Tag Archives: PHIPA

HO, HO, HO-013 – Big order for Ontario hospitals lands just before the holidays

20 Dec

On December 16th the Information and Privacy Commissioner/Ontario issued its 13th order under the Personal Health Information Protection Act. It contains very detailed prescriptions pertaining to the PHIPA data security standard in section 12. The standard is contextual – i.e., the standard of care is always based on all the “circumstances.” However, given Ontario hospitals face similar foreseeable risks, hospitals should pay very close heed to the prescriptions in HO-013.

I’ll spare you a description of the background and get to the point. Here is a bulleted summary of the data security prescriptions in HO-013. Rather than describe each in detail I will give you very short (synthesized) descriptions and page references.

  1. Ensure that patient information systems support audits and investigations of system misuse. Collect reliable data on all access, copying, disclosure, modification and disposal of patient records. Retain data for a reasonable period of time. Pages 23 to 29.
  2. Conduct periodic audits for patient information system misuse: “Audits are essential technical safeguards for electronic information systems.” Conduct random audits on all system activity. Run a special audit program for “high profile” patients. Pages 32 to 34.
  3. Ensure that patient information systems feature reasonable search controls. Search controls should limit the ability of agents to perform “open-ended” searches. Pages 29 to 32.
  4. Ensure that patient information systems feature a login notice that appears on its own screen and requires express acknowledgement. Page 22.
  5. Conduct regular and comprehensive privacy training pursuant to a privacy training program policy. Require pre-authorization training and annual re-training. Training materials should be detailed and contain certain information prescribed in HO-013. Pages 34 to 36.
  6. Communicate regularly about privacy compliance and compliance duties pursuant to a privacy awareness program policy. Page 36.
  7. Administer a “pledge of confidentiality” that contains certain information prescribed in HO-013. Require agents to sign pre-authorization and annually. Pages 37 and 38.
  8. Maintain and administer a privacy breach management policy that meets particular requirements specified in HO-013. Pages 40 and 41.

Most hospitals will already have data security programs that feature many of the elements in the list above. Regardless, there are detailed requirements in HO-013 (not included in the summary above) that invite hospitals to conduct a broad gap analysis. Some gaps are likely to be closed easily and others may require the investment of additional ongoing resources – e.g., gaps with respect to training and communication programming. The most problematic prescriptions in HO-013 are those that require modifications to patient information systems. The prescriptions regarding search controls, for example, may impair the usability of the systems they apply to. The responding hospital did raise concerns about usability, which the IPC dismissed.

Order HO-013 (IPC Ontario).

Ontario arbitrator partly allows medical information management grievance

25 Oct

On October 8th, Arbitrator Goodfellow partly allowed a grievance that challenged various ways in which an employer administered its sick leave program. In doing so, he held that:

  • absent an express prohibition in a collective agreement, an employer is entitled to use a third-party disability management administrator; and
  • absent specific collective agreement authorization, an employer cannot deprive employees of sick pay pending proof of entitlement as a matter of routine.

Arbitrator Goodfellow also made the following statement on the application of Ontario PHIPA to employers:

We agree with the Employer that it is not bound by PHIPA in its relationship to its employees. Qua long-term care provider the Employer is a “health information custodian”; qua employer it is not: see e.g. City of Kingston and Canadian Union of Public Employees, Local 109, supra. The same is therefore true of Acclaim. PHIPA is aimed at health care providers, not employers. Neither of the cases referred to by the Union establish otherwise. While both discuss the statute, and while Sanofi Pasteur appears to accept its application, there is no indication that the matter was the subject of any submissions in those cases as it was here and in City of Kingston. Having said that, like those arbitrators, we would view the terms of PHIPA as reflecting the kinds of privacy interests to which the Employer may be held accountable under the terms of the collective agreement.

This is a helpful statement given the confusion in the case law to which Arbitrator Goodfellow refers.

Revera Long Term Care Inc (Stoneridge Manor) v Canadian Union of Public Employees, Local 2564, 2014 CanLII 58768 (ON LA).

In dispute over custodianship of medical files, balance favours established clinic

5 Jun

On May 22nd the Ontario Superior Court of Justice ordered medical files to be returned to a clinic by a departing doctor who claimed she had an independent practice and was the legal custodian of the files.

Justice Perell dismissed the defendant’s argument that a corporation could not be a “health information custodian” under the Personal Health Information Protection Act and held that the plaintiff clinic had made out a strong prima facie case that it had such status. His suggestion that the defendant was also a health information custodian is best understood as a function of the qualified burden of proof on an interlocutory motion, given that under PHIPA there can be only one custodian of a record of personal health information.

Justice Perell’s balance of convenience analysis is noteworthy. He said the following about the public interest in providing patients with access to their personal health information pending final resolution of the dispute:

In considering the balance of convenience, it is appropriate to consider the interests of the patients whose health records have been removed from a health clinic to the home of a health care practitioner. In my opinion, a patient will have better access to his or her health records and the health care practitioner who will treat the patient during Dr. Simon’s semi-retirement will have better access to the health records if the records are at professional offices with normal business hours and full-time staff.

A plaintiff in a similar situation could attempt to make a case for the return of records based on a claim to relatively superior security measures, though the stakes of pursuing such an approach would be high.

Note that the plaintiff consented to a term permitting the defendant doctor to make copies of any file relating to a patient she had treated. This is a sensible thing to offer in a dispute over custodianship, but again, is inconsistent with the single custodian rule.

1615540 Ontario Inc. carrying on business as Healing Hands Message v Simon, 2013 ONSC 2986 (CanLII).

Court orders safekeeping of medical records held by departed employee

21 Mar

On March 7th, the Ontario Superior Court of Justice issued an order to secure medical records held by a former employee of an addiction clinic.

The employee had copies of urinalysis reports stored on her personal e-mail account at the time of termination because she had used her personal e-mail account for work purposes. She allegedly used her continuing possession of the e-mails to extort the employer into offering reinstatement and later refused to return the e-mails, arguing they were evidence of the employer’s wrongdoing. (It is not clear from the decision what wrongdoing the employee alleges.)

The Court granted an ex parte order after applying the test for an Anton Piller order. Notably, the order required the employee to turn over control of her e-mail account to an independent supervising solicitor, who was authorized to copy and retain the e-mails, delete the e-mails from the account and return control of the account to the employee. The Court authorized the employer to serve the order by e-mail.

Garber v Robinson, 2013 ONSC 1427 (CanLII).