Health Information and Privacy

Decision Information

Summary:

The complainants alleged that, in various ways on various occasions, the hospital breached the collection, use and disclosure provisions of the Personal Health Information Protection Act during the course of their interactions with hospital staff regarding their daughter’s hospital records. No review of the complaint is warranted in accordance with sections 57(3) and 57(4)(a) because there are no reasonable grounds to review the complaint, and to the extent that there are, the hospital has already provided an adequate response.

Decision Content

PHIPA DECISION 38

Complaint HC14-47

December 30, 2016

Statutes Considered:  Personal Health Information Protection Act, 2004, sections 10(2), 12(1), 18(3), 23(1)1.ii, 37(1), 38(1)(a), 57(3) and 57(4)(a).

BACKGROUND:

[1]  Between October 2013 and June 2014, the complainants had a number of interactions with a hospital regarding their daughter’s [1] hospital records from a one-day hospital visit. On June 15, 2014, the complainants filed this complaint with the Office of the Information and Privacy Commissioner (IPC) on behalf of their daughter, alleging that the hospital’s actions and information practices breached the collection, use and disclosure provisions of the Personal Health Information Protection Act (PHIPA).

[2]  Upon receipt of the complainants’ lengthy and detailed complaint, the IPC notified the hospital of the complaint and attempted to mediate it. The hospital’s response to the complainants’ allegations was that, in all the incidents mentioned by the complainants, there was either no contravention of PHIPA or it responded adequately to the complaint. The complainants provided a significant amount of correspondence and materials in response to the submissions made by the hospital and to support their allegations. A mediated resolution of the complaint was not possible and it was moved to the adjudication stage of the IPC’s process for PHIPA complaints.

[3]  After reading the complaint file, I sent the complainants a letter dated November 18, 2016, advising them of my preliminary view that their complaint does not warrant a review pursuant to sections 57(3) and 57(4)(a) of PHIPA because there are no reasonable grounds to review their complaint and because the hospital has responded adequately to their complaint. In my letter, I invited the complainants to provide written submissions to explain why their complaint should proceed to a review under PHIPA in the event that they disagreed with my preliminary view. The complainants did not provide any written submissions.

[4]  In the circumstances, I find that the complaint does not warrant a review under PHIPA in accordance with section 57(3) and 57(4)(a) because there are no reasonable grounds for a review and, to the extent there are, the hospital has responded adequately to the complaint.

DISCUSSION:

[5]  There is no dispute that the hospital is a “health information custodian” and that the hospital records relating to the patient comprise “personal health information” under PHIPA. Accordingly, as a preliminary matter I find that the hospital is a “health information custodian” under paragraph 4.i. of section 3(1) of PHIPA, and that the records at issue are “personal health information” under section 4(1)(a) of PHIPA.

[6]  The complainants describe nine incidents in which they allege the hospital contravened PHIPA. The complainants’ allegations, which are detailed below, relate to the following provisions of PHIPA:

10.(2) A health information custodian shall comply with its information practices.

12.(1) A health information custodian shall take steps that are reasonable in the circumstances to ensure that personal health information in the custodian’s custody or control is protected against theft, loss and unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal. 

37.(1) A health information custodian may use personal health information about an individual,

(a) for the purpose for which the information was collected or created and for all the functions reasonably necessary for carrying out that purpose, but not if the information was collected with the consent of the individual or under clause 36(1)(b) and the individual expressly instructs otherwise[.]

38.(1) A health information custodian may disclose personal health information about an individual,

(a) to a health information custodian described in paragraph 1, 2, 3 or 4 of the definition of “health information custodian” in subsection 3(1), if the disclosure is reasonably necessary for the provision of health care and it is not reasonably possible to obtain the individual’s consent in a timely manner, but not if the individual has expressly instructed the custodian not to make the disclosure[.]

Incident #1

[7]  The complainants allege that the hospital did not collect the patient’s personal health information confidentially because a hospital staff member asked the patient personal questions about her health and provided information to her about a procedure while the staff member and the patient were in the hospital hallway within earshot of other people. The hospital responds that its policies and procedures for protecting confidentiality were respected at all times in regards to the patient, and that it did not release the patient’s clinical information to any third party not within the circle of care.

[8]  The complainants were not present during this incident. While it may have been possible that someone overheard the conversation between the patient and the hospital staff member, this possibility does not establish that the patient’s personal health information was collected or disclosed improperly, nor does it provide reasonable grounds for me to conclude that a review of the incident is warranted.

Incident #2

[9]  The complainants allege that the hospital did not follow its information practices because it failed to provide the mother complainant with a copy of the authorization form she signed when she first received a copy of the patient’s hospital records. The complainants also complain that the hospital provided the patient’s records free of charge. The hospital responds that the copy of the records it provided during this incident was for clinical follow-up reasons and it followed its standard practice and released relevant clinical records for continuity of care. The hospital states that it does not charge a fee for the production of records to be used for continuity of care, and it also does not provide a copy of the completed consent form unless it is asked to do so.

