PHIPA DECISION 44

HC14-16

London Health Sciences Centre

April 25, 2017

Summary: A physician alleged that some of his colleagues engaged in unauthorized uses or disclosures of his personal health information, and that the hospital took inadequate steps to protect the privacy of his health information and respond to his complaints. This decision finds the allegations of unauthorized uses or disclosures to be unsubstantiated, with the exception of an instance where more information was used than was reasonably necessary to meet its purpose.

Statutes considered: Personal Health Information Protection Act, 2004.

Cases considered: PHIPA Order HO-13; PHIPA Decision 35.

INTRODUCTION

[1]  At the time of the events, the complainant was a radiologist at the London Health Sciences Centre (LHSC or the hospital). On October 23, 2012, he underwent a diagnostic procedure (an MRI) at the LHSC, which showed brain metastasis. Following this, a series of events occurred which led the complainant to file complaints with this office alleging that some of his colleagues had used or disclosed his personal health information, contrary to the provisions of the Personal Health Information Protection Act, 2004 (the Act).

[2]  The complainant initially filed two complaints with this office, which have been combined. In the first, he alleges that a colleague, Dr. DP, obtained information about the MRI and disclosed it without authorization to another colleague, Dr. AL, the Chair of the Medical Imaging Department. In the second, the complainant alleges that when he raised his concern about the inappropriate access by Dr. DP, the hospital failed to investigate and respond to the breach in an appropriate manner. The complainant alleges that Dr. AL’s involvement in the internal investigation on behalf of the LHSC was a conflict of interest and in contravention of the Act.

[3]  After filing his complaint with this office, the complainant received results of audits that LHSC conducted, at his request, on his Electronic Patient Record (EPR) and the Picture Archiving Communication System (PACS). These, as well as other information shared during the complaint process, led him to raise additional allegations of unauthorized uses of his personal health information.

[4]  During the course of this complaint, this office was advised that the complainant had died. His estate continues the complaint on his behalf.

[5]  In the final result, I find all allegations about the unauthorized use of the complainant’s personal health information to be unsubstantiated. I find, however, in one instance, that a respondent used more personal information than reasonably necessary for the purpose of the use, and issue an order addressing this finding.

[6]  I also make several recommendations to the hospital regarding its practices and procedures for preventing unauthorized accesses.

BACKGROUND TO THE COMPLAINT

[7]  It is not in dispute that following the complainant’s MRI on October 23, 2012, Dr. DP learned of the complainant’s condition, and disclosed it to the Chair of the Medical Imaging Department (Dr. AL) in a telephone conversation on October 24. Dr. AL then contacted the complainant on October 25, and spoke to him and his treating physician about the complainant’s ability to continue to perform the duties of a radiologist. At the time, the complainant was scheduled to work on October 24 and 25, and to be on-call the weekend of October 27-28. As a result of these discussions, the complainant did not work these shifts, although he did return to work for some period of time starting in early 2013.

[8]  In January 2014, the complainant asked the hospital to conduct an audit to determine whether there were unauthorized accesses to his medical records between October 22 and 25, 2012. In February 2014, the complainant also learned for the first time, in speaking with Dr. AL, that it was Dr. DP who advised Dr. AL of his condition in October 2012. He raised this with the hospital, alleging that Dr. DP had breached his privacy. The complainant also believed that Dr. AL should have reported this to the hospital as a privacy breach at the time it happened. On or about March 10, 2014, the complainant requested an audit covering May 19 to 23, 2013.

[9]  In April 2014, based on its investigation to that point, LHSC flagged accesses by three doctors as raising a concern and notified the complainant of this, providing him with a summary of the audit results. The complainant chose to add two of these doctors (Drs. DB and AG) to his complaint to this office. He also requested that he be provided with the complete audit logs for the audits he had requested to date. After receiving those results, the complainant then requested an audit of all accesses to his personal health information from October 19, 2012 to May 30, 2014. Based on those audit results, the complainant added additional allegations against Drs. DP and AL to his complaints.

[10]  Following the audits, and after providing the above notice to the complainant, the hospital continued to investigate, and ultimately decided that none of the accesses at issue were unauthorized.

[11]  The following is a summary of the complainant’s allegations of unauthorized use and/or disclosure of his personal health information that are the subject of this review:

1. Allegation of unauthorized use by Drs. DP, DB and AG based on PACS audit entries showing Report Viewed events;
2. Allegation of unauthorized use or disclosure by Dr. DP in sharing the result of the complainant’s MRI with Dr. AL on October 24, 2012;
3. Allegation of unauthorized use by Dr. AL in March 2014 (March 10, 11, 19, 21 and 27);
4. Allegation of unauthorized use or disclosure by Dr. DP based on text messages disclosed during the complaint process.
5. Allegation of unauthorized use or disclosure by Dr. AL to Dr. AG based on an email sent on October 29, 2012.

PROCESSING OF THE COMPLAINTS

[12]  After the initial complaints were filed, they were referred to a mediator with this office who investigated the circumstances and contacted the parties to try and resolve the complaints. Since no resolution was reached, the complaints were transferred to the adjudication stage.

[13]  I decided that there were reasonable grounds to review the subject-matter of these complaints. I began my review in June 2015 by issuing a Notice of Review to the LHSC, Drs. DB, AG, DP and AL, and invited those parties to submit representations on the facts and issues set out in the Notice.

[14]  I received joint representations from Drs. DB, AG and DP (whom for ease of reference I will also refer to as the “physicians”), and representations from the LHSC on behalf of the hospital and Dr. AL.

[15]  I then sent a Notice of Review, along with complete copies of all representations, to the complainant, and invited him to provide representations in response. During the course of the Review, counsel for the three doctors provided me with copies of certain text messages sent at the time of some of these events. These were shared with the complainant, who was invited to comment on them. The complainant takes the position that they are evidence of additional privacy breaches. I sent the complainant’s representations and supplementary representations to the LHSC and the doctors, inviting their reply representations.

[16]  In response to this Notice of Review, the physicians submitted that “accessing” a record within the meaning of the PACS does not correspond to actually viewing confidential personal health information. It simply means that in the course of performing one’s duties, the name of that patient is momentarily highlighted within PACS on the work list. In light of this submission, I decided to request a demonstration of the PACS, and on December 17, 2015, I visited the LHSC for this demonstration. Following the site visit, I asked for and received further information from the LHSC regarding the operation of PACS, the audit process and the incidents in question. My observations were summarized in a preliminary “Statement of Facts” that I sent to the LHSC initially, for fact-checking. Following this, I sent a revised Statement of Facts to counsel for the other parties and invited comment on any errors or omissions.

THE PICTURE ARCHIVING SYSTEM (PACS)

[17]  How PACS works is of particular relevance to my determination of some of the issues below. Before addressing the issues, I will set out some of my observations regarding the operation of PACS.

[18]  The LHSC is comprised of three hospitals, the University Hospital, the Victoria Hospital and the Children’s Hospital, as well as other health care facilities. The PACS is used by the radiologists at LHSC hospitals to review radiologic studies and provide diagnoses. LHSC has approximately 28 radiologists on staff, with approximately 80% of those radiologists working at a given time; in addition, 10–15 radiology residents work alongside staff. On any given day, approximately 32–37 of these individuals access the PACS at LHSC.

1. Typical work flow of a radiologist, including daily assignments

• For each work shift, a radiologist is assigned to one or more “modalities”—for example, computed radiography (CR), computed tomography (CT), magnetic resonance imaging (MRI), etc.—and sometimes additionally to specific procedures or organ systems —for example, head, chest, thorax, abdomen series, etc.

• Radiologists are also responsible on a rotating basis to review “new requisitions” (e.g. requests for new CT examinations) and to assign a protocol for the examination even though it may be performed and interpreted by a colleague other than the radiologist reviewing the requisition. This process often requires radiologists to review a patient’s history and previous examinations on PACS. A radiologist may accordingly, as part of his/her assigned duties, review the history and prior examinations on patients with respect to whom that radiologist may not ultimately review, diagnose or report.

• Radiologists are responsible for reviewing patient exams (ie., the images generated as a result of the performance of a radiological procedure), formulating diagnoses and dictating reports with respect to their assigned modality / procedure.

• Daily responsibilities for radiologists may overlap—for example, multiple radiologists may be assigned to the same modality / procedure for a given shift.

• Radiologists may be asked by colleagues to review or provide a second opinion on a particular exam / report or, in the case of residents, a series of exams / reports.

• Radiologists may be asked to work in a modality / procedure to which they were not originally assigned if there is a backup in the number of exams / reports for that modality / procedure.

2. Work lists

• On the PACS, patients are grouped into “work lists”.

• There are various work lists available to the radiologists. Each work list is defined by a set of criteria. Depending on its criteria, a work list will display a particular subset of patient exams stored in the LHSC database.

• The work lists available to radiologists are created by LHSC’s technology services.

• Radiologists may change work lists by selecting a new work list from the drop-down menu of all available work lists or from their own list of default work lists.

• Examples of work lists include “All Exams,” “Last 30 days,” “Last 14 days,” “All Recent [Modality],” “Unverified list,” “Unread scans,” “[Individual radiologist].”

• The work lists automatically display a list of patient exams when selected. The list of patient exams corresponds to the pre-set criteria of the work list. For example, the work list “Last 14 days” will automatically display the list of all patient exams from the last 14 days in the LHSC database.

• There are three main types of worklists used by radiologists: “unverified” worklists, “unread” worklists and “all recent” worklists. Each of these worklists filters patient exams differently.

• “Unverified” worklists display patient exams that have been captured by a technologist but have not yet been verified by the technologist in the PACS.

