Health Information and Privacy

Decision Information

Decision Content

PHIPA Order HO-013

December 16, 2014

Table of Contents

EXECUTIVE SUMMARY
BACKGROUND
The Hospital
Electronic Information System
Clerical Staff
Reported Breach 1
Reported Breach 2
Further Notification to Patients
REVIEW PROCESS
Other Hospitals
ISSUES
RESULTS OF THE INVESTIGATION
Issue A: Is the information at issue “personal health information” as defined in section 4 of the Act?
Issue B: Is the person who operates the Hospital a “health information custodian” as defined in section 3(1) of the Act?
Issue C: Were Employee 1 and Employee 2 “agents” of the Hospital as defined in section 2 of the Act?
Issue D: Was personal health information “used” and/or “disclosed” in accordance with the Act?
Issue E: Did the Hospital take steps that are reasonable in the circumstances to ensure that personal health information in its custody or control is protected against theft, loss and unauthorized use or disclosure in accordance with section 12(1) of the Act?
Issue F: Did the Hospital have in place information practices that comply with the Act and did it comply with its information practices in accordance with section 10(1) and 10(2) of the Act?
SUMMARY OF FINDINGS
ORDER
POSTSCRIPT

EXECUTIVE SUMMARY

Personal health information is considered to be among the most sensitive types of personal information, deserving of the highest protection. Yet, in Ontario, we have seen a growing number of cases of agents inappropriately accessing the personal health information of individuals. The type and magnitude of these violations vary. Some involve celebrity “gawkers,” others nosey neighbours, family members or work colleagues. The circumstances of this case involve the unauthorized use and disclosure of personal health information for financial gain. The message to take from all of these cases is clear. Authorized users of electronic information systems can abuse their access privileges, and they pose a risk to patient privacy. Health information custodians must implement reasonable measures and safeguards to eliminate or reduce these risks and to mitigate the harms that may arise from them.

Within the span of less than a year, the Rouge Valley Health System (the Hospital) reported two separate breaches of patient privacy to the Office of the Information and Privacy Commissioner of Ontario. The first reported breach was received by this office in September 2013 and the second, seven months later, in April 2014. Although separate incidents, the breaches were materially similar in that both involved allegations that Hospital employees in clerical positions used and/or disclosed the personal health information of mothers who had recently given birth at the Hospital for the purposes of selling or marketing Registered Education Savings Plans (RESPs).

Given the pattern that appeared to be emerging, upon notification of the second breach, this office decided to conduct a review under the Personal Health Information Protection Act, 2004 (the Act). During this review, we conducted extensive interviews. We engaged in a thorough review of the Hospital’s relevant policies, practices and procedures and received written representations from the Hospital.

As a consequence of the two reported breaches, the Hospital notified more than 14,000 current and former patients of its Rouge Valley Centenary site and Rouge Valley Ajax and Pickering site, all of whom may have been affected by the actions of the two employees. It was necessary to notify all of these individuals because the Hospital was unable to identify the individuals who were actually affected by the actions of the two employees involved in the reported breaches.

Following the first breach, the Hospital discovered that the audit functionality of its Meditech system, the electronic information system at issue in this review, was limited and it undertook to address this shortcoming. During this review, we learned that despite the actions taken and the similarity between the two breaches, the Hospital was still unable to conduct an audit of user activities relating to the second breach due to another “gap” in the Meditech system’s audit functionality.

Audits are essential technical safeguards to protect personal health information. They can be used to deter and detect collections, uses and disclosures of personal health information that contravene the Act. In this way, they help to maintain the integrity and confidentiality of personal health information stored in electronic information systems. The Hospital’s failure to implement full audit functionality in its Meditech system meant that it could not comply with its own policies and that it did not comply with the requirements of the Act.


We also learned that the Hospital’s administrative measures or safeguards such as privacy policies, procedures and practices as well as privacy training and awareness programs which are critical in protecting personal health information were insufficient and therefore not in compliance with the Act. These types of safeguards are particularly important in relation to electronic information systems which provide agents with the ability to access a vast amount of personal health information.

In this Order, among other things, I find that the Hospital failed to comply with its obligations under the Act to put in place technical and administrative measures or safeguards to protect personal health information in compliance with section 12(1) of the Act and I order the Hospital to:

1. In relation to all of the Hospital’s electronic information systems, implement the measures necessary to ensure that the Hospital is able to audit all instances where agents access personal health information on its electronic information systems, including the selection of patient names on the patient index of its Meditech system.

2. In relation to the Hospital’s Meditech system:

a) Work with the Hospital’s Hosting Provider to review and amend the service level agreement between the Hospital and the Hosting Provider to clarify the responsibility for the creation, maintenance and archiving of user activity logs generated by the Hospital’s use of its Meditech system, and ensure that the user activity logs are available to the Hospital for audit purposes.

b) Work with Meditech or another software provider to develop a solution that will limit the search capabilities and search functionalities of the Hospital’s Meditech system so that agents are unable to perform open-ended searches for personal health information about individuals, including newborns and/or their mothers, and can only perform searches based on the following criteria: health number, medical record number, encounter number, or exact first name, last name and date of birth.

3. Review and revise its Privacy Audits policy, the Pledge of Confidentiality policy and the “Pledge of Confidentiality,” and the Privacy Advisory in accordance with the comments and findings made in this Order, and take steps to ensure that it complies with the Privacy Audits policy.

4. Develop and implement a Privacy Training Program policy, a Privacy Awareness Program policy, and a Privacy Breach Management policy in accordance with the comments and findings made in this Order.

5. Immediately review and revise its privacy training tools and materials in accordance with the comments and findings made in this Order.

6. Using the privacy training materials developed in accordance with Order provision 5:

a) immediately conduct privacy training for all agents in clerical positions in the Hospital; and

b) conduct privacy training for all other agents by June 16, 2015.

7. Provide this office with proof of compliance with all of the Order provisions by September 16, 2015.
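The two technical controls in Order provisions 1 and 2(b), an auditable patient index and searches limited to exact identifiers, as an added illustration in Python (not the Hospital's or Meditech's code; the patient records, the user id clerk01 and the field names are constructed for the example):

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional

# Search forms permitted by Order provision 2(b): one exact identifier, or the
# exact first name + last name + date of birth triple. Nothing else is allowed,
# so a date-of-birth-only lookup for newborns, or a bare surname, is refused.
ALLOWED_CRITERIA = (
    frozenset({"health_number"}),
    frozenset({"mrn"}),
    frozenset({"encounter_number"}),
    frozenset({"first_name", "last_name", "date_of_birth"}),
)
WILDCARDS = ("*", "%", "?")


@dataclass(frozen=True)
class Patient:
    mrn: str
    health_number: str
    encounter_number: str
    first_name: str
    last_name: str
    date_of_birth: str  # ISO date, YYYY-MM-DD
    phone: str


@dataclass
class AuditRecord:
    timestamp: datetime
    user: str
    action: str   # "search" or "select"
    detail: dict


class SearchRejected(ValueError):
    """The lookup is not one of the permitted exact-match forms."""


class PatientIndex:
    def __init__(self, patients, clock: Optional[Callable[[], datetime]] = None):
        self._patients = list(patients)
        self._audit = []
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def _log(self, user: str, action: str, detail: dict) -> None:
        # Every search and every selection is recorded, refused ones included,
        # so an investigator can later reconstruct what a user looked at.
        self._audit.append(AuditRecord(self._clock(), user, action, dict(detail)))

    @staticmethod
    def validate(criteria: dict) -> None:
        keys = frozenset(criteria)
        if keys not in ALLOWED_CRITERIA:
            raise SearchRejected(f"criteria {sorted(keys)} not permitted")
        for value in criteria.values():
            if not isinstance(value, str) or not value.strip():
                raise SearchRejected("empty search value")
            if any(w in value for w in WILDCARDS):
                raise SearchRejected("wildcard searches are not permitted")

    def search(self, user: str, criteria: dict) -> list:
        """Exact-match lookup; the attempt is audited whether or not it is allowed."""
        try:
            self.validate(criteria)
        except SearchRejected as exc:
            self._log(user, "search", {"criteria": criteria, "rejected": str(exc)})
            raise
        hits = [p for p in self._patients
                if all(getattr(p, k).casefold() == v.strip().casefold()
                       for k, v in criteria.items())]
        self._log(user, "search", {"criteria": criteria, "hits": [p.mrn for p in hits]})
        return hits

    def select(self, user: str, mrn: str) -> Optional[Patient]:
        """Open one patient from a lookup list: the step Order provision 1 says must be auditable."""
        patient = next((p for p in self._patients if p.mrn == mrn), None)
        self._log(user, "select", {"mrn": mrn, "found": patient is not None})
        return patient

    def audit_trail(self, user: str, since: Optional[datetime] = None) -> list:
        """What a privacy audit needs: every index action by one user, optionally from a date."""
        return [r for r in self._audit
                if r.user == user and (since is None or r.timestamp >= since)]


# Constructed sample records (not real patients).
SAMPLE_PATIENTS = [
    Patient("MRN-0001", "HN-1111", "ENC-9001", "Alice", "Smith", "1990-01-01", "555-0100"),
    Patient("MRN-0002", "HN-2222", "ENC-9002", "Baby", "Smith", "2014-04-01", "555-0100"),
    Patient("MRN-0003", "HN-3333", "ENC-9003", "Carol", "Jones", "1988-06-15", "555-0101"),
]
```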


BACKGROUND

Within the span of less than a year, the Rouge Valley Health System (the Hospital) reported two separate breaches to the Office of the Information and Privacy Commissioner of Ontario (IPC). The first breach was reported to the IPC in September 2013 and the second, seven months later, in April 2014. Although the reported breaches involved separate incidents, they were materially similar in that both involved allegations that Hospital employees in clerical positions used and/or disclosed the personal health information of mothers who had recently given birth at the Hospital for the purposes of selling or marketing Registered Education Savings Plans (RESPs). Given the pattern that appeared to be emerging, upon receipt of the report of the second breach, the IPC decided to conduct a review pursuant to section 58(1) of the Personal Health Information Protection Act, 2004 (the Act).

The circumstances surrounding the two reported breaches are complex. Before going into the details of the two breaches, it is necessary to provide some background on the Hospital as well as on the electronic information system at issue in this review.

The Hospital

The Hospital operates two community hospital sites, Rouge Valley Centenary (Centenary site) and Rouge Valley Ajax and Pickering (Ajax and Pickering site). The Centenary site is located in east Toronto and the Ajax and Pickering site is located in west Durham. The two employees who were the subject of the reported breaches were employed at the Centenary site, but had access to the personal health information of patients at both sites through one of the Hospital’s electronic information systems.

Electronic Information System

The Hospital uses electronic information systems to facilitate the provision of health care to its patients. While the Hospital maintains records of personal health information in paper format, there has been nothing to suggest that the two employees who were the subject of the reported breaches used and/or disclosed personal health information in paper form for the purposes of selling or marketing RESPs.

The software that runs the electronic information system at issue is named after the company that provides it. That company is Medical Information Technology, Inc. (Meditech). In this Order, I will use “Meditech” to refer to the company and “Meditech system” to refer to the electronic information system at issue. The information that the IPC received about the Hospital’s Meditech system was provided by the Hospital in its representations filed during this review.

The Hospital’s Meditech system is a collection of different applications called “modules.” Different modules assist employees and other agents of the Hospital in performing different high-level tasks; for example, scheduling, admissions, payroll, billing, etc. At a lower level than modules are components of modules. Components of modules perform specific functions. For example, the patient index is a component that is present in the scheduling module. The patient index, an electronic list of every Hospital patient, allows employees and other agents of the Hospital with access to it to search for patients in the Hospital’s database.

The scheduling module was used by the two employees to access the personal health information of new mothers. The employees were granted access to this module to perform their duties, which included registering patients and scheduling appointments and procedures for them. The first step in scheduling an appointment or procedure is to determine whether the person is an existing Hospital patient by searching for their name on the patient index. If the patient is not on the patient index, then they must be registered and issued a medical record number (MRN). This two-step task requires access to the entire patient index so as to prevent the same patient from being registered multiple times and receiving multiple MRNs. For this reason, the two employees had access to the personal health information of patients at both the Hospital’s Centenary site and Ajax and Pickering site, including demographic information about patients, such as their name, address and phone numbers, date of birth, health number and the dates of visits to the Hospital.

The Hospital shares a version of Meditech software with another hospital that runs the software and hosts the Meditech system used by the Hospital. In this Order, this other hospital will be referred to as the “Hosting Provider.” The Hosting Provider owns the license for the shared Meditech software and is responsible for implementing and operating a Meditech system on behalf of the Hospital according to a service level agreement between them. A consequence of the fact that the Hospital and Hosting Provider share a version of Meditech software is that some technical settings apply to both the Hospital and the Hosting Provider.

Clerical Staff

As noted above, the responsibilities of the two employees who were the subject of the reported breaches included performing tasks such as registering patients, and scheduling appointments and procedures for them. However, the two employees’ responsibilities were not limited to such tasks. Throughout this Order, those who work in positions with similar responsibilities as the two employees will be referred to generally as “clerical staff.” Clerical staff are not responsible for directly providing health care to patients.

Reported Breach 1

In September 2013, the Hospital contacted the IPC to report a breach involving an employee (Employee 1) who it determined had violated the Hospital’s privacy policy and the Act. Employee 1 began working in a clerical position at the Centenary site in May 2004. In July 2013, Employee 1 was transferred to another department at the Centenary site, where he continued to work in a clerical position until he was terminated in October 2013.

In 2009, Employee 1 advised the Hospital that he had applied for a part-time position as a sales representative for an RESP company and he asked the Hospital to confirm, in writing, that selling RESPs would not be a conflict of interest vis-à-vis his employment with the Hospital. In July 2009, the Hospital provided Employee 1 with a letter, which stated:

It is our understanding that one of our employees, [name of Employee 1] has applied for an RESP sales representative position. Many of our staff hold jobs apart from working here and all employees who hold other positions outside of their employment with Rouge Valley Health System must abide by our rules and regulations, including our Conflict of Interest Policy, which states, in part, that no employee shall solicit any business from patients, staff or visitors to support such outside employment.

When Employee 1 was transferred in July 2013, his access to Meditech system modules that included personal health information was terminated, because the Hospital determined that he no longer required that access to fulfil his job duties. According to the Hospital, shortly after his transfer, Employee 1 asked the Hospital to reinstate his access to Meditech system modules that included personal health information, stating, at that time, that he was “seeking access to phone numbers of patients who had recently given birth in order to sell them RESPs in the course of his part-time employment.” Based on this information, Employee 1 was suspended pending the outcome of an investigation by the Hospital. His access to personal health information was also suspended.

The Hospital advised that during a subsequent interview by its human resources staff, Employee 1 denied that he was employed part-time selling RESPs or that he had contacted any patients of the Hospital for that purpose. Shortly after that interview, the Hospital terminated Employee 1 having concluded that he had violated the Hospital’s privacy policy and the Act.

During discussions we had with Employee 1, he continued to deny that he had contravened the Hospital’s policies and the Act. However, given the Hospital’s findings and the fact that it reported a privacy breach to this office, for the purposes of this Order, I accept the Hospital’s conclusion that Employee 1 had contravened its policies and the Act.

When this breach was reported to the IPC in September 2013, the IPC believed that it was an isolated incident and, based on the information provided by the Hospital as to the steps that it had taken or would take to minimize the risk of a similar breach occurring in future, the IPC worked with the Hospital to contain the breach and to ensure that appropriate notice to affected patients was given. Further discussion of the Hospital’s response to this reported breach appears below.

In a letter dated October 8, 2013, the Hospital provided the IPC with the results of its internal investigation, including the following information:

The Hospital “determined that the incident was a violation of the [Hospital] privacy policy and the PHIPA act, and self-reported the incident to the IPC.”

The Hospital’s IT department was not able to prove or disprove that Employee 1 had been “accessing patient records” because the Hospital’s “system only has two weeks of user history” which was “a limitation posed by [its] Meditech hosting partner.”


The Hospital “[e]stablished that the employee had access to schedule information which allowed him to view contact information (telephone and address) of expecting mothers without accessing the patient record.”

The Hospital was not “able to view patient record level audit logs” and therefore was also “not able to quantify the number of patients whose information was viewed inappropriately by the employee.”

With respect to the limitations of its audit functionality, the Hospital stated:

In order to overcome the audit log limitation that we discovered in our Meditech system, we are working with our hosting party, [ ], and the vendor, Meditech, on two enhancements of the access logs: (a) extend the length of the live Meditech log to ninety days and enable the archiving of the logs past ninety days, (b) create an export of the access logs from the Meditech proprietary format to a relational database that will allow us to maintain unlimited access history and report inappropriate access.

On December 12, 2013, the Hospital began notifying 7,613 current and former patients that their personal health information may have been used by Employee 1 in contravention of the Act. Not knowing for certain which patients’ personal health information was used by Employee 1, the Hospital notified all patients at the Centenary site who had given birth between July 2009 and August 2013, which is the period of Employee 1’s employment for which he had access to the scheduling module of the Meditech system.

Reported Breach 2

On April 24, 2014, the Hospital notified the IPC that it had discovered that a second employee (Employee 2) had been selling the personal health information of patients who had recently given birth at the Hospital to an RESP company.

Employee 2 began working in a clerical position at the Hospital’s Centenary site in July 2001 and continued to work in that capacity until June 2013. In July 2013, Employee 2 began working again in a clerical position at the Hospital’s Centenary site until her resignation in April 2014.

The Hospital explained that in early April 2014, one of its staff members found a number of documents on a printer that appeared to be printed screen shots of the Meditech system. The Hospital stated that the documents included the personal health information of patients who had recently given birth. The screen shots were given to senior managers, who determined that Employee 2 had printed them.

In representations submitted by the Hospital during this review, the Hospital states that the printed screen shots represented the results of searches conducted on the patient index. The results included a “lookup list of patients meeting the search parameters” used by Employee 2. In addition, the printed screen shots included the patient “selected” from the list which pulls up the patient’s contact information, health number and Hospital visits. These search results indicated that Employee 2 was looking for information about new mothers.


The Hospital conducted an internal investigation. During this internal investigation, Employee 2 admitted to the Hospital that she had been selling personal health information to an RESP sales agent since 2010 and stated that she had sold the information of about 400 patients in the last nine months of her employment for approximately $600. After the Hospital concluded its internal investigation in April 2014, Employee 2 resigned.

On May 27, 2014, the Hospital notified an additional 669 former patients of its Centenary site that “a staff member was inappropriately accessing hospital information through the Hospital’s electronic scheduling system.” This group of patients was comprised of the mothers who had given birth at the Hospital’s Centenary site between July 2013 and April 2014, the period of time between the first reported breach and the second reported breach. The Hospital states in its representations that it was not able to identify the actual patients affected by Employee 2’s actions.

Further Notification to Patients

On July 2, 2014, the Hospital informed the IPC that the screen shots that were found on the printer that triggered its investigation into the activities of Employee 2, contained the personal health information of patients who had received care at its Ajax and Pickering site, in addition to its Centenary site. In light of this and given that Employee 1 also had access to the Meditech patient index, which includes the personal health information of patients at the Ajax and Pickering site, the Hospital concluded that some patients at the Ajax and Pickering site may have been affected by the activities of the two Employees.

On August 19, 2014, the Hospital notified a further 6,150 former patients of the Ajax and Pickering site that their personal health information may have been used and/or disclosed in contravention of the Act.

REVIEW PROCESS

Following the report of the second breach, the IPC commenced a review under section 58(1) of the Act and began to gather further information from the Hospital including copies of relevant documents, such as copies of the applicable policies, practices and procedures of the Hospital.

The IPC also met with and interviewed the Chief Information and Privacy Officer and other senior managers at the Hospital, and was given a demonstration of the Meditech system and its scheduling module that was used by both Employees in the regular course of their employment. Hospital IT staff also gave a demonstration of the audit capabilities and limitations of the Meditech system.

The IPC contacted both Employees and asked them to meet with IPC staff. Employee 1 declined, but Employee 2 agreed to be interviewed.


Given the seriousness of the allegations, I issued a summons to both Employees pursuant to section 60(12) of the Act. The summons compelled them to attend at the office of the IPC and to give evidence under oath or affirmation.

I also issued a Notice of Review asking the Hospital to submit written representations on the issues relevant to this review. After receipt of representations in response to the initial Notice of Review, I issued a Supplementary Notice of Review inviting the Hospital to submit further representations. I received representations from the Hospital in response to the supplementary notice.

Other Hospitals

During the course of this review, the IPC received complaints from 20 different individuals who had given birth at other Ontario hospitals and who had been contacted by telephone in the days or weeks following their child’s birth by representatives of various RESP companies (“complainants”).

Seventeen of these complainants provided their consent to an investigation by this office into the circumstances surrounding their complaint. The IPC then contacted the hospitals identified and requested that they conduct their own internal investigations and report back to the IPC on the results of those investigations. The hospitals’ internal investigations included audits of the personal health information of the complainants and, in some cases, the hospitals contacted the RESP companies involved to inquire as to how the RESP company received the contact details of the complainants. The IPC received the full cooperation of the hospitals involved.

I am satisfied that in each of these cases involving other hospitals, the personal health information of the complainants was not used and/or disclosed by agents of the other hospitals for the purposes of selling or marketing RESPs. Based on the reports received from the other hospitals, the IPC learned that the complainants had, at some point prior to the birth of their child, provided their consent to be contacted by an RESP company. This consent was provided in some cases on ballot entries submitted at baby shows or exhibitions, and/or by signing up for a loyalty card at a maternity clothing retailer. Most of these complainants did not recall providing their consent and acknowledged that they might not have thoroughly reviewed the information on the ballot or loyalty card application, or understood what they were consenting to.

As a result of the above, I am satisfied that the personal health information of these complainants was not used and/or disclosed by agents of these other hospitals for the purposes of selling or marketing RESPs and each of these files has been closed.


ISSUES

In this Order, I will consider the following issues:

a) Is the information at issue “personal health information” as defined in section 4 of the Act?

b) Is the person who operates the Hospital a “health information custodian” as defined in section 3(1) of the Act?

c) Were Employee 1 and Employee 2 “agents” of the Hospital as defined in section 2 of the Act?

d) Was personal health information “used” and/or “disclosed” in accordance with the Act?

e) Did the Hospital take steps that are reasonable in the circumstances to ensure that personal health information in its custody or control is protected against theft, loss and unauthorized use or disclosure in accordance with section 12(1) of the Act?

f) Did the Hospital have in place information practices that comply with the Act and did it comply with these practices in accordance with section 10(1) and 10(2) of the Act?

RESULTS OF THE INVESTIGATION

Issue A: Is the information at issue “personal health information” as defined in section 4 of the Act?

Section 4(1) of the Act states, in part: In this Act, “personal health information”, subject to subsections (3) and (4), means identifying information about an individual in oral or recorded form, if the information,

(a) relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family,

(b) relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual,

(f) is the individual’s health number, or

(g) identifies an individual’s substitute decision-maker.


Section 4(2) of the Act states: In this section, “identifying information” means information that identifies an individual or for which it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify an individual.

In its representations, the Hospital stated that it does not know the exact nature and type of information that was used and/or disclosed by Employee 1 and Employee 2. Based on the information available to the Hospital, the Hospital “surmises that the information used and/or disclosed by the Employees was: patient names of the mother and baby, baby’s gender, baby’s date of birth, and the mother’s telephone number.”

The Hospital acknowledges that this information is “personal health information” as that term is defined in the Act. In its representations, the Hospital states that section 32(2) of the Act suggests that an individual’s name and contact information constitute “personal health information” even if they do not on their own relate to the physical or mental health of the individual, the health history of the family or the provision of health care to the individual.

I find that the information at issue is “personal health information” as defined in section 4 of the Act. It identifies the name of the mother and the baby and identifies that the mother and baby were patients of the Hospital. Section 4(1) of the Act clearly states that personal health information includes the identification of a person, in this case the Hospital, as a provider of health care to the individual, in this case the mother and the baby.

Issue B: Is the person who operates the Hospital a “health information custodian” as defined in section 3(1) of the Act?

Section 3(1) of the Act states, in part: “health information custodian”, subject to subsections (3) to (11), means a person or organization described in one of the following paragraphs who has custody or control of personal health information as a result of or in connection with performing the person’s or organization’s powers or duties or the work described in the paragraph, if any:

4. A person who operates one of the following facilities, programs or services:

i. A hospital within the meaning of the Public Hospitals Act…

Section 2 of the Act defines a “person” to include a partnership, association or other entity. Section 87 of the Legislation Act further provides that a “person” includes a corporation.


Consistent with the IPC’s findings in previous Orders, I find that the Hospital is a “person” who operates a hospital within the meaning of the Public Hospitals Act and that it is a health information custodian with custody or control of the personal health information at issue as defined in section 3(1)4i of the Act. The Hospital does not dispute this finding.

Issue C: Were Employee 1 and Employee 2 “agents” of the Hospital as defined in section 2 of the Act?

The issue to be decided here is whether Employee 1 and Employee 2 were “agents” when they used and/or disclosed personal health information in the custody or control of the Hospital for the purposes of selling or marketing RESPs. The issue is relevant to determining whether the personal health information was “used” and/or “disclosed” within the meaning of the Act. 1 Section 2 of the Act defines an “agent” as:

“agent”, in relation to a health information custodian, means a person that, with the authorization of the custodian, acts for or on behalf of the custodian in respect of personal health information for the purposes of the custodian, and not the agent’s own purposes, whether or not the agent has the authority to bind the custodian, whether or not the agent is employed by the custodian and whether or not the agent is being remunerated.

The Hospital submits that Employee 1 and Employee 2 were not “agents” for these purposes. The Hospital argues that it did not authorize Employee 1 or Employee 2 to use and/or disclose personal health information for the purposes of selling or marketing RESPs and, in doing so, the Employees acted beyond the authority delegated by the Hospital. It argues that these uses and/or disclosures of personal health information by the Employees were not in the course of their duties and were not carried out for, or on behalf of and for the purposes of, the Hospital, but rather, were “clearly motivated by self-interest.” Therefore, the Hospital argues that the Employees were not “agents” within the meaning of the Act in using and/or disclosing personal health information for these purposes.

Having carefully considered these representations, I disagree. In the usual course of their duties, Employee 1 and Employee 2 acted for or on behalf of, for the purposes of and with the authorization of the Hospital in respect of personal health information, and not for their own purposes. They were authorized to collect, use, disclose, retain or dispose of personal health information to assist the Hospital in carrying out its duties. Therefore, they were “agents” under the Act even though they may have acted beyond the authority delegated by the Hospital in the particular instances when they used and/or disclosed personal health information to market or sell RESPs.

This interpretation is consistent with previous Orders of the IPC. As held in Orders HO-002 and HO-010:

1 The provision of personal health information between a health information custodian and an agent of the custodian is a use by the custodian, and not a disclosure by the person providing the information or a collection by the person to whom the information is provided. See section 6(1) of the Act.


A cursory reading of the definition of “agent” in the circumstances of this complaint might suggest that, because in this instance the nurse did not have the hospital’s authorization to use or disclose the health information in question, and was in fact doing so for her own purposes, she was not an “agent.” That is not my view. For the reasons that follow, I have concluded that this interpretation is not sustainable, and that the nurse was in fact an agent.

A careful reading of the definition, particularly when viewed in the context of the Act as a whole, makes it clear that the Legislature intended that the phrase, “acts for or on behalf of the custodian in respect of personal health information for the purposes of the custodian” should be read as a reference to the person’s usual duties and activities, as opposed to an action taken in the particular circumstances of a complaint… It is also important that the definition of “agent” expressly contemplates the inclusion of employees in this category. 2

My finding is also supported by the modern rule of statutory interpretation which states: “the words of an Act are to be read in their entire context, in their grammatical and ordinary sense harmoniously with the scheme of the Act, the object of the Act, and the intention of Parliament.” 3

Grammatical and Ordinary Meaning of “Agent”

In R v Conception, the Supreme Court of Canada emphasized that the starting point of statutory interpretation “is the text of the provisions in their grammatical and ordinary sense,” especially where the key term is expressly defined by statute. 4 Section 2 of the Act defines an “agent” as “a person that, with the authorization of the custodian, acts for or on behalf of the custodian in respect of personal health information for the purposes of the custodian, and not the agent’s own purposes.”

The Hospital argues that the Employees were not acting “with the authorization of” and “for or on behalf of” and “for the purposes of” the Hospital, but rather for their “own purposes,” and therefore were not “agents” within the meaning of the Act in using and/or disclosing personal health information for the purposes of selling or marketing RESPs.

I do not agree with this position. Employee 1 and Employee 2 meet the definition of “agent” in the ordinary sense of the word used in the Act. They are “persons” who acted “with the authorization of,” “for or on behalf of,” and “for the purposes of” the Hospital in respect of personal health information in the usual course of their duties. But for the fact that they were agents, the Employees would not have had access to the personal health information at issue.

This interpretation is consistent with the grammatical and ordinary meaning of the term “agent.” “Agent” is defined by Merriam-Webster as “a person who does business for another person,” “a person who acts on behalf of another,” or “a person or thing that causes something to happen.” 5 Similarly, Oxford defines “agent” as “a person who acts on behalf of another” or “a person or thing that takes an active role or produces a specified effect.” 6 None of the dictionary definitions consulted indicate that a person must act within the authorization of, for or on behalf of and for the purposes of the other person at all times in order to be an agent.

2 (July 2006), HO-002, online: IPC <http://www.ipc.on.ca/images/Findings/up-HO_002.pdf> at 5 [HO-002]; (December 31, 2010), HO-010, online: IPC <http://www.ipc.on.ca/images/Findings/ho-010.pdf> at 7 [HO-010].

3 Ruth Sullivan, Sullivan on the Construction of Statutes, 5th ed (Markham: LexisNexis Canada Inc., 2008) at 1; Re Rizzo & Rizzo Shoes Ltd., [1998] 1 SCR 27 at para 41; and R. v. Conception, 2014 SCC 60 at para 14 [Conception].

4 R. v. Conception, supra note 3.

The words “with the authorization of the custodian,” “acts for or on behalf of the custodian,” and “for the purposes of the custodian, and not the agent’s own purposes” in section 2 of the Act ensure that third parties who do not have an employment, contractual or other agency relationship with the custodian fall outside the scope of the definition of “agent.” These words make it clear that third parties who may be permitted to access personal health information in health care settings for their own purposes, such as independent researchers, assessors or inspectors of regulatory colleges and government inspectors, are not “agents” within the meaning of the Act and therefore the custodian is not responsible for their actions in respect of the personal health information in its custody or control.

Objects and Scheme of the Act

The Legislation Act states that a statute shall be interpreted as being remedial and shall be given “such fair, large and liberal interpretation as best ensures the attainment of its objects.” 7 The Hospital’s argument that the term “agent” should be narrowly interpreted to exclude a person who is authorized to collect, use, disclose, retain or dispose of personal health information for or on behalf of and for the purposes of a health information custodian in the usual course of his or her duties, but who, in a particular instance or instances, collects, uses, discloses, retains or disposes of that information for an unauthorized purpose, is inconsistent with the objects of the Act and with the scheme of the Act.

Objects of the Act

The objects of the Act are set out in section 1, which provides in part:

1. The purposes of this Act are,

(a) to establish rules for the collection, use and disclosure of personal health information about individuals that protect the confidentiality of that information and the privacy of individuals with respect to that information, while facilitating the effective provision of health care;

[…]

(e) to provide effective remedies for contraventions of this Act.

5 Merriam-Webster Online Dictionary, sub verbo “agent.”

6 Oxford Online Dictionary, sub verbo “agent”; likewise, Cambridge Dictionaries Online’s definition of “agent” includes “a person who acts for or represents another”, sub verbo “agent.”

7 Legislation Act, 2006, SO 2006, c 21 Sched F at s 64(1).

At its core, the objects or purposes of the Act are to protect the privacy of individuals in respect of their personal health information, to protect the confidentiality of that information and to provide effective remedies for contraventions of the Act. Privacy and confidentiality are best protected by holding health information custodians accountable for the conduct of persons who act for or on their behalf and for their purposes in the usual course of their duties.

As the law of vicarious liability demonstrates, “[e]mployers are often in a position to reduce accidents and intentional wrongs by efficient organization and supervision.” 8 Vicarious liability is designed to ensure that the employer remains responsible for the reasonably foreseeable risks attributable to or arising from the employer’s activities so that the employer takes reasonable steps to reduce the risk. This has been acknowledged on numerous occasions by the Supreme Court of Canada. In London Drugs v Kuehne & Nagel International Ltd., the Court noted “[v]icarious liability has the broader function of transferring to the enterprise itself the risks created by the activity performed by its agents.” 9 Further, in John Doe v Bennett, the Court stated “the hope is that holding the employer or principal liable will encourage such persons to take steps to reduce the risk of harm in the future.” 10 But for the fact that they were employees, Employee 1 and Employee 2 would not have had access to the personal health information at issue. Therefore, the Hospital provided the opportunity and created the risk of unauthorized use and disclosure. The Hospital is also in the best position to take reasonable steps to reduce the risk of further contraventions of the Act not only by Employee 1 and Employee 2, but by all persons. The Hospital, and not the Employees, can develop, amend and implement policies, procedures, practices and safeguards that apply to all persons, including those acting for or on its behalf and for its purposes in the usual course of their duties.

If the Hospital’s submissions were accepted, a health information custodian would arguably have less responsibility for those acting for or on its behalf and for its purposes in the usual course of their duties under the Act than under the law of vicarious liability. This clearly does not protect the privacy of individuals with respect to their personal health information and the confidentiality of that information. If the Legislature intended to limit the responsibility of health information custodians for the actions of those acting for or on their behalf in the usual course of their duties, it would have included clear and unambiguous language in the Act. Absent such clear and unambiguous language, there is no basis for interpreting the term “agent” in such a way that is fundamentally inconsistent with the purposes of the Act.

The Hospital argues that “it is not necessary for a person to be an ‘agent’ to be covered by the restrictions and potential sanctions in the Act.” In particular, it argues that the Commissioner may make an order under section 61(1) of the Act against “any person” and that “any person” may be charged with an offence under section 72 of the Act, suggesting that such orders and prosecutions would, in these circumstances, achieve the objects or purposes of the Act.

8 Bazley v Curry, [1999] 2 SCR 534 at para 32.

9 [1992] SCR 299 at 339.

10 2004 SCC 17 at para 20.


While an order of the Commissioner directed at “any person” or a prosecution commenced by the Attorney General against “any person” may have a deterrent effect on others, such measures would not adequately address the systemic issues that an order directed at a health information custodian would achieve. As previously noted, an order directed at a custodian to implement policies, procedures, practices and safeguards would reduce the risk of further contraventions of the Act not only by the “person” whose acts or omissions are at issue, but all “persons” acting for, on behalf of and for the purposes of the custodian in the usual course of their duties.

There are further problems with the Hospital’s proposed interpretation. If the Hospital’s submissions were accepted, it would result in inconsistent treatment or accountability of health information custodians under the Act, depending on whether or not they act through other persons. For example, custodians that are corporations (such as community care access corporations and corporations that operate hospitals, long-term care homes and pharmacies) and other custodians that act through other persons would have less responsibility for contraventions of the Act than a custodian who may do so to a lesser degree, such as a sole health care practitioner. Such an interpretation is inconsistent with the objects and purposes of the Act.

Moreover, if the Hospital’s submissions were accepted, it would result in persons constantly transitioning between acting as agents and non-agents, potentially from one moment to the next, throughout the course of a day. The effort that would be required to determine exactly when each person was acting as an agent would create unnecessary confusion and ultimately frustrate the ability of the Commissioner and the courts to achieve the objects and purposes of the Act. 11 The objects and purposes of the Act are not to apportion liability between the health information custodian and persons acting for or on its behalf. Its main object or purpose is to protect privacy and confidentiality of individuals in a health care setting.

Scheme of the Act

My finding as to the proper interpretation of the term “agent” in section 2 of the Act is also consistent with other provisions in the Act.

Section 17(1) provides, in part, as follows:

A health information custodian is responsible for personal health information in the custody or control of the health information custodian and may permit the custodian’s agents to collect, use, disclose, retain or dispose of personal health information on the custodian’s behalf only if

This section unequivocally states that a health information custodian is responsible for personal health information in its custody or control. A health information custodian may permit others to collect, use, disclose, retain or dispose of personal health information for or on its behalf, but the Act clearly states that the custodian remains responsible. Nothing in the Act permits a custodian to delegate or assign that responsibility.

11 This type of impractical time-based interpretation was expressly criticized in reference to the Freedom of Information and Protection of Privacy Act, RSO 1990, c F-31, in Ontario (Solicitor General) v Mitchinson, (2001) 55 OR (3d) 355 (CA), [2001] OJ No 3223 at paras 38-40.

In these circumstances, there is no dispute that the personal health information at issue was and continues to be in the custody and control of the Hospital. Therefore, pursuant to section 17(1), as the health information custodian, the Hospital “is responsible” for that information.

In fact, the majority of the obligations under the Act are imposed on health information custodians, not on other persons, including agents. This clearly points to the fact that accountability for personal health information remains with the custodian.

The Hospital’s suggestion that a person is not an “agent” when they act beyond the authority delegated by the Hospital is also inconsistent with sections 17(1)(b) and (2), which state:

(1) A health information custodian is responsible for personal health information in the custody or control of the health information custodian and may permit the custodian’s agents to collect, use, disclose, retain or dispose of personal health information on the custodian’s behalf only if,

(b) the collection, use, disclosure, retention or disposition of the information, as the case may be, is in the course of the agent’s duties and not contrary to the limits imposed by the custodian, this Act or another law; and

(2) Except as permitted or required by law and subject to the exceptions and additional requirements, if any, that are prescribed, an agent of a health information custodian shall not collect, use, disclose, retain or dispose of personal health information on the custodian’s behalf unless the custodian permits the agent to do so in accordance with subsection (1).

Section 17(2) of the Act expressly permits agents to collect, use, disclose, retain or dispose of personal health information without the permission or authorization of the health information custodian in certain circumstances, including those prescribed in section 7 of Regulation 329/04 under the Act. 12 As a result, the Act clearly contemplates that a person does not cease to be an agent simply because the custodian did not permit or authorize the agent to collect, use, disclose, retain or dispose of personal health information for a specific purpose. In addition, sections 17(1)(b) and (2) clearly contemplate the possibility of unauthorized collection, use, disclosure, retention or disposal by agents, which would be impossible if the Hospital’s submissions were accepted. As stated in both Orders HO-002 and HO-010:

Section 17 of the Act clearly contemplates the possibility of improper collection, use or disclosure by agents, which would be impossible if their status as agents ended when they ceased acting for the custodian’s purposes and began acting for their own… these provisions would be rendered meaningless if a person who would usually be an agent is converted to a non-agent in the event that they act improperly. The Legislature could not possibly have intended this result. 13

12 Personal Health Information Protection Act, 2004, Ontario Regulation 329/04 at s 7.

13 Orders HO-002 and HO-010, supra note 2.


The Hospital refers to section 12(2) of the Act in support of its position that Employee 1 and Employee 2 were not “agents” when they used and/or disclosed personal health information for the purposes of selling or marketing RESPs. Section 12(2) states:

Subject to subsection (3) and subject to the exceptions and additional requirements, if any, that are prescribed, a health information custodian that has custody or control of personal health information about an individual shall notify the individual at the first reasonable opportunity if the information is stolen, lost, or accessed by unauthorized persons.

The Hospital states that an agent is by definition not “an unauthorized person” and therefore suggests that because the Hospital was required to notify affected individuals under section 12(2), the Employees could not possibly have been agents.

Again, I do not agree. If the position of the Hospital were accepted, a health information custodian would also not be required to notify affected individuals under section 12(2) if the custodian authorized a person to use and/or disclose personal health information in contravention of the Act on the basis that the personal health information would not have been “accessed by an unauthorized person.” Such a result would not conform with the scheme of the Act.

Section 12(2) cannot be read in isolation. It must be read in the context of the section in which it is found as well as the other provisions of the Act. The immediately preceding section states:

12(1) A health information custodian shall take steps that are reasonable in the circumstances to ensure that personal health information in the custodian’s custody or control is protected against theft, loss and unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal.

The notice requirement in section 12(2) of the Act stems from the obligation in section 12(1) which requires a health information custodian to take steps that are reasonable in the circumstances to protect personal health information against “unauthorized use or disclosure.” Section 12(2) should be interpreted to encompass unauthorized use or disclosure of personal health information.

The Legislative Intent

The Hospital has not referenced any legislative history to support its narrow interpretation of the term “agent.” In fact, the legislative history supports a broad interpretation.

Statements made by individuals who were instrumental in advising the Ministry of Health and Long-Term Care (the Ministry) on the development of the Act, make it clear that the term “agent” is to be interpreted broadly. For example, when explaining the term “agent” to the Standing Committee considering the bill that led to the Act, legal counsel for the Ministry stated:


There’s always someone who is responsible. The hospital is responsible for all the health-care practitioners who work within it. As well, the doctor is responsible for his or her own staff in the office… The definition of “agent” is an expansive definition. It includes students, it would include volunteers; it is all of those who work within a custodian. 14

Before the same committee, the Acting Director of the Health Information, Privacy and Sciences Branch of the Ministry confirmed the breadth of the definition of “agent” in the Act:

You’ll see in section 17 the point that we made earlier, that custodians are responsible for the actions of their agents. Whether it’s a volunteer working in a hospital or an information manager that you’ve hired to transcribe your records, ultimately, the custodian is responsible. 15

In fact, the definition of “agent” was further broadened by the Standing Committee to include the phrase “whether or not the agent has the authority to bind the custodian,” 16 which is how the term is currently defined in section 2 of the Act. The Standing Committee’s expansion of the definition is further evidence that the term “agent” is meant to be interpreted broadly.

Upon consideration of the grammatical and ordinary meaning of “agent,” the objects and scheme of the Act and the legislative intent, I find that Employee 1 and Employee 2 were “agents” of the Hospital in the particular instances when they used and/or disclosed personal health information for the purposes of selling or marketing RESPs.

Issue D: Was personal health information “used” and/or “disclosed” in accordance with the Act?

Section 2 of the Act defines “use” and “disclose” as follows:

“use”, in relation to personal health information in the custody or under the control of a health information custodian or a person, means to handle or deal with the information, subject to subsection 6(1), but does not include to disclose the information, and “use”, as a noun, has a corresponding meaning;

“disclose”, in relation to personal health information in the custody or under the control of a health information custodian or a person, means to make the information available or to release it to another health information custodian or to another person, but does not include to use the information, and “disclosure” has a corresponding meaning;

14 Ontario, Standing Committee on General Government (Hansard), 38th Parl, 1st Sess, (January 26, 2004) at 1050 (Halyna Perun) [emphasis added].

15 Ontario, Standing Committee on General Government (Hansard), 38th Parl, 1st Sess, (January 26, 2004) at 1110 (Carol Appathurai).

16 Ontario, Standing Committee on General Government (Hansard), 38th Parl, 1st Sess, (April 28, 2004) at 1600 (Kathleen Wynne).


Section 6(1) of the Act is also relevant. It states, in part, that “the providing of personal health information between a health information custodian and an agent of the custodian is a use by the custodian, and not a disclosure by the person providing the information…”

Personal health information is permitted to be used or disclosed if the use or disclosure complies with section 29 of the Act, which states:

A health information custodian shall not collect, use or disclose personal health information about an individual unless,

(a) it has the individual’s consent under this Act and the collection, use or disclosure, as the case may be, to the best of the custodian’s knowledge, is necessary for a lawful purpose; or

(b) the collection, use or disclosure, as the case may be, is permitted or required by this Act.

As previously discussed, in July 2013, Employee 1 was transferred to another department at the Hospital’s Centenary site and his access rights to personal health information in the Meditech system were terminated. According to the information provided by the Hospital, Employee 1 asked his manager to reinstate his previous access rights and stated that he had been accessing the Meditech system to obtain the contact information of new mothers so that he could contact them for the purposes of selling them RESPs. Following an investigation by the Hospital, the Hospital concluded that there had been a violation of the Hospital’s privacy policy and of the Act and reported the breach to the IPC. The Hospital has indicated to the IPC that it has no information to suggest that Employee 1 disclosed personal health information.

Employee 2 admitted that she accessed personal health information for the purpose of selling it to an RESP sales agent and sold that information to the RESP agent for that purpose, and that she had been doing so since 2010. Employee 2 sold the personal health information knowing that the RESP agent was using this information to sell or market RESPs to patients.

Employee 2 used the Meditech scheduling module to search the patient index and retrieve the contact information of the patients. The printouts of Meditech screen shots found in April 2014 show that Employee 2 was able to return a list of newborns by searching for a patient with the name “AA” and a recent date of birth. Because the name “AA” did not match any patients in the patient index, the system relaxed the search criteria and searched for any patients with the specified date of birth only. In this way, an open-ended search for newborns was performed. By selecting the name of a newborn from the results of the patient index search, Employee 2 was able to access information about the newborn’s mother.
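As an added example (not the Hospital’s system and not code from the Order), the following Python models the search relaxation described above, beside a hardened lookup that never drops a criterion and records every query so that refused or empty lookups can be reviewed. The patient records, user names and review threshold are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Patient:
    name: str
    dob: date
    mother: Optional[str] = None  # set on newborn records


# Constructed sample patient index (not real data).
PATIENT_INDEX: List[Patient] = [
    Patient("Baby Smith", date(2014, 4, 1), "Jane Smith"),
    Patient("Baby Lee", date(2014, 4, 1), "Mei Lee"),
    Patient("Baby Khan", date(2014, 3, 30), "Aisha Khan"),
    Patient("John Doe", date(1970, 4, 1)),
]


def relaxed_search(index: List[Patient], name: str, dob: date) -> List[Patient]:
    """Weak behaviour described in the Order: if the name matches nobody,
    the name criterion is silently dropped and every patient with that
    date of birth is returned, turning a lookup into an enumeration."""
    matches = [p for p in index
               if p.name.lower().startswith(name.lower()) and p.dob == dob]
    if matches:
        return matches
    return [p for p in index if p.dob == dob]  # silent relaxation


@dataclass
class AuditEvent:
    user: str
    name: str
    dob: date
    outcome: str  # "ok", "refused_short_name" or "no_match"
    result_count: int = 0


def strict_search(index: List[Patient], name: str, dob: date, user: str,
                  audit_log: List[AuditEvent], min_name_chars: int = 3) -> List[Patient]:
    """Hardened variant (hypothetical, not the Meditech logic): every
    criterion must hold, a name shorter than min_name_chars is refused
    outright, and each query is appended to audit_log with its outcome."""
    name = name.strip()
    if len(name) < min_name_chars:
        audit_log.append(AuditEvent(user, name, dob, "refused_short_name"))
        return []
    matches = [p for p in index
               if p.name.lower().startswith(name.lower()) and p.dob == dob]
    audit_log.append(AuditEvent(user, name, dob,
                                "ok" if matches else "no_match", len(matches)))
    return matches


def users_to_review(audit_log: List[AuditEvent], threshold: int = 2) -> List[str]:
    """Review heuristic: users with `threshold` or more refused or empty
    queries, a pattern consistent with probing the index rather than
    looking up a known patient. Returns the sorted user names."""
    counts: Dict[str, int] = {}
    for ev in audit_log:
        if ev.outcome != "ok":
            counts[ev.user] = counts.get(ev.user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)
```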


Use of Personal Health Information

Based on the information provided by the Hospital and the information