[10]  The complaint about not being charged a fee for the records when PHIPA does not require fees to be charged, and not receiving a copy of an administrative form that the complainants appear not to have requested, does not warrant any review.

Incidents #3 and 4

[11]  The complainants allege that the hospital did not have proper physical, administrative or technical safeguards in place to protect the personal health information contained in the Diagnostic Imaging Records room, and that the clerk working there left the mother complainant unattended in the room. They also complain that although the clerk asked the mother complainant for identification, she did not verify, document or record the patient’s health card that the mother complainant presented.

[12]  The complainants also allege that the hospital disclosed the patient’s diagnostic imaging records to the father complainant after he produced only the patient’s health card as identification. They complain that the hospital did not require the father complainant to sign a form documenting his receipt of these records and that the records, which were provided on disks, were unencrypted and not secure.

[13]  In its response, the hospital acknowledges that the staff member involved in these two incidents did not follow its confidentiality policies properly. It confirms that it reviewed appropriate policies and procedures with the clerk as part of its investigation of the complaint allegations. It adds that it will provide additional confidentiality training to all diagnostic imaging staff and that its Privacy Office will audit the physical privacy safeguards in the Diagnostic Imaging Department to ensure that privacy standards are being followed.

[14]  The hospital’s acknowledgement that the staff member did not follow its confidentiality policies properly; its confirmation that it followed up with the staff member by reviewing the appropriate policies and procedures; and its decision to provide additional confidentiality training to all its diagnostic imaging staff and to audit its physical privacy safeguards to ensure privacy standards are being followed, adequately address the complainants’ concerns about the incidents and about the safeguards in place in the Diagnostic Imaging Records room.

Incident #5

[15]  The complainants allege that the hospital did not protect the patient’s confidentiality when staff in its Health Records Office discussed the complainants’ request for a copy of a specific document from the patient’s hospital records in the small office where there were other people waiting to be served and other hospital staff and individuals in the nearby hallway. During this same incident, the complainants allege that the Health Records Office clerk corrected an error on an Authorization to Release Information form with correction fluid, thus failing to preserve the original content, and that she did not ask them to provide permission from the patient, who was 16 years of age at the time, to disclose the specific document from the hospital records to them.

[16]  The hospital responds that it had an Authorization to Release Information in the Clinical Record form signed by the father complainant on file and that no unauthorized person had access to the patient’s hospital records. It adds that it gives a copy of the completed consent form to the patient only when asked. The hospital confirms that its Privacy Office does not allow the use of correction fluid on forms and it has followed up with the relevant staff member about the proper way to correct errors on administrative documents such as the authorization form in question. The hospital states that the Health Records Office is located in the basement in an access controlled area that is not frequented by visitors or hospital staff. It adds that its staff has a duty to maintain confidentiality and its standard practice is to collect confidential information from identification cards in order to prevent the verbal transmission of confidential information. 

[17]  The hospital’s responses that no unauthorized person accessed the patient’s records and that the Health Records Office is in an access controlled area that is less frequented by others, and its acknowledgement that the use of correction fluid is not permitted and it followed up on this issue with the staff member, are adequate.

[18]  Regarding the complainants’ allegation that the patient’s personal health information was inappropriately disclosed to them during the incident on account of the patient having turned 16 years of age a month earlier, I note that sections 18(3) and paragraph 1.ii. of section 23(1) of PHIPA address the consent requirements for the disclosure of personal health information of an individual who is 16 years of age as follows:

18.(3) A consent to the disclosure of personal health information about an individual must be express, and not implied, if,

(a) a health information custodian makes the disclosure to a person that is not a health information custodian[.]

23.(1) If this Act or any other Act refers to a consent required of an individual to a collection, use or disclosure by a health information custodian of personal health information about the individual, a person described in one of the following  paragraphs may give, withhold or withdraw the consent:

1.ii. if the individual is at least 16 years of age, any person who is capable of consenting, whom the individual has authorized in writing to act on his or her behalf and who, if a natural person, is at least 16 years of age.

[19]  In accordance with the above sections which demand express written consent from the patient, I agree with the complainants that the hospital should have inquired about their authority to access the patient’s records. The hospital’s disclosure without doing so constitutes a technical breach of PHIPA.  However, I conclude that the circumstances of this technical breach of PHIPA do not warrant a review for the following reasons.

[20]  The complainants’ dealings with the hospital about the patient began well before this, and there was no issue about their authority to either seek access to her records on her behalf, or seek disclosure of her records to them. On this occasion, the hospital disclosed the specified document to the complainants in good faith, after having previously given them two complete copies of the patient’s records and interacted  with them acting on the patient’s behalf a number of times prior to the patient turning sixteen. The complainants’ communications with the IPC about this complaint indicate that they knew the patient’s written authorization was required in order for them to obtain her records at the time of the incident; however, the complainants did not raise this issue or the patient’s age with the hospital. These circumstances raise a question about the complainants’ own actions, since it is a violation of PHIPA to make a request under PHIPA, under false pretences, for access to a record of personal health information. Given the history of this matter and the complainants’ involvement in these events, even if I were to find that the hospital breached the provisions of PHIPA on this occasion, I would not issue any order. I therefore find a review of the hospital’s actions with respect to this incident is not warranted.