• “Unread” worklists display patient exams that have been verified by a technologist but for which no report has yet been dictated by a radiologist.

• Radiologists typically work from “unread” worklists containing patient exams without a dictated report. However, they may also work from “all recent” worklists containing patient exams at different stages of the report creation process for a number of reasons, including:

• o to review which patient exams have had reports dictated and which still need to have reports dictated;

• o to review what trainees have done or are currently doing and to assess what the radiologist needs to do;

• o to do an audit for planning purposes, for instance, to see how many patients have had a particular procedure;

• o to select and display patient exams to students for teaching purposes.

• The length of time covered by a given worklist varies from 14 up to 180 days. Most of the worklists used by the radiologists cover patient exams conducted within the previous 14 to 28 days. The hospital explained that the worklists at the higher (28 day) timeframe are a “catch all bucket” to ensure the department catches any studies that have come off the worklists with shorter time frames but have not yet been reported.

3. Statuses

• Each patient exam in the PACS has a status, and the status changes over time as the information is updated. A patient exam may start as having been “ordered”, then change to “arrived” as images begin to arrive in the PACS. The status will change to “verified” once the technologist verifies that all images have arrived, then to “dictated”, “transcribed” and “completed.” A patient may appear on one work list and then move to a different work list as the status of his or her exam changes.

4. Scrolling, highlighting, hovering and clicking functionality

• Doctors log into PACS to view their work lists. The PACS automatically selects a default Work List. The default screen divides the information displayed to the user into three segments. The top of the screen contains the list of patients corresponding to the Work List. The first patient on the list is highlighted by default. The middle of the screen is the “Patient Jacket”, containing a list of the highlighted patient’s exams. Again, one exam is highlighted by default. The bottom segment contains the “Report” screen, which provides access to the report for the highlighted exam.

• The information in each of the three segments on the screen is limited by the size of the segments. For instance, on the default screen, the Patient Jacket may contain up to four exams for the highlighted patient.

• Scrolling through lists on the screen may be done with the mouse either by selecting the scroll bar on the screen and moving the mouse cursor up or down or by rotating the mouse scroll wheel forwards or backwards over the list of exams. Scrolling may also be done with the keyboard by using the up or down arrow keys.

• Hovering or resting the mouse cursor over a limited number of areas of the PACS user interface produces a dialog box containing further information regarding a particular field. For example, hovering over the “Reason for exam” field in the Report screen, which field is typically truncated, will produce a dialog box containing the full text of the “Reason for exam” entry in the patient report. Examples of common entries in the “reason for exam” field are: cough, SOB (shortness of breath), r/o (rule out) pneumonia.

5. Viewing reports

• The Report segment of the screen displays information about the report corresponding to the highlighted exam in the Patient Jacket. If a report has been transcribed or completed, the report screen also includes the contents of the report. Due to the limited size of this segment on the screen, only a few lines are available and in order to view all of a report, the user must scroll up and down within the Report screen.

• Whether or not a report is available, the default screen for the Report segment displays the following fields:

• o Patient name;

• o Study date/time – the date/time of the patient exam;

• o Type of Procedure;

• o MRN (Medical Record number);

• o Birth date;

• o Status (of exam);

• o Reason for exam;

• o Order comments (although this field was available, at the time of these events the PACS system did not capture any information in this field);

• o Physician

• There is limited room on the screen to view the information in the fields and, as indicated above, additional information can be displayed by hovering over or clicking on some fields.

6. Logging accesses to reports and images

• The PACS captures and logs certain types of actions by users.

• Scrolling or moving through a list of patient exams in the Work List or a list of exams in the Patient Jacket may trigger an audit log in the PACS depending on how the scrolling is done.

• Scrolling through the Work List or the Patient Jacket with the mouse does not by itself trigger a log in the PACS.

• Assuming that the Report screen is open as part of the default three-segment screen, a “report viewed (RV)” log is triggered when the user scrolls through the Work List with the keyboard, as each patient’s name is highlighted. The same log is triggered when the user clicks directly on a patient’s name in the Work List.

• When a patient’s name is highlighted through either of the last two scrolling techniques, the Patient Jacket shows a list of that patient’s exams (limited by the default size of that screen), and the Report screen shows information about the exam on the top of the Patient Jacket list.

• Double clicking on a patient name in the Work List produces the same result as above; however, in addition it also opens the images of the highlighted exam. This triggers an “exam viewed (EV)” log.

• Hovering over areas of the screen that produce dialogue boxes does not trigger a PACS log in itself.

• A “report viewed (RV)” log may be generated in the above-described circumstances even where the report for the exam has not yet been produced.

• Each PACS log is date and time stamped.

• The length of access is calculated by taking the difference in date/time stamps between sequential logged events in the PACS audit log. For example, if the PACS audit log showed that a particular radiologist viewed a report screen (RV) at 15:03:25 and then subsequently accessed another report screen at 15:07:47, LHSC calculates the length of access to the first screen as 4 minutes, 22 seconds.

• LHSC did not have the PACS configured to capture printing events in its audit log.

7. Automatic logout

• Radiologists are automatically logged out of the PACS system after a period of inactivity which ranges from a few minutes to 30 minutes depending on the needs of the department.

8. Audit reports and process

• Audit reports, which consist of a series of logs, may be generated for events in the PACS concerning a particular patient or a particular user, over a given timeframe.

• In the case of a particular patient, the audit report contains a list of all events in the PACS audit log representing accesses to the patient exams/reports of the patient by all users.

• In the case of a particular user, the audit report contains a list of all events in the PACS audit log representing accesses to all patient exams/reports by the user.

• LHSC staff work through the audit report by checking each access and documenting in the “Comments” section whether or not the access is questionable, having recourse to tools and hospital applications that contain information such as work schedules, employee roles, patient appointments, etc.

• Where accesses identified as questionable require further investigation, they are summarized in chart form and provided to a “leader” of the department involved, who may be the Chief of the Department or Director of Medical Affairs. This individual further investigates the accesses, which may involve interviewing the staff involved, to come to a determination of whether the accesses were authorized.

The audits of the complainant’s records

[19]  As indicated, the complainant asked the hospital to run several audits of the PACS system, initially focusing on specific times, and then, ultimately, for the entire period of October 19, 2012 to March 31, 2014. The hospital provided this office and the complainant with the complete audit logs for this period.

[20]  In this case, the audit log generated with respect to the complainant, for the period October 29, 2012 to March 31, 2014, is contained on a Microsoft Excel spreadsheet consisting of 12 columns and 4157 rows. Each row represents an event respecting one of the complainant’s patient exams. There is a good deal of duplication of events in the report. For example, some events appear four times in a row. A number of events are the result of “back-end” PACS processes used to connect applications and devices to the PACS and do not represent accesses by individual users. Given that some events are the result of back-end PACS processes as well as the duplication of information, the total number of accesses to the complainant’s patient exams for the time period of the report is far below 4157, although it is still a substantial number.

[21]  A total of 81 different users accessed the complainant’s patient exams and/or reports between October 29, 2012 to March 31, 2014. Since the length of the accesses is not shown, I asked the LHSC for further information with respect to a number of accesses in a date range, whose characteristics suggested that they may be the results of scrolling through worklists. The information I received was that most of these accesses were under 10 seconds in length, with a significant number under 5 seconds, while others ranged from 14 seconds to 75 minutes.

[22]  After running the initial audits requested by the complainant, in February and March of 2014, the hospital’s privacy office initially identified certain accesses as questionable. These were given to Dr. AL on March 6 and 14, 2014 to investigate. On April 11, 2014, the hospital notified the complainant of accesses by three individuals, on November 7, 2012 and May 21, 2013, describing them as inappropriate. The complainant requested and received the hospital’s summary of these accesses. As indicated above, he chose to add two of the individuals identified in the summary to his complaint of unauthorized access made to this office.

DISCUSSION

Health Information Custodians

[23]  Broadly speaking, the Act regulates the activities of a defined group of persons and their agents with respect to personal health information. ^[1] This group is referred to in the Act as “health information custodians”, a term which the Act defines, in part, as follows:

3. (1) In this Act,

“health information custodian”, subject to subsections (3) to (11), means a person or organization described in one of the following paragraphs who has custody or control of personal health information as a result of or in connection with performing the person’s or organization’s powers or duties or the work described in the paragraph, if any:

1.  A health care practitioner or a person who operates a group practice of health care practitioners.

…

4.  A person who operates one of the following facilities, programs or services:

i.  A hospital within the meaning of the Public Hospitals Act, a private hospital within the meaning of the Private Hospitals Act, a psychiatric facility within the meaning of the Mental Health Act or an independent health facility within the meaning of the Independent Health Facilities Act. …

[24]  In this case, there is no dispute, and I find, that the person who operates the hospital is a health information custodian within the meaning of the Act and that the hospital has custody or control of the personal health information on the PACS.

Personal Health Information

[25]  The Act defines “personal health information” as follows:

4. (1) In this Act,

“personal health information”, subject to subsections (3) and (4), means identifying information about an individual in oral or recorded form, if the information,

(a)  relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family,

(b)  relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual,

(c)  is a plan of service within the meaning of the Home Care and Community Services Act, 1994 for the individual,

(d)  relates to payments or eligibility for health care, or eligibility for coverage for health care, in respect of the individual,

(e)  relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such body part or bodily substance,

(f)  is the individual’s health number, or

(g)  identifies an individual’s substitute decision-maker.

(2) In this section,

“identifying information” means information that identifies an individual or for which it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify an individual.

(3) Personal health information includes identifying information that is not personal health information described in subsection (1) but that is contained in a record that contains personal health information described in that subsection.

