant’s information can be done through the development of conventional custom queries by hospital staff, based on information in reporting views available to the hospital, the complainant’s information can be reasonably severed for the purpose of section 52(3) of the Act.  The hospital’s obligation to provide access to this information, if the complainant wishes to pursue it, is met by providing him with the results of such queries.  The information need not be in native format, but can be in the format in which those results are generated through such queries.

“Reporting views” are tools that make generating certain types of reports from databases easier. The IPC has suggested that hospitals must provide access to data that can be extracted based on such tools together with “conventional queries”. Hospitals can charge a requesters a fee that represents reasonable cost recovery.

St. Michael’s Hospital (Re), 2017 CanLII 70006 (ON IPC).

IPC interprets prohibition on collecting health card numbers

20 Dec

Section 34(2) of PHIPA prohibits persons other than health information custodians or agents of health information custodians from collecting, using and disclosing health card numbers. There are some narrow exceptions, one of which applies when the collection, use or disclosure is “for purposes related to the provision of provincially funded health resources to [the] person [whose health card number is collected…].”

In a decision issued October 10th, the IPC said the following about the exception:

 Having regard to the above, I find the proper interpretation of section 34(2)(a) is that a collection or use of a health number will only be “related to the provision of provincially funded health resources” where the health number is collected or used for the purposes of the provincial funding of health resources, or directly obtaining those health resources.

The IPC therefore held that an insurance company could not routinely collect health card numbers on an application form for supplementary health insurance benefits. Although related in the broad sense, the insurance company did not routinely use the number to coordinate benefits. The IPC permitted the company to continue to collect health card numbers to obtain reimbursement for payments made under plans that provide for emergency medical travel coverage.

An insurance company (Re), 2017 CanLII 70023 (ON IPC).

Who’s the HIC?

28 Sep

Who is the “health information custodian” when an institution with an educational mandate provides health care? PHIPA gives institutions choice. Here’s a presentation I gave yesterday in which I argue that the institution (and not its employed practitioners) should assume the role of the HIC. Also includes some simple content on the new PHIPA breach notification amendment.

Consent form decision imposes strict transparency requirement for handling employee medical information

9 Aug

Disputes about employer medical information consent forms are now common. It’s not hard to pick apart a form, and employers tend to suffer “cuts and bruises.” In once such case an arbitrator has recently held that an employer must identify “anyone with whom the information would be shared” in a consent form. The arbitrator also held that an employer must subsequently (and seemingly proactively) give notice of who is handling information:

I agree with the employer that it is not practical to obtain a new consent every time a manager or HR Specialist who is absent is temporarily replaced. However, the employer must advise the employee of the employer’s need and intention to share health information with a replacement and identify that individual by name and title. This would enable the employee to revoke the consent if he/she does not wish the health information to be shared with the individual replacing the manager or HR Specialist. If and when it becomes necessary to share health information with HR or legal services in order to seek advice, or to obtain approval from senior management with delegated authority, the employee should be informed of the title or office only of the person with whom information will be shared. The employee’s consent would not be required for the employer to be able to do so.

While there’s no debating an employee’s right of control, the degree of transparency required here is very high and operationally challenging in the least. “Person-based consents” (as opposed to “purpose-based consents”) can also restrict important flows of information in subtle yet problematic ways.

The best argument against person-based consents is one that refers to the public policy that is reflected in the Personal Health Information and Protection Act (which does not govern employers acting as employers except via section 49). Even in the health care context – where the standard should be higher, not lower than in the employment context given the limited range of information processed by employers – consent is deemed to exist for a certain purpose and information can flow to any health care provider for that purpose. This is subject to a “lock box” that gives patients the ability to shield their information from specific individuals, but the lock box essentially functions as an opt out. (For the nuances of how PHIPA’s “circle of care” concept works, see here.) Transparency is satisfied by the publication of a “written public statement” (a policy really) that “provides a general description of the custodian’s information practices.” There’s no reason to require more of employers.

OPSEU and Ontario (Treasury Board Secretariat), Re, 2017 CarswellOnt 11994.

IPC says a physician acting as assessor is not a health information custodian

5 Sep

On August 25th the IPC/Ontario held that a physician retained to complete a Custody and Access Assessment Report was not acting as a health information custodian, thereby giving helpful guidance on an issue that has been subject to great confusion.

The IPC explained:

The definition of “health care practitioner” in section 3(1) is premised on the fact that the health care practitioner must be providing health care. Further, “health care” as defined in section 2 of PHIPA must be for a “health-related purpose.” In my view, on the facts of this particular case, the service provided by Dr. Morris was not provided for a health-related purpose, but rather for the purpose of assisting the parents, and possibly the courts, to develop a parenting plan which would function in the best interests of the child. Therefore, and for the further reasons set out below, I find that Dr. Morris was not providing health care when he provided a service in this capacity. Consequently, I find that Dr. Morris was not a “health information custodian” as defined in section 3(1) for the purpose preparing the Custody and Access Assessment Report. As set out below, this interpretation of PHIPA is consistent with the decision of this office in complaint number HC-050014-1, with the policy behind subsection 20(2) of PHIPA, with the decision of the Federal Court of Appeal in Wyndowe v. Rousseau, and with public guidance provided by the Ministry of Health and Long-Term Care in relation to the definition of “health care.”