Incident #6

[21]  The complainants complain that a representative of the hospital’s Access to Information and Privacy Office left his office door open during their meeting with him to review the patient’s hospital records. They allege that their discussion with the representative was within earshot of people and staff outside the office in the hallway, and that a staff member stood in the doorway at one point during the meeting. They also complain about the representative not asking them for two pieces of identification as required by the hospital’s policy, and not providing any documentation confirming that they received a copy of the patient’s hospital records during the meeting. Finally, the complainants complain that the representative did not require them to pay a fee for the copy of the records they received.

[22]  The hospital responds that the office door could have been closed at any time had anyone felt it was necessary. It notes that the complainants did not ask that the door be closed during the meeting, nor did the representative refuse to close the door. The hospital asserts that no breach of confidentiality occurred during the meeting. In the spirit of improving its services and public perception, the hospital confirms that in the future, the representative will close his door during consultations with people and advise that he is doing so to ensure their privacy. Regarding the identification issue, the hospital states that the representative did not ask for identification because he had seen the mother complainant during an earlier visit she paid to the office and because he was expecting the complainants at that specific time in accordance with their scheduled appointment. He had also just confirmed the appointment with the father complainant on the telephone. The hospital explains that once patients are known to hospital staff, as in this situation, it is unnecessary and redundant for staff to ask for identification. Finally, the hospital states that because the complainants had paid for an earlier copy of the records that they received, it did not charge additional fees when the complainants requested the meeting for clarification of the records.

[23]  The complainants, by their own account, did not ask the representative to close the door during the meeting nor did they express any concern at the time although they could have. Nonetheless, the hospital advises that the representative will proactively close his door in future consultations for privacy purposes. As for the identification issue, the hospital’s response, that the complainants were known to staff in the records department and that the representative was expecting them, is adequate. Also adequate is the hospital’s response that it does not charge additional fees for records when clarification is sought. Moreover, as noted above, the hospital is not required to charge a fee under PHIPA.

Incident #7

[24]  The complainants allege that the electronic signature of a physician on the electrocardiogram reading demonstrates that the physician accessed and used the patient’s hospital records without authorization. The hospital responds that all electrocardiograms are interpreted by a specialist in cardiology, internal medicine or pneumology and electronically authenticated or signed by the physician who interprets them; this was the reason the physician accessed the patient’s records.

[25]  The physician in question is an internal medicine specialist who interpreted and signed the electrocardiogram in accordance with the hospital’s standard practice for such test results. This is an adequate response to the complainants’ concern about the physician accessing the patient’s records.

Incidents #8 and #9

[26]  The complainants allege that multiple copies of the diagnostic imaging disks have been made and distributed to third parties, and thus, the patient’s health information contained in the disks is not secure. They also allege that as members of the public, they were able to obtain confidential hospital operations and human resources documents and policies, which shows that hospital staff are unaware of and/or disregard privacy and confidentiality procedures.

[27]  The hospital provides a general response that its security practices for disclosing personal health information are consistent whether the records are paper based or electronic and include the proper identification of an individual authorized to receive the personal health information; in this case a known patient or legal guardian. There is no evidence in support of the complainants’ broad assertion about distribution of the patient’s diagnostic imaging disks and I will not inquire further into that allegation.  The complaint about the internal hospital documents and policies warrants no review. Whether or not the complainants and/or a hospital staff member acted inappropriately in respect of these documents, they do not contain personal health information and their disclosure is outside both the scope of PHIPA and my jurisdiction.

[28]  Sections 57(3) and (4)(a) set out my authority to decline to review a complaint as follows:

57.(3)  If the Commissioner does not take an action described in clause 1(b) or (c) or if the Commissioner takes an action described in one of those clauses but no settlement is effected within the time period specified, the Commissioner may review the subject-matter of a complaint made under this Act if satisfied that there are reasonable grounds to do so.

57.(4) The Commissioner may decide not to review the subject-matter of the complaint for whatever reason the Commissioner considers proper, including if satisfied that,

(a) the person about which the complaint is made has responded adequately to the complaint[.]

[29]  In accordance with my authority under sections 57(3) and 57(4)(a) of PHIPA, I decline to review this complaint because there are no reasonable grounds for the complaint and, to the extent that there are, the hospital adequately responded to the complaint. I issue this decision in satisfaction of the notice requirement in section 57(5) of PHIPA.

NO REVIEW:

For the foregoing reasons, no review of this matter will be conducted under PART VI of PHIPA.

Original Signed By:

Stella Ball

Adjudicator

December 30, 2016

[1] For easy reading, I will refer to the complainants’ daughter as “the patient” in this decision.