(4) Personal health information does not include identifying information contained in a record that is in the custody or under the control of a health information custodian if,

(a)  the identifying information contained in the record relates primarily to one or more employees or other agents of the custodian; and

(b)  the record is maintained primarily for a purpose other than the provision of health care or assistance in providing health care to the employees or other agents.

[26]  The definition of personal health information is broad, encompassing more than just diagnoses and medical test results. For example, the fact that a person is being provided health care by a hospital is that person’s personal health information.

[27]  In this case, there is no dispute, and I find, that the PACS contains the complainant’s personal health information as defined in the Act. However, I note, and address below, the position of the hospital that no personal health information is displayed in the PACS system where an access occurred before a report had been created.

Agents of Health Information Custodians

[28]  The Act also applies to the activities of those persons who act for or on behalf of health information custodians in respect of personal health information. Such persons are referred to as “agents”. “Agent” is defined in the Act as follows:

in relation to a health information custodian, means a person that, with the authorization of the custodian, acts for or on behalf of the custodian in respect of personal health information for the purposes of the custodian, and not the agent’s own purposes, whether or not the agent has the authority to bind the custodian, whether or not the agent is employed by the custodian and whether or not the agent is being remunerated; [2]

[29]  Where a health care practitioner is acting as an agent of a health information custodian, that health care practitioner is not a health information custodian in respect of the personal health information he/she collects, uses or discloses as an agent. [3]

[30]  In this case, there is no dispute, and I find, that the physicians as well as Dr. AL were agents of the hospital in using the PACS to provide radiology services. However, I note, and address below, the complainant’s allegation that Dr. DP was not acting on behalf of the hospital in communicating his personal health information to Dr. AL and Dr. DB on October 23 and 24, 2012.

Collections, Uses and Disclosures

[31]  One of the purposes of the Act is to establish rules for the collection, use and disclosure of personal health information about individuals that protect the confidentiality of that information and the privacy of individuals, while facilitating the effective provision of health care. ^[4] One of the ways in which the Act achieves this purpose is by requiring that collections, uses and disclosures of personal health information occur with the consent of the individual to whom the information relates, unless such collections, uses and disclosures are permitted or required without consent by the Act. [5] Unless the Act requires express consent, the consent may be express or implied. [6] Some health information custodians, such as hospitals, may rely upon assumed implied consent where the collection, use or disclosure is for the purpose of providing health care or assisting in providing health care, in specific circumstances. [7]

[32]  In the context of this complaint, there does not appear to be any dispute that, where radiologists were assigning a protocol for an examination of the complainant or formulating a diagnoses in relation to the complainant, this is “providing health care or assisting in providing health” within the meaning of the Act. [8] However, the parties dispute whether each of the specific accesses by the physicians as well as Dr. AL in this case were done for the purpose of providing health care, or assisting in the provision of health care, or were done for another unauthorized purpose, and further whether each of these accesses is a “use” of the complainant’s personal health information.

[33]  As indicated above, the Act also provides for situations in which health information custodians may collect, use and disclose personal health information without consent. In the context of this complaint, subsections 37(1)(a), (c) and (d), which describe certain permitted uses without consent, and subsection 37(2) are relevant, and provide:

37. (1) A health information custodian may use personal health information about an individual,

(a)  for the purpose for which the information was collected or created and for all the functions reasonably necessary for carrying out that purpose, but not if the information was collected with the consent of the individual or under clause 36 (1) (b) and the individual expressly instructs otherwise;

…

(c)  for planning or delivering programs or services that the custodian provides or that the custodian funds in whole or in part, allocating resources to any of them, evaluating or monitoring any of them or detecting, monitoring or preventing fraud or any unauthorized receipt of services or benefits related to any of them;

(d)  for the purpose of risk management, error management or for the purpose of activities to improve or maintain the quality of care or to improve or maintain the quality of any related programs or services of the custodian;

…

(2) If subsection (1) authorizes a health information custodian to use personal health information for a purpose, the custodian may provide the information to an agent of the custodian who may use it for that purpose on behalf of the custodian.

[34]  Even where a collection, use or disclosure would otherwise be authorized under the Act, health information custodians are prohibited from collecting, using or disclosing personal health information if other information will serve the purpose of the collection, use or disclosure, and from collecting, using or disclosing more personal health information than is reasonably necessary to meet the purpose of the collection, use or disclosure, except where the collection, use or disclosure is required by law. [9]

[35]  In the following discussion, I will review the complainant’s allegations in the following groups:

1. Allegations of unauthorized uses by Drs. DP, DB and AG based on audit entries showing “RV” events.
2. Allegation of unauthorized use or disclosure by Dr. DP in sharing the result of the complainant’s MRI with Dr. AL on October 24, 2012.
3. Allegation of unauthorized use by Dr. AL in March 2014 (March 10, 11, 19, 21 and 27.
4. Allegation of unauthorized use or disclosure by Dr. DP based on text messages disclosed during the complaint process.
5. Allegation of unauthorized use or disclosure by Dr. AL to Dr. AG based on an email sent on October 29, 2012.

1. Allegations of unauthorized use based on audit entries showing “RV” events.

Are the accesses at issue “uses” of personal health information within the meaning of the Act and if so, were they authorized uses?

[36]  Based on the audit results, the complainant alleges that, on the following dates, the following individuals used his personal health information in the PACS for unauthorized purposes:

1. Dr. DB: November 7, 2012 and March 5, 2014.
2. Dr. AG: February 20, 2013 (5 instances), February 21 and 28, May 21 and November 19, 2013.
3. Dr. DP: October 19, 2012, February 21, May 15 and November 19, 2013.

[37]  The audits conducted by the LHSC showed “RV” events in the PACS by each of the above individuals on the dates set out above. For ease of reference, I will also refer to these events as “accesses.”

Positions of the parties

[38]  Some of these events lasted less than 10 seconds. The LHSC takes the position that accesses of less than 10 seconds are not unauthorized uses, stating that in that period of time, there is “no PHI to handle or deal with.” Further, where an RV event occurs at a time before a report is available on the PACS system, the LHSC does not view the event as an unauthorized use. In its view, even if the report screen is open at the time of access, where a Digital Imaging Report had not yet been transcribed or typed, no personal health information was “handled” or “dealt with” within the definition of a “use” under the Act.

[39]  Drs. DP, DB and AG made submissions about the manner in which work is assigned and thereafter sorted and viewed by radiologists in order to perform diagnostic imaging services to LHSC patients, which is largely consistent with my own observations above.

[40]  Generally, the physicians submit that “accessing” a record within the meaning of the PACS does not correspond to actually viewing confidential personal health information. It simply means that in the course of performing one’s duties, the name of that patient is momentarily highlighted within PACS and the work list.

[41]  The physicians review each of the alleged unauthorized accesses in turn, noting the brief duration of many of the “accesses”, as well as the fact that on some of the days for which accesses were logged, no report for the complainant had yet been dictated and/or transcribed. With respect to other events, the physicians submit that they arose out of the permitted purpose of providing care to the complainant.

[42]  Dr. AG commented in particular on the access of May 21, 2013. He states that on this date, he was assigned to report MRI’s, in addition to CT scans, ultrasounds, x-rays and fluoroscopy. He states that the access of May 21, 2013 involved a neurologic MRI, which he was not assigned to report at that time. He submits that the access in question was therefore the result of the scrolling/highlighting phenomenon. Dr. AG submits that the information provided by LHSC corroborates his position that the impugned access on May 21, 2013 was not actually an access at all, but simply an artifact of PACS as a result of scrolling/highlighting.

[43]  The complainant believes that all of the accesses listed above were unauthorized, and made for personal motivations connected to conflict between members of the professional corporation. At the time of the events, the complainant, as well as many of his colleagues at the hospital, provided his radiology services to LHSC through a professional corporation (“UIA”). Dr. DP was the Managing Director of UIA, but the hospital also describes him as the Managing Director of Radiology for the hospital. At the time, Drs. AG, DP and DB were all Directors of the Corporation. The complainant states that just before his MRI on October 23, 2012, some of the members of the professional corporation, including himself, had expressed dissatisfaction with the leadership of the corporation. He believes these events led to targeted unauthorized accesses.

[44]  The complainant rejects the “scrolling/highlighting phenomenon” explanation offered by LHSC and the physicians and takes the position that all the accesses reflected in the audit were unauthorized uses or disclosures.

[45]  The complainant submitted that the work lists of each radiologist are narrowed for a particular modality or a particular organ system, and that it would be unusual for a radiologist to scroll through the entire list of scans without doing some narrowing before beginning his/her work. He also submitted that the audit reflects accessing of particular reports. Therefore, the complainant believes the scrolling/highlighting “excuse” does not explain this audit result.

[46]  The complainant submits that the physicians identified as having accessed his reports were not involved in reading any of his scans on the days in question, and therefore questions why they must have clicked on his name and then clicked on a specific report. He also submits that on two of the dates in question, he should not have been on any work lists.

[47]  The complainant queries, if the “scrolling/highlighting phenomenon” is the explanation, why the audit report is not replete with such instances, and why only the physicians about whom he is concerned appear in the audit results. The complainant also submits that if the LHSC’s audit system logs access to a report when no report is in fact available, then there would seem to be a problem with the audit system and the value and reliability of the information it produces.

[48]  The complainant’s position is that an access for less than 10 seconds is still a “use”. He rejects LHSC’s statement that “there was no PHI to handle or deal with”. He submits that the conclusion that an access of under 10 seconds is not a “use” is an arbitrary conclusion without logical foundation, and that 10 seconds is plenty of time for a radiologist to review the “conclusion” or “impression” section of the diagnostic imaging report. As well, 10 seconds is long enough to print a hard copy of a report to read later.