The IPC also dealt with the Divisional Court decision that has contributed to the confusion – Hooper v College of Nurses of Ontario. The IPC said:

The Divisional Court held that pursuant to section 76 of the Health Professions Procedural Code, being Schedule 2 to the Regulated Health Professions Act, 1991, the investigator appointed by the College of Nurses of Ontario had the jurisdiction to request and use the records from the Sunnybrook and Women’s College Health Sciences Centre.  The Divisional Court further held that the Sunnybrook and Women’s College Health Sciences Centre had the jurisdiction to disclose these records to the College of Nurses of Ontario.  The Divisional Court stated that the Occupational Health and Safety Department was providing health care and therefore the information contained in the records at issue was personal health information as defined in section 4 of PHIPA. This decision does not discuss how this interpretation of “health care” would more broadly affect the collection, use, and disclosure of personal health information on the basis of assumed implied consent pursuant to section 20(2) of PHIPA.

On my review of this decision, it was not necessary for the Divisional Court to decide whether or not the Occupational Health and Safety Department was providing health care and therefore that the information contained in the records was personal health information.  If they were not records of personal health information, the disclosure would not be subject to PHIPA.  Alternatively, if they were records of personal health information, the disclosure would be permitted, as the Divisional Court noted, pursuant to sections 9(2)(e) and 43(1)(b) of PHIPA.  As a result, the statement by the Divisional Court that the Occupational Health and Safety Department was providing health care and that the information in the records was personal health information is obiter dicta as it was unnecessary to the decision in the case.

The decision in Hooper is difficult to reconcile with that in Wyndowe, where the Federal Court of Appeal confirmed that physicians performing an independent medical examination are not “health information custodians” for the purpose of PHIPA.  I note that in the Hooper case, the Divisional Court did not have this office’s interpretation of section 20(2) of PHIPA or the findings in HC-050014-1 before it.  In all these circumstances, I am satisfied that the decision in Hooper, as it relates to what constitutes health care and personal health information, is not binding on me.

This is very helpful, in particular to employers who often face an argument that the health care practitioners they retain as assessors and consultants as subject to the “custodial” duties in PHIPA. The only section of PHIPA that typically binds employers and their assessor/consultants is section 49.

Morris (Re), 2015 CanLII 54751 (ON IPC).

IPC tweaks data security guidance from HO-013

30 Jan

Yesterday the Information & Privacy Commissioner/Ontario issued a paper called “Detecting and Deterring Unauthorized Access to Personal Health Information.” The paper adjusts and augments the detailed guidance on hospital data security the IPC provided in December when it issued HO-013.

In issuing HO-013 the IPC articulated numerous requirements in near checklist form. The IPC adds new requirements in Detecting and Deterring. Hospitals that are currently using HO-013 to conduct a gap analysis should now refer to Detecting and Deterring.

One exception to the augmentation is the IPC’s handing of “search controls” – controls that rest on limiting the search functionality of patient record systems. The IPC has backed off noticeably from HO-013 in Detecting and Deterring, which states:

With respect to search controls, it is important to note that open-ended search functionality may facilitate unauthorized access to personal health information in electronic information systems. For example, in the privacy breach involving the use and disclosure of personal health information for the purpose of selling or marketing RESPs, agents of the hospital were able to obtain lists of women who had recently given birth by performing open-ended searches of a patient index. To prevent this, custodians should ensure that the amount of personal health information that is displayed as a result of a search query is limited, while still enabling agents to carry out their employment, contractual or other duties. Open-ended searches for individuals should be prohibited by the search functionality and search capabilities of electronic information systems containing personal health information. Ideally, electronic information systems should be configured to ensure that search criteria return only one record of personal health information. If that is not feasible, then electronic information systems should be configured so that no more than five records of personal health information are displayed as a result of a search query.

The withdrawal makes sense. Search controls can put patient safety at risk, yet even rigid search controls are a questionable deterrent to intentional unauthorized access. Are bad actors really more likely to engage in unauthorized access because information is easy to find?

Hospitals should beware of the distinction between prescriptions that are recommendatory and prescriptions the IPC has the power to enforce. This is most important in considering the heavily-augmented breach response section of Deterring and Detecting. The IPC, for example, returns to an accountability-related idea it has pressed since making order HO-010 in 2010 by suggesting that hospitals should provide affected individuals with the name of “the agent that caused the privacy breach” in a breach notification letter. The IPC has the power to enforce breach response requirements that are derived from section 12 of PHIPA. A number of the prescriptions it makes on breach response (not necessarily the one I have identified above) have a tenuous connection to section 12 and can reasonably be viewed as recommendatory.