[49]  In reply, among other things, the physicians submit that the scrolling/highlighting function, together with the layout of the screens used in the radiology department, provides a complete answer to the majority of the accesses which are alleged by the complainant to have been improper. They submit that most of the alleged accesses were not “uses” within the meaning of the Act. Other accesses, which they acknowledge were “uses” of the complainant’s personal health information, were in connection with the provision of care.

Conclusions

The accesses are “uses”

[50]  The first question I will address is whether the accesses in question are “uses” of the complainant’s personal health information. I note that, where a health information custodian provides personal health information to an agent of the custodian, this is a use and not a disclosure. [10]

[51]  I do not accept the position of the hospital that if these events occurred before a report has been created, the screen contains no personal health information. Each of the accesses which resulted in an RV entry in the audit log represents an instance in which the complainant’s personal health information was displayed, however momentarily and limited. Even if the report screen contains no report, it provides some information about the exam highlighted, such as the doctor who ordered it. As well, the patient jacket provides a list of the exams ordered for the patient. All of this qualifies as personal health information. Under the Act, even the patient’s name on the PACS, indicating that the patient is receiving treatment from LHSC, is personal health information. [11]

[52]  The respondents assert that to the extent that all of these logged events represent untargeted and incidental views of the complainant’s information during the course of scrolling through worklists, they do not amount to “uses” within the meaning of PHIPA. I see no reason to limit the meaning of “uses” in this manner. At the time of these submissions and these events, a “use” under the Act meant to “handle or deal” with personal health information. [12] On a straightforward application of these terms, the displaying and/or viewing of a patient’s personal health information in the PACS is a “use” of the information, as is the selection of that patient’s name on the system (which displays additional personal health information). In such a context, I find that even brief views of a patient’s personal health information, and even if those brief views include only the name of the patient on a work list, are “uses” of personal health information within the meaning of the Act.

[53]  As will be discussed further below, many of the impugned accesses were brief and despite generating a RV log, did not involve access to a report. It is unfortunate that the LHSC’s staff initially informed the complainant, based on its interpretation of the audit logs, that the respondents had in all cases reviewed reports of his radiological exams. It was well into the LHSC’s investigation that its staff learned that RV entries could be generated by its audit system even before reports were available. As I state above, the default PACS screens still contain personal health information before they are populated with reports. But the amount of information available on these screens differs significantly depending on whether or not a report has been completed at the time of a given access, and this was not made clear to the complainant by the LHSC until well after its initial reponse to his complaint. The complainant was thus led to believe that the audit results showed that the respondents had read the reports of his exams.

The “uses” were authorized

[54]  Having determined that the particular accesses in question are “uses”, I must now consider whether these types of uses of the complainant’s personal health information are authorized by the Act.

[55]  After considering all the material before me, I find that uses in connection with scrolling through PACS worklists are permitted without the complainant’s consent, pursuant to subsections 37(1)(a) and 37(1)(c) of the Act.

[56]  The radiologists use worklists to organize, prioritize and review their work as well as the work of others they supervise or with whom they collaborate. As part of their work, radiologists may engage in incidental as well as non-incidental views of personal health information of patients. Worklists, as the name suggests, are used to plan the work of the radiology department as well as to ensure that the department catches any exams that have not yet been reported. Even though the agent who views a patient name on a worklist may not ultimately provide direct health care to that patient, this does not make this viewing a contravention of the Act. [13] Rather, as I find happened in this case, where personal health information is viewed incidentally as part of scrolling through worklists, these uses are authorized as being:

• reasonably necessary for carrying out the purpose for which the personal health information was collected or created under pursuant to 37(1)(a) [14] (in this case being the provision of health care to the complainant); and
• for the purposes of planning or delivering programs or services that the custodian provides pursuant to section 37(1)(c) (in this case being the provision of radiology services and, more specifically, health care).

[57]  Further, where an individual’s personal health information is viewed on a worklist as part of providing or assisting in providing health care to that individual, and provided the other statutory conditions are met, this use will be authorized with the individuals’ assumed implied consent under section 20(2).

[58]  There is no dispute that the radiologists who were involved in providing, or assisting in providing, health care to the complainant were authorized to use his personal health information in the PACS. From the complainant’s representations, I also infer that he does not disagree that other radiologists may also legitimately view his name on a worklist, for instance, when they review a list of “unread” exams in order to determine their work for the day. The complainant does not suggest that this type of workplace practice of the radiologists contravenes the Act. He also does not suggest that the use of worklists, the existence of a three-part screen, and the display of information as radiologists move through the screen, are unauthorized uses of personal health information, when these are part of normal practices during the delivery of radiology services. Rather, he believes that the accesses that are the subject of this complaint were done for personal motivations connected to conflict between members of a professional corporation.

[59]  I have considered and weighed all the evidence in order to come to a determination on this question. Ultimately, I must draw inferences about the motives of the physicians when viewing the complainant’s information on the PACS. On my review of the material before me and the representations of the parties, I conclude that the circumstances surrounding most of the “accesses” to the complainant’s information shown as RV events on the audit logs are consistent with permitted uses in subsections 37(1)(a) and 37(1)(c). With the exception of those occurring on February 20 and 21, 2013, which I discuss separately below, I conclude that they were the product of normal workplace use of PACS worklists. In arriving at this conclusion, I have relied on the following:

• An audit log can result from the action of scrolling through a list of patient names on a work list using the keyboard, although not a mouse. On this matter, the complainant appears to assume that RV audit logs result only when a user selects and clicks on a patient’s name. I find this not to be the case, in that audit logs are generated through scrolling as well.
• The accesses occurred during times when the complainant’s name would have appeared on a number of work lists commonly used by the radiologists in their normal course of work. On my review of the evidence about the work lists and their composition, I do not agree with the complainant’s submission that some of the accesses occurred on dates when his name was not on any work lists.
• Most of the accesses occurred at a time when no report was yet available for the complainant, increasing the number of work lists on which his name appeared.
• The accesses were brief and are consistent with the action of scrolling through a work list.
• Normal hospital routines result in radiologists viewing lists and some limited information of patients for whom they do not transcribe reports or directly provide care.
• None of the accesses that occurred when no report was yet available was followed by an access once the report became available.
• Although images were available on occasions when reports were not completed, there were no attempts to view the images.

[60]  I will specifically review the accesses that occurred when reports were available, as these raise greater potential concerns. The access by Dr. DB on March 5, 2014, when a report was available, was for less than a second. Based on the above factors, as well as the duration of the access, I conclude that it was more likely than not the result of scrolling through a worklist, rather than a deliberate and targeted attempt to access the information of the complainant.

[61]  The accesses by Dr. DP on October 19, 2012 and May 15, 2013, when reports were available, were for two seconds each. Having regard to the above factors, as well as the length of the accesses, which I find unlikely to have provided an opportunity to review the reports, I find that they were the result of scrolling through worklists.

[62]  The access by Dr. AG on May 21, 2013 is longer (25 seconds) and I requested more information from LHSC to understand the context of this access. The report for the related exam was available on the screen as it had been transcribed as of May 19. I requested a log of Dr. AG’s 20 accesses immediately before and 20 accesses immediately after the May 21 access to the complainant’s patient exam. The information I received is that the May 21 access to the complainant’s patient exam came fourth in a series of six accesses by Dr. AG, in reverse chronologicial order, to patient exams for which a report was available, i.e., the exam had a report status of “completed”. The accesses ranged from 10 to 35 seconds in length. These six accesses, in turn, came in the midst of 40 accesses within a period of 19 minutes (therefore averaging about 30 seconds per access), at about 8 am. The 40 accesses cover patient exams that occurred (with three exceptions) between May 18 and May 21, 2013, some when a report was available but most when a report was not yet completed. Most entries (including that relating to the complainant) are logged as “Report Viewed”, with a few logged as “Exam Viewed.” The 40 accesses cover several different types of exams.

[63]  When interviewed about this access, almost a year later, Dr. AG did not recall it. At the time of this access, Dr. AG had just returned to work after a vacation. According to his submissions, he theorized that he might have viewed the report in his role as Site Chief in order to determine whether the complainant would be working his scheduled shifts, but considered that possibility highly unlikely. After reviewing the additional facts about the context of this access during the course of this review, Dr. AG submits that the surrounding information establishes this access was a result of scrolling through a worklist. He states that he did not view any records.

[64]  The hospital initially treated this access as questionable based on its criteria of a greater than 10 second access. The hospital ultimately came to view the access as authorized, and consistent with scrolling through a worklist as part of performing radiology functions.

[65]  The complainant submits that the access cannot be explained by the “scrolling/highlighting” phenomenon as the complainant would not have been on a work list that day, the exam having been completed.

[66]  The length of this access raises questions, as it is long enough to allow a user to read through the associated report. Given the overall context, however, the length of the access alone does not support a finding of an unauthorized use. After considering the additional information about the access of May 21, as well as all the events surrounding this access, I conclude that this use was not for an improper purpose. I find that several worklists in common use contained both reported and unreported exams performed within a recent time frame. I accept that the complainant’s name would have appeared on several worklists on this date, as the exam in question had been performed two days previous to May 21.

[67]  Dr. AG, as Site Chief for the provision of radiology services at this location, had just returned from vacation. On the morning of his return, he appears to have scrolled through a number of exams which occurred in his absence, some for which reports had been completed and others not. The time spent on the complainant’s entry is consistent with the time spent on other patients within a 19-minute period. The access to the complainant’s information came in the midst of a set of reverse chronological order accesses, consistent with the action of scrolling through a list. On balance, I conclude that this access to the complainant’s information was not targeted nor done for an unauthorized purpose.

[68]  The complainant questions why it is that only the individuals about whom he had concerns appeared in the audit results. However, this submission is not supported by the audit results that were flagged by the hospital. During its audit the hospital identified some accesses as questionable, involving doctors who were not providing care to the complainant. In the case of one individual, the complainant subsequently provided his consent to those accesses. Whether or not consent can be given retroactively, the complainant did not pursue a complaint in relation to this access. In the case of another individual, whose access occurred at a time when no report was available, the complainant also chose not to pursue a complaint of unauthorized access.

The accesses of February 20 and 21, 2013

[69]  I will deal with these accesses separately as the physicians describe them as having been made for the purpose of providing health care to the complainant.

[70]  On February 20, 2013, Dr. AG accessed the complainant’s information on the PACS by viewing information in four different exams under the complainant’s name. One of these was viewed twice. The duration of the accesses ranged from 3 seconds to 10 minutes. On February 21, 2013, Dr. AG accessed one of these exams again, for 3 seconds.

[71]  Dr. AG submits that these accesses were for legitimate clinical purposes as he was within the complainant’s “circle of care” at this time. He states that on February 20, he was approached by a junior colleague in the department who had joined the professional staff of the hospital less than a month earlier. The colleague had been tasked with interpreting a study conducted on the complainant earlier that day (a CT scan of the chest). Second opinions are often sought as part of normal workflow in the department. This colleague was particularly vigilant about reporting findings on a senior colleague’s condition and wished a more senior diagnostician to review the matter. Dr. AG states that he reviewed some of the complainant’s information in the PACS in connection with the colleague’s request, on February 20, and provided his impression. He also viewed the relevant images at the junior colleague’s workstation. Dr. AG states that he has no recollection of the access on the morning of February 21, 2013, and assumes that he may have wished to review the result of the consultation.

[72]  Dr. DP also accessed the draft report of the CT scan described above on February 21, 2013, for 14 minutes. When asked about this access by the hospital, he did not have a recollection of his reason for accessing this study. In his representations, he states that, upon further reflection, the colleague named by Dr. AG also sought his opinion on the study. He states that he reviewed the draft report on his computer terminal on the morning of February 21, before the colleague finalized it. He states that the colleague particularly wanted advice on the wording of the report.

[73]  The complainant provides a number of reasons to doubt the veracity of these physicians’ explanations for the accesses of February 20 and 21, which I have considered. Among other things, he disputes the need for the colleague to seek advice from others and points out that by the time this consultation had occurred, the colleague had already advised the complainant of the results. He also disputes the need for the physicians, even if they were consulted by their colleague, to access other reports in order to provide advice on the scan in question.

[74]  I find that these submissions, which may reflect a difference in professional opinion, do not undermine the explanations provided. From all accounts, the results of the scan were of significant concern. They resulted in a fairly lengthy and detailed report. I find it reasonable to conclude that a junior colleague would seek advice from others more senior on these results. Further, information from the hospital about the history of the report shows that it was modified by the radiologist a few times before being finalized on February 28, supporting the conclusion that the radiologist consulted with his colleagues.

[75]  Based on the material before me, including the complainant’s submissions, I am persuaded that the evidence leads to the conclusion that these accesses were done for purposes related to the provision of health care or assisting in the provision of health care. “Health care” is defined in section 2 of the Act as:

… any observation, examination, assessment, care, service or procedure that is done for a health‑related purpose and that,

(a)  is carried out or provided to diagnose, treat or maintain an individual’s physical or mental condition,

(b)  is carried out or provided to prevent disease or injury or to promote health, or

(c)  is carried out or provided as part of palliative care,

and includes,

(d)  the compounding, dispensing or selling of a drug, a device, equipment or any other item to an individual, or for the use of an individual, pursuant to a prescription, and

(e)  a community service that is described in subsection 2 (3) of the Home Care and Community Services Act, 1994 and provided by a service provider within the meaning of that Act;

[76]  I find that Drs. AG and DP were consulted by the radiologist responsible for preparing the report of the CT scan, and that the practice of consulting with colleagues in this manner was part of the normal workflow in the radiology department in providing services to diagnose and treat patients (a health-related purpose). I conclude that this use of the complainant’s personal health information was for the purpose of providing health care or assisting in providing health care to the complainant. As referenced above, in certain circumstances, health information custodians and their agents may assume that they have an individual’s implied consent to collect, use, and disclose personal health information where they are providing, or assisting in the provision of, health care. This is often referred to as being in a patient’s ‘circle of care’. The law regarding assumed implied consent was recently summarized by Adjudicator Ryu of this office in PHIPA Decision 35: ^[15]

[23] The term “circle of care” is not defined in the Act. It has been used to describe the provisions of the Act that enable certain health information custodians to assume an individual’s implied consent. Section 20(2) of the Act specifies when implied consent may be assumed:

A health information custodian described in paragraph 1, 2, 3 or 4 of the definition of “health information custodian” in subsection 3 (1) , that receives personal health information about an individual from the individual, the individual’s substitute decision-maker or another health information custodian for the purpose of providing health care or assisting in the provision of health care to the individual, is entitled to assume that it has the individual’s implied consent to collect, use or disclose the information for the purposes of providing health care or assisting in providing health care to the individual, unless the custodian that receives the information is aware that the individual has expressly withheld or withdrawn the consent.

[24] In order to rely on assumed implied consent to collect, use or disclose personal health information, therefore, the following conditions must be met:

the health information custodian must fall within a particular category of health information custodians; and

the health information custodian must receive the personal health information from the individual to whom the information relates, or that individual’s substitute decision-maker or another health information custodian; and

the health information custodian must receive that information for the purpose of providing health care or assisting in the provision of health care to the individual; and

the purpose of the health information custodian’s collection, use or disclosure of that information must be for the purposes of providing health care or assisting in providing health care to the individual; and

in the context of a disclosure, the disclosure of personal health information by the health information custodian must be to another health information custodian; and

the health information custodian that receives the information must not be aware that the individual to whom the personal health information relates has expressly withheld or withdrawn the consent. [Footnotes omitted]

[77]  The complainant has not suggested that, in providing health care using the PACS, radiologists may not rely upon patients’ assumed implied consent. There is similarly no dispute that, in providing health care using the PACS, radiologists are acting as agents of the hospital, and that this is a “use” of personal health information. I find that the specific elements of section 20(2) have been satisfied for the following reasons:

• the hospital is a health information custodian listed in paragraph 4 of section 3(1) of the Act;
• the personal health information at issue was received from both the complainant and the hospital – as the information related to a scan of the complainant conducted at the hospital;
• the personal health information was received for the purpose of providing, or assisting in the provision of, health care to the complainant;
• the personal health information was used by AG and DP for the purpose of providing or assisting in providing, health care to the complainant; [16]
• there is no disclosure at issue as these are “uses” of personal health information, so the requirement that a “disclosure” must be to another health information custodian does not apply; and,
• there is no evidence to suggest that the complainant expressly withheld or withdrew consent at or before the time of these uses.

[78]  I acknowledge the complainant’s skepticism that the access by Dr. AG on February 21, for 3 seconds, could have been sufficient to allow for a “review of the result of the consultation”. While I agree that it is unlikely that any such review could have been accomplished in this time, in the context of the consultations on February 20, I do not attribute any purpose to this access other than providing, or assisting in the provision of, health care to the complainant.

2. Allegation of unauthorized use or disclosure by Dr. DP in sharing the result of the complainant’s MRI with Drs. AL and DB on October 23 and 24, 2012.

[79]  Shortly after the complainant’s MRI on October 23, 2012, Dr. DP learned of the complainant’s condition. He states that he was given this information by Dr. IG, a friend of the complainant who was also a shareholder in UIA, through a “casual conversation.”

[80]  There is no doubt that Dr. IG knew of the results of the complainant’s MRI. The audit report shows that Dr. IG accessed the complainant’s personal health information for three minutes on October 23, 2012, the very day of the MRI. In his submissions, the complainant states that Dr. IG denies having told Dr. DP of the results of the complainant’s MRI. Dr. DP’s version of the events is supported by a contemporaneous text message he sent that day to Dr. DB, in which he referred to having received information about the complainant’s condition from Dr. IG.

[81]  In one of the summaries it produced during its investigations, the hospital stated in April 2014, without identifying the source of the information, that Dr. EO told Dr. DP about the complainant’s condition during the October 2012 events.

[82]  On my review of all the material before me, I prefer to rely on the contemporaneous text message and accept that Dr. DP learned of the complainant’s MRI results from Dr. IG. There is no complaint against Dr. IG, and I see no purpose in making any findings about whether actions by Dr. IG were consistent with the Act.

[83]  Dr. DP states that he informed Dr. AL of the complainant’s condition on or about October 24, 2012, in a phone call. This is consistent with information provided by Dr. AL to the complainant’s doctor in the email of October 29, 2012. Dr. DP states that he informed Dr. AL, who is the Chief of the Department, in his “capacity” as the only Director of the hospital on site during this week. He states that he had concerns for patient safety given the complainant’s condition and was reporting that the complainant may be suffering from a condition that could implicate his ability to safely practice medicine. Dr. DP states that he had also received complaints from ultrasound technicians at or around this time, alleging that the complainant appeared unwell.

[84]  Dr. DP’s responsibilities regarding the provision of radiology services by the hospital is addressed in an email from Dr. AL to the complainant’s doctor on October 29, 2012, in which she states that as “Managing Director” of [UIA], it was his role to “be informed of any leaves, etc. and part of his role to keep me informed.”

[85]  Dr. DP also shared information about the complainant’s condition with Dr. DB, in a series of text messages on October 23 and 24, 2012 which he states were sent for the purpose of ensuring adequate coverage in the radiology department. [17] The messages convey some specific details about the results of the MRI, discuss the possibility that the complainant will not be able to work in the immediately following days, the arrangements made to cover the complainant’s shifts and the possibility of Dr. DB covering one of those.

[86]  The complainant asserts that Dr. DP did not hold any position of authority within LHSC and was merely an independent contractor with privileges at LHSC. He describes him as a Director of the corporate entity, UIA, that provided diagnostic imaging services to LHSC. The complainant submits, therefore, that there was no “capacity” within which Dr. DP was authorized by LHSC to disclose the complainant’s personal health information to Dr. AL. The complainant also asserts that another doctor, Dr. EO, was the person within the UIA business group in charge of scheduling and that there was no need for Dr. DP to be discussing the particulars of his health in order to arrange coverage. He states that he “trusted” Dr. EO with his personal health information, and did not “trust” Dr. DP.

[87]  The complainant asserts that the text messages from Dr. DP to Dr. DB were “mere gossip” and not for the purpose of seeking coverage for the complainant’s upcoming shifts. He submits that even if the communication was for the purpose of covering call, it was not necessary to share his personal health information.

[88]  The hospital states that Dr. DP is an agent of the hospital, holding the role of Radiologist and Managing Director of Radiology. It states that, in that latter role, Dr. DP must be kept informed of any occupational health issues and concerns, as they relate to the hospital’s Leave of Absence Policy for Professional Staff.

Analysis

[89]  The Act governs the collection, use and disclosures of personal health information by health information custodians and their agents. In this case, the complainant asserts that Dr. DP was not acting in any capacity on behalf of LHSC, describing Dr. DP as an independent contractor.

[90]  I do not take the complainant to be suggesting that Dr. DP is never an agent of the hospital. Clearly, there is no dispute that when he provides radiology services to the hospital, he is acting as an agent. Dr. DP’s status is less clear when he is not “on duty” providing radiology services. Based on the submissions of the parties, and the information before me, I conclude that Dr. DP was in these circumstances acting as both Managing Director of UIA, a professional corporation providing radiology services to the hospital, and as an agent of the hospital. With respect to the latter, the evidence suggests that the hospital saw his role as Managing Director of UIA as also involving a responsibility on behalf of the hospital to ensure the adequate provision of radiology services to the hospital’s patients.

[91]  I conclude that Drs. AL and DB were also acting as agents of the hospital in these circumstances, as Chief of the Department and as a member of a radiology group who shared responsibility to ensure adequate coverage of radiology services to the hospital’s patients, respectively.

[92]  I find that Dr. DP’s communication to Dr. AL was a use of the complainant’s personal health information, by an agent of the hospital. The information conveyed by Dr. DP was “personal health information” in the sense that it was information about the complainant’s medical condition in the hospital’s custody or control, obtained from Dr. IG. I find that, as a result of the complainant’s diagnosis, Dr. DP, in the exercise of responsibility with respect to the scheduling of radiologists at the hospital, informed the Chief of the Department of events that may have a significant impact on the provision of radiology services to patients in the near and long term, and may affect the complainant’s ability to safely practice medicine. I find that this use of the complainant’s personal health information is permitted by subsections 37(1)(c) and (d) of the Act, which provide:

37. (1) A health information custodian may use personal health information about an individual,

(c)  for planning or delivering programs or services that the custodian provides or that the custodian funds in whole or in part, allocating resources to any of them, evaluating or monitoring any of them or detecting, monitoring or preventing fraud or any unauthorized receipt of services or benefits related to any of them;

(d)  for the purpose of risk management, error management or for the purpose of activities to improve or maintain the quality of care or to improve or maintain the quality of any related programs or services of the custodian;

[93]  I am also satisfied that Dr. DP’s communication with Dr. DB was a permitted use under section 37(1)(c), as the purpose of the communication was to ensure adequate coverage of the complainant’s work shifts in the upcoming days.

[94]  However, as noted above, health information custodians and their agents are prohibited from, among other things, using more personal health information than is reasonably necessary to meet the purpose of the use. Section 30 of the Act provides as follows:

30. (1) A health information custodian shall not collect, use or disclose personal health information if other information will serve the purpose of the collection, use or disclosure.

(2) A health information custodian shall not collect, use or disclose more personal health information than is reasonably necessary to meet the purpose of the collection, use or disclosure, as the case may be.

(3) This section does not apply to personal health information that a health information custodian is required by law to collect, use or disclose.

[95]  The complainant submits, and I agree, that it was not necessary to discuss the particulars of his health for the purpose of arranging coverage for his shifts. The information used by Dr. DP in text messages to DB included detailed information about the complainant’s diagnosis. Even if I were to accept that, in order to arrange coverage for shifts, some reference had to be made to the complainant’s illness (and therefore some personal health information had to be used), there was no reason to include the level of detail that Dr. DP did. There is no evidence to suggest that this use of personal health information was required by law. As such, I conclude that this use of personal health information contravened section 30(2) of the Act. As discussed below, I will direct the hospital to ensure that its training of its agents includes instruction on this provision.

3. Allegation of unauthorized use by Dr. AL in March 2014

[96]  There is no dispute that Dr. AL accessed the complainant’s personal health information on a number of occasions in March 2014.

[97]  The position of the hospital and Dr. AL is that all of these accesses, which come within the meaning of a “use” under the Act, were permitted uses under section 37(1)(d), which provides:

A health information custodian may use personal health information about an individual,

…

(d)  for the purpose of risk management, error management or for the purpose of activities to improve or maintain the quality of care or to improve or maintain the quality of any related programs or services of the custodian;

[98]  The hospital and Dr. AL take the position that all of the uses were in connection with Dr. AL’s investigation of the complainant’s allegations that his colleagues were viewing his information for improper purposes. They state that Dr. AL, as Chief of the Radiology Department, is classified as the “Leader” in the hospital’s privacy breach protocol, who has responsibility for determining the legitimacy of accesses by radiology resident and/or colleagues.

[99]  As Leader and Chief of the department, Dr. AL was asked to review the audit results showing accesses by members of the department as part of the investigation into the complaint. The LHSC submits this involvement was in accordance with its “Breach of Privacy” policy and its documented process “Privacy Breach Procedures for Leaders”. The LHSC indicated that the latter states that the Leader will “take steps to contain the breach and begin a department-level investigation”, and that the Leader will “follow up with the employee/affiliate as soon as possible after the department-level investigation has been completed if a breach is still suspected”.

[100]  The hospital explains that Dr. AL reviewed the PACS to determine if there was a “reason” why those individuals whose names appeared on the audit would have accessed the patient’s PACS records. Using information available within PACS (date/time of the exam, what the exam was, who the reporting Radiologist was if the report had been finalized), and cross-referencing other sources of data (including which subservice rotation those Radiologists/Residents were on at the time, whether they on call, which site, who their supervisor was), Dr. AL was able to make a determination of the reason for access, if it could be explained and thus be deemed appropriate.

[101]  The LHSC submitted that the dates are consistent with the timing of the delivery of the audit reports to Dr. AL as well as the dates on which Dr. AL provided her findings. As part of her investigation, she held meetings with the radiologists and residents involved. During those meetings, the summary data (not images or reports) was reviewed with the individuals to determine why they might have accessed the records in question.

[102]  The complainant does not disagree that review of personal health information by an individual in Dr. AL’s position, for the purpose of investigating a privacy breach, would be a permitted use under the above provision. He does not disagree that the particular instances of accesses by Dr. AL would be permissible uses in connection with investigating his complaint of unauthorized access. However, he takes the position that Dr. AL was in a “conflict of interest” and for this reason, should not have conducted the investigation and therefore cannot rely on this provision.

[103]  In the complainant’s submission, Dr. AL had a conflict of interest that should have prevented her from taking part in investigating his privacy complaint because she had just “forced” a voluntary leave of absence on him, as the result of allegations of deteriorations in his behaviour and competency caused by illness (which the complainant disputed). For this reason, the complainant submits that while other agents of LHSC may have been able to rely on section 37(1)(d) to access records in order to investigate the privacy breach, Dr. AL relied on it to investigate her suspicion that the complainant’s behaviour and competency were being impacted by illness. He asserts that these accesses allowed her to justify, after the fact, her effective suspension of him.

Analysis

[104]  In the context of this allegation there is no dispute, and I find, that Dr. AL was acting as an agent of the hospital in investigating the complainant’s allegations, and that the information Dr. AL accessed was the complainant’s personal health information.

[105]  On my review of the submissions and material before me, I find that the hospital and Dr. AL have established that her accesses to the complainant’s health information in March 2014 were for purposes permitted by section 37(1)(d) of PHIPA. They were consistent with hospital policy for the investigation of allegations of privacy breaches. The records of these accesses support the submission that they were for the purpose of investigating the complainant’s allegations. I find the investigation to be a risk management activity, in which Dr. AL had a defined role under the hospital’s policy. This was also an activity to maintain or improve the quality of services provided by the hospital, inasmuch as this investigation was directed at detecting and remediating unauthorized access to personal health information.

[106]  I recognize that Dr. AL was wearing “two hats” in her dealings with the complainant in these early months of 2014. As chief of the radiology department, she was involved in dealing with the potential workplace implications of the complainant’s illness. She was also investigating his allegations of unauthorized accesses to his personal health information on the PACS. Given the timing of the actions taken in both of these matters, the complainant was concerned about the potential for a blending of the two roles. In effect, he suggests that Dr. AL’s role in managing the potential workplace implications of the complainant’s illness convert otherwise authorized accesses, made for the purpose of investigating his privacy complaints, into unauthorized accesses.

[107]  I see no reason to come to this conclusion. I have found Dr. AL’s accesses to the complainant’s information in March 2014 to be for purposes permitted by PHIPA. I do not find the evidence to support the conclusion that Dr. AL used that information for other, unauthorized, purposes.

[108]  I have addressed whether any conflict of interest leads to a conclusion that Dr. AL’s accesses to the complainant’s personal health information were for unauthorized purposes, and dismiss this submission. These allegations also raise an issue of whether the hospital responded adequately to the PACS audits in compliance with section 12 of the Act. I will review this below when I discuss the adequacy of the hospital’s response to the complaint of a privacy breach.

4. Allegation of unauthorized use or disclosure by Dr. AL to Dr. AG based on an email sent on October 29, 2012

[109]  I will now turn to the remaining allegation of unauthorized use or disclosure of the complainant’s health information.

[110]  The allegation about this email, which was sent by Dr. AL to the complainant’s doctor, was not part of the original complaint and was raised by the complainant in his representations during my review. I have concerns about the timeliness of the allegation but assuming, without deciding, that it is timely, I find no contravention of the Act.

[111]  On October 29, 2012, Dr. AL, in her capacity as Chief of the Department, sent an email to the complainant’s treating physician regarding the complainant’s medical condition and its impact on his ability to continue to perform his duties as a radiologist. She summarized information provided by another consulting neurologist, whom she had contacted with the complainant’s consent. She indicated that the complainant was on leave from clinical duties as of October 26, 2012, although she invited the physician’s views on the possibility of the complainant’s return to work in the following week. Dr. AL also indicated that she was copying the letter to Dr. AG, as the Site Medical Imaging Program Leader and University Hospital Director, in order to inform him of these developments.

[112]  In his representations, the complainant alleges that by copying Dr. AG on the above email, Dr. AL engaged in unauthorized disclosure of his personal health information. He states that he had not authorized Dr. AL to share that information with Dr. AG.

[113]  I find that, in her capacity as Chief of the Department, Dr. AL was acting as an agent of the hospital within the meaning of the Act, and that AG was an agent of the hospital as the Site Medical Imaging Program Leader and UH Director. There is no dispute that, as a radiologist at the hospital, the complainant was also an agent of the hospital. However, it is less clear that the identifying information contained in this email falls under the definition of “personal health information.”

[114]  Section 4(4) excludes from the definition of “personal health information” identifying information in a record in the custody or control of a health information custodian, where the information relates primarily to employees or agents of the custodian, and the record is primarily maintained for a purpose other than health care to agents or employees. The purpose of the email of October 29, 2012 was not about the provision of health care to the complainant, but about managing the workplace implications of his illness. The email is a record that contains identifying information that primarily relates to the complainant in his capacity as an agent of the hospital. Further this record is maintained primarily for a purpose other than the provision of health care or assistance in providing health care to the employees or other agents of the hospital. As such, I find that the information about the complainant in this email is not “personal health information” and the rules in the Act about the use or disclosure of personal health information do not apply.

[115]  I conclude this identifying information is not regulated by the Act as a result of section 4(4).

Issue D:   Did the LHSC take reasonable steps to protect personal health information in its custody or control?

[116]  Section 12(1) of the Act states:

A health information custodian shall take steps that are reasonable in the circumstances to ensure that personal health information in the custodian’s custody or control is protected against theft, loss and unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal.

[117]  The IPC has previously described the obligations imposed by section 12(1) of the Act, in the context of the risk of unauthorized access to personal health information posed by agents, as follows:

…health information custodians must identify the risks to privacy and confidentiality of personal health information and implement measures or safeguards that are reasonable in the circumstances to eliminate or reduce these risks and to mitigate the harms that may arise from these risks. The risks to privacy and to the confidentiality of personal health information posed by agents who use or disclose personal health information for purposes that contravene the Act are well known. [18]

[118]  I invited the LHSC to describe the administrative, technical and physical safeguards it uses to detect and/or deter inappropriate accesses to the personal health information in its custody and control, and to describe how these safeguards applied to the doctors in question.

[119]  I find it unnecessary to review all of LHSC’s safeguards in this decision, but will focus on its auditing and logging practices, its practice with respect to automatic timed logouts, and its training of agents, as these are raised by the circumstances of this complaint.

Auditing and Logging practices

[120]  In PHIPA Order HO-013, Commissioner Beamish commented on the importance of auditing, and obtaining analyzable data, for detecting and deterring unauthorized access to personal health information:

As in other industries, audits play an important role in the health sector. Auditing of electronic information systems is particularly important in ensuring that the privacy of individuals and the confidentiality of personal health information are protected. Audits are essential technical safeguards for electronic information systems. They can be used to deter and detect collections, uses and disclosures of personal health information and the copying, modification or disposal of records of personal health information that contravene the Act. As such, they help to maintain the integrity and confidentiality of personal health information stored in electronic information systems. The ability to conduct audits of personal health information and the activities of agents or users (referred to in this section as users) in an electronic information system also ensures that a health information custodian is able to respond to requests from patients for information about who has collected, used or disclosed their personal health information. [19]

[121]  In this case, the complainant alleges that the hospital’s auditing and logging practices are inadequate. In particular, the complainant submits that if it is true that the PACS system logs incidental accesses associated with scrolling through a worklist, then its audit systems are meaningless. He also submits that if the audit logs show a “RV” event when no report is yet available, there is a problem with the value and reliability of the information in the logs.

[122]  The hospital provided me with a description of its auditing processes and procedures. It also provided me with the complete logs of the audits requested by the complainant, which I have described above. Those logs contain thousands of entries. Under the hospital’s processes, its privacy office is responsible for reviewing the entries in an audit log. They assess whether the entries indicate authorized or unauthorized uses using a variety of hospital and external applications and tools that provide information about matters such as staff roles, departments, positions, work schedules, patient appointments, patient visits and potential relationships between individuals. Staff in the privacy office then flag any accesses that appear questionable for further investigation.

[123]  Accesses that require further investigation are referred to the “Leader” of the department at issue (Operational Leaders, Directors, Coordinators, Professional Practice Leaders, Union Leaders, Chiefs of Departments or Senior Leaders).

[124]  I appreciate the complainant’s suggestion that if merely highlighting a patient name is sufficient to result in a RV audit log, the logs would contain a large volume of irrelevant information. As part of this review, I received and analyzed the complete audit logs of accesses to the complainant’s information. I also asked for additional information from the LHSC. I observe that there are several factors that limit the number of events captured. First, as I indicated, only scrolling through a work list using a keyboard results in a RV audit log. Some users likely use the mouse and scroll bar to perform this function, which does not trigger a log. Secondly, there are a limited number of work lists in common use by the radiologists and the complainant only appeared on these lists as long as he met the parameters of those lists.

[125]  The fact that an audit of the hospital’s electronic health records results in a great volume of information that then has to be sifted, evaluated and investigated by hospital personnel does not suggest that it is inadequate, as long as the hospital has procedures in place to perform that investigation of the audit results. The fact that the audits capture events which, upon further investigation, represent authorized uses of personal health information, is also no indication of any fundamental flaws in the hospital’s systems for protecting the privacy of that information.

[126]  That said, I agree with the complainant that the failure to distinguish between scrolling and viewing events diminishes the utility of the auditing system. In this case, the PACS logs pauses while scrolling through a worklist with a keyboard in the same manner as if a user reads a report containing a patient’s diagnosis. When the patient’s name is selected on the worklist, a report viewed (“RV”) log is created regardless of whether the report was available or not available, and viewed or not viewed. While inferences can be drawn from the length of time a patient’s name is highlighted to determine whether an access was authorized, this has some shortcomings. Agents may take a telephone call, or may simply become distracted, while scrolling through a worklist. This could create the misleading impression that such an agent had read a detailed record containing personal health information, as opposed to simply sitting at their workstation performing other tasks while a name is continuously highlighted on a worklist. Many of the disputed accesses at issue in this complaint likely could have been resolved if the hospital had logged whether the user reviewed detailed personal health information beyond the name on a worklist. I note that, where an agent actually opens an exam on PACS, a separate exam viewed (EV) log is created. While I do not conclude that the hospital’s auditing and logging practices fall below the “reasonable” standard required by section 12 of the Act, I will recommend that the hospital consider making improvements to the way it audits and logs scrolling through the PACS worklist in light of this comment.

[127]  Further, during my site visit to the hospital I learned that LHSC did not have the PACS system configured to capture printing events in its audit log. As noted above, this creates a risk that, where a user accesses a record of personal health information for even a very short time, they may be able to print a record to be read later. While there was no evidence in this case to suggest that the printing function was used to facilitate unauthorized uses and disclosures of the complainant’s personal health information, I am concerned about the potential this functionality, combined with the absence of an audit log of printing events, creates. As such, I will also recommend that the hospital review the feasibility of implementing logging of print commands.

Automatic timed logouts

[128]  In the physicians’ submissions, Dr. DP states that if he is working on a list of examinations and is called away to see a patient or perform a procedure, the highlighted name may remain highlighted for the duration of his absence from the work station, creating the impression that the record has been “accessed” for a significant period of time. Further, he states that the radiology work stations are located in “quasi-public” areas where other physicians or medical staff have access. Therefore, if a physician has logged into a terminal and steps away without logging off, another physician may use the same terminal, leading the PACS to attribute the second physician’s uses of personal health information to the physician who was logged in. While this information was part of Dr. DP’s submissions, he did not apply this to any specific access at issue in this case.

[129]  The complainant states that, in light of the above information, the physicians “do not seem to have any sense of the importance of logging off before leaving their work stations unattended.”

[130]  As stated above, the hospital advised me that radiologists are automatically logged out of the PACS system after a period of inactivity, which can range from a few minutes to 30 minutes.

[131]  There is no uniform approach to automatic logouts from electronic information systems, as the appropriate automatic logout time period may depend on factors such as the location of terminals, the number of staff or members of the public that have access to the area, the existence of lock screens, the type of information contained in the system and other policies and practices in place to protect the privacy of personal health information in the system. In this case, I have not concluded that any deficiencies in automatic logout practices resulted in unauthorized accesses. However, given the submissions from the physicians, I will recommend that the hospital review its practices with respect to automatic logouts.

Training

[132]  Commissioner Beamish discussed the importance of training in PHIPA Order HO-013:

A comprehensive privacy training program is an essential tool to combat the risk of uses and disclosures of personal health information by agents in contravention of the Act, including agents who are “curious” or who are motivated by their own interests, such as financial gain.

…

Comprehensive and frequent privacy training is essential to the development and maintenance of a culture of privacy within any organization. [20]

[133]  In the Notice of Review provided to the hospital, I asked the hospital to describe any and all administrative, technical, and physical safeguards it uses to detect and deter inappropriate accesses to the personal health information in its custody or control and to describe how these safeguards applied to the doctors. For greater clarity, I asked the hospital to provide representations on the education/training it provided, including details of the training it provided to the four doctors who are the subject of this complaint.

[134]  While the hospital had provided the IPC with numerous of its policies prior to the Notice of Review being sent, none of these policies addressed or described the content of training provided to the four doctors. [21] In response to this request in the Notice of Review, the hospital simply noted that it provided periodic mandatory training to all physicians via an online tool, and noted the dates on which the four doctors had been trained.

[135]  The hospital was also given an opportunity to respond to the complainant’s representations and supplementary representations. The hospital’s responding representations addressed training, but largely repeated the same information it had provided to the IPC previously, and did not detail the specific content of the training provided to the physicians.

[136]  Training is a fundamental administrative safeguard health information custodians must perform. [22] While the specific content of the training required may vary by situation, health information custodians must train their agents in order to comply with section 12(1) of the Act . Otherwise, health information custodians would be providing personal health information to their agents, without guiding their agents on what they can do with this information. [23]

[137]  Above, I found that Dr. DP contravened section 30(2) of the Act by using more personal health information than reasonably necessary to meet the purpose of that use. The data minimization principles in section 30 are fundamental to the way in which Act regulates the collection, use and disclosure of personal health information. In light of my finding that this section was breached, and without evidence regarding the content of the online training provided to physicians, I am concerned that the hospital’s periodic mandatory training of its agents may not address the obligations imposed by section 30 of the Act. Accordingly, I will order the hospital to ensure that its mandatory periodic training of its agents includes training on the obligations imposed by section 30 of the Act.

Issue E:   Did the LHSC respond appropriately to the complaint of unauthorized access?

[138]  The complainant asserts that the LHSC’s response to his complaints did not comply with its obligations under the Act. He asserts that it did not respond in a timely manner to his complaint of unauthorized access.

[139]  I asked the LHSC to describe the steps taken to investigate and respond to the complaint.

[140]  The hospital’s responsibility to investigate and respond to a privacy complaint arises from its obligations under section 12 of the Act. The duty to take reasonable steps to ensure that personal health information in the hospital’s custody or control is protected against theft, loss and unauthorized use or disclosure includes a duty to respond adequately to a complaint of a privacy breach. A proper response will, amongst other things, help to ensure that the breach, if any, is contained, and will not re-occur.

[141]  I begin with the observation that the standard in section 12 is “reasonableness”. It does not require perfection, and the section does not provide a detailed prescription for what is reasonable.

[142]  The complainant argues that the hospital did not respond appropriately to his complaint of unauthorized access in several ways. He submits that Dr. AL should have taken steps in October 2012 to find out how or why Dr. DP knew of the complainant’s condition, and should have reported or taken some action to investigate this use of his information. He submits, in effect, that Dr. AL should have known this was a privacy breach before any complaint was made. I do not accept the complainant’s submission. I have found that Dr. DP’s report to Dr. AL in October 2012 was not a privacy breach. There was no reason for Dr. AL to suspect a potential privacy breach, and I do not conclude that Dr. AL’s actions, as an agent of the hospital, fell short of the obligations under section 12 of the Act in not inquiring any further into the matter at that time, and before any complaint had been made.

[143]  The complainant also submits that Dr. AL should not have been involved in the investigation of the audit results in February and March of 2012. He submits that Dr. AL “should have known”, based on her involvement in October 2012, that she ought not to lead the investigation, as she had failed to fulfil her obligations to the complainant as a patient in October 2012 in not pursuing Dr. DP’s breach. More importantly, in the complainant’s view, was Dr. AL’s role in what he terms a “voluntary” suspension, because of concerns about his health.

[144]  I concluded above that Dr. AL’s role in managing the workplace consequences of the complainant’s illness did not “taint” her use of the complainant’s personal health information as part of the investigation into the audit results. I also find here that the hospital’s decision to delegate that investigation to her was not a breach of the standard in section 12. Several chains of events were unfolding simultaneously in those months. The hospital was conducting several audits of the PACS, for different time periods, on the complainant’s request. As it was receiving these results, it was investigating audit results that showed potential unauthorized accesses. None of these results raised any accesses by Dr. AL. Consistent with hospital policy, Dr. AL was involved in the investigation of these accesses as Chief of the Radiology Department. Her involvement included reviewing the PACS system, and assisting with interviews of staff.

[145]  I accept that, at the time it assigned Dr. AL a role in investigating the audit results, the hospital was aware of the complainant’s position concerning Dr. AL’s conduct in October 2012. Does its decision to delegate this investigation to Dr. AL, despite the complainant’s views, breach its obligations under section 12 of the Act? On balance, I conclude that it does not. Dr. AL was the person in the best position to investigate the audit entries. None of them involved her. She was the staff member charged with that role under the hospital’s policy. Given this, the hospital would need a good reason not to turn to her in the investigation of the audit results. Although the hospital was aware of the complainant’s concerns about Dr. AL, it was legitimate for it to consider whether they presented sufficient reasons to remove her from her role in the investigation. It was reasonable for the hospital to take a different view than the complainant of the appropriateness of her involvement from the complainant. I have also reviewed the basis of the complaints against Dr. AL and confirm the hospital's view that the allegations against her are without merit.

[146]  In all these circumstances, I do not view the hospital's decision to delegate the investigation to Dr. AL as a breach of its obligations under section 12 of the Act. It does not represent a failure to “take reasonable steps” to safeguard the personal health information of the hospital's patients.

[147]  The complainant’s representations indicate that he disagreed with the hospital’s position on the need for him to take a leave of absence from the workplace due to his illness, in March 2014. He states that he also had “confrontational” meetings with Dr. AL over what he believed to have been unfair treatment of a friend/colleague of his. These views, however strongly held by the complainant, did not require the hospital to remove Dr. AL from the investigation into the audit results.

[148]  In this case, the hospital’s investigation proceeded in a number of stages. In accordance with the usual practice, the privacy office reviewed the audit results and flagged some accesses as questionable. The hospital then assigned Dr. AL to conduct a further investigation, which included interviewing the staff involved to determine whether there were role-based reasons for the accesses. Based on Dr. AL’s investigation, the hospital concluded that it should notify the complainant about what it concluded were privacy breaches. Even following this, however, further information was exchanged which led the hospital to revisit these findings. In one instance, the complainant told the hospital that he consented to use of his information by one of the individuals identified in the audit. As well, the hospital’s privacy office learned more about the PACS and the manner in which radiologists used the system in their routine work practices and concluded that some accesses it had previously questioned were, on further assessment, authorized.

[149]  While I do not uphold the hospital’s view that a “10 second” cut-off can be applied to distinguish authorized from unauthorized accesses, I have, for other reasons, found all of the accesses to be authorized. My own conclusions are based on information gained during this review, as well as that before the hospital during its investigation. As a result of the manner in which the radiology department performs its work, and the manner in which the PACS supports that work, the task of distinguishing between authorized and unauthorized accesses was not straightforward. This determination required reviewing many sources of information which could shed light on the motivation of the individuals involved. My own review also involved reviewing multiple sources of information, and several rounds of information-gathering. I also bear in mind that the allegations came to light, and the hospital began its investigation, more than a year after the events. In many cases, the hospitals and the individuals involved were attempting to make sense of events that lasted only seconds, well after the fact. In this context, I have not drawn adverse inferences from the fact that some explanations and theories changed over time, or seemed to contradict each other.

CONCLUSION:

[150]  In the final result, I find all allegations about the unauthorized use or disclosure of the complainant’s personal health information to be unsubstantiated. I find, however, in one instance, that Dr. DP, as an agent of the hospital, used more personal information than was reasonably necessary to meet the purpose of the use, and I issue an order to address this finding through training of hospital agents.

[151]  I also make several recommendations to the hospital about its practices for safeguarding the personal health information in its custody or control.

ORDER AND RECOMMENDATIONS:

1. I order the hospital to ensure that its training of agents on the Act includes training on section 30.
2. I recommend that the hospital consider ways of improving its auditing capabilities to distinguish between scrolling through worklists and viewing reports in the PACS system, in accordance with the comments made in this decision.
3. I recommend that the hospital investigate the feasibility of logging print commands in the PACS in accordance with the comments made in this decision.
4. I recommend that the hospital review its practices with respect to automatic timed logouts in the PACS in accordance with the comments made in this decision, having regard to all of the other measures it also has in place to detect and deter unauthorized access.

Original Signed by:		April 25, 2017
Sherry Liang
Assistant Commissioner