Summary:

In this decision, the IPC concludes a Review under the Personal Health Information Protection Act, 2004 relating to an incident where a patient took a photograph of a physician’s computer screen, which contained the personal health information of a number of patients, including himself. The review was commenced pursuant to section 58(1) of the Act, which permits the IPC to conduct a review where there are reasonable grounds to believe that a person has or is about to contravene the Act. This decision finds that the Respondent was a recipient of personal health information for the purposes of the Act, and that his use of this personal health information contravened section 49(1) of the Act. The Respondent is ordered to dispose of records of personal health information pursuant to section 61(1)(e).


PHIPA DECISION 49

Complaint HI16-16

August 9, 2017

Statutes considered: Personal Health Information Protection Act, 2004, SO 2004, c 3, sections 2, 4(1), 7(1), 9(2)(c), 49(1), 49(2), 58(1), and 61(1); Personal Health Information Protection Act, 2004, Ontario Regulation 329/04, sections 1(3) and 21.

BACKGROUND:

[1]  This review was commenced under section 58(1) of the Personal Health Information Protection Act, 2004 (PHIPA or the “Act”), which permits the Office of the Information and Privacy Commissioner (IPC or this office) to conduct a review of any matter where there are reasonable grounds to believe that a person has contravened or is about to contravene a provision of the Act or its regulations.

Background information

[2]  On August 8, 2016, the IPC was contacted by a lawyer reporting a privacy breach. The lawyer reported that her client, a physician (the Physician), had received an email from a former patient, the Respondent, containing an image of a computer screen in the Physician’s examination room (the Image). To be more precise, the Image was a screenshot of two photographs of a computer screen in the Physician’s examination room.

[3]  In the email sent from the Respondent, the Respondent confirms that the Physician had dismissed him as a patient due to trust issues, and had told him he had to be accountable for his actions. The Respondent then states that he is bringing to the Physician’s attention a “very important matter that requires your immediate and utmost attention.” The email then reads:

I too now feel that you should be held accountable and that I can no longer trust you or your practice and I am currently speaking with an attorney about how to proceed with a lawsuit concerning Breach of Confidentiality/Privacy which I am sure you will agree should be an open and shut case. I have a picture that clearly displays other patients [sic] private information … that should have at all times remained extremely private and confidential and you are responsible for this information ….

[4]  The email then states that the Respondent is deciding whether or not to contact each of the individuals and have them “included in my future lawsuit.” After identifying some other concerns, the Respondent states:

I'm sure you will agree this matter requires your immediate attention and would like a reply via email if you have any concerns or how to contact your attorney rather than going straight to the other individuals involved in this matter or the media ….

[5]  Upon reviewing the Image attached to the above email, the Physician determined that it showed the daily schedule of the Physician’s electronic medical record (EMR) for January 6, 2016, containing the personal health information of 72 individuals. The Physician speculates that the Respondent obtained the Image by photographing the screen immediately after either he or another staff member left the examination room and prior to the automatic log-off being engaged.

[6]  Upon learning of the breach, the Physician asked the Respondent on numerous occasions to delete the photo. The Physician’s lawyer also wrote to the Respondent to advise that he had improperly accessed personal health information, and to request that he destroy all copies of this information and provide confirmation of having done so. In a responding email, the Respondent denied any improper access and refused to destroy the Image. He stated:

I did not "improperly access" any information and feel that my privacy and that of others has been severely compromised here. It was clearly visible on Dr. …'s computer monitor when I was directed into the room by his staff and this not only is a clear breach of privacy/confidentiality on his part but constitutes a strong case in court as I'm sure any legal team would agree.

I can make this information public if necessary as I have broken no laws whatsoever and have a right to properly defend my position and my own - what should have been - secure health matters which were in clear violation here.

If you feel there is a legal course of action here to make me "destroy" my evidence or my future legal claims within the courts then please forward those, but I do look forward to pursuing this matter further and strongly feel like you have already over-stepped your grounds asking me to follow your request.

Let me know how you which [sic] to proceed.

[7]  I note that, after learning of the breach, the Physician sent notices to all 72 individuals whose information may have been contained in the Image, advising them that a former patient had viewed and photographed the daily patient schedule for January 6, 2016 from the EMR. The Physician advised each individual of the information that was contained in the EMR, that the Physician had demanded that the Respondent destroy all copies of the “stolen” information, and that the patient could make a separate complaint to this office under PHIPA.

[8]  The Physician’s lawyer then reported the matter to this office, and the IPC opened a file to address the Physician’s obligations to ensure the security of personal health information. That matter is being addressed by this office in a separate file.

[9]  During the intake stage of that file, an analyst from this office contacted the Respondent. She sought the Respondent’s cooperation in securely destroying all copies (including the original) of the Image. The analyst also informed the Respondent that failure to respond in a satisfactory manner may result in the IPC initiating a review under the Act, and that a review may result in a final order being made against the Respondent.

[10]  In response, the Respondent took the position that he is not obligated to delete all copies of the Image, and that he should be able to provide this information to his lawyer as he is “planning to pursue [the privacy breach] in a court of law.”

[11]  Based on the information provided in the course of the related file, the IPC had reasonable grounds to believe that the Respondent had used or disclosed, or was about to use or disclose, personal health information in contravention of the Act. Accordingly, the IPC initiated this review pursuant to section 58(1) of the Act.

Commencement of the Review

[12]  In conducting the review, a Notice of Review was sent to both the Respondent and the Physician (identified as an affected party for the purpose of this review). The Notice of Review requested that the parties respond to the following questions:

  1. Please explain when and how the Respondent came to possess the personal health information in the Image.
  2. Where is the personal health information in the Image maintained and/or stored? In what format is it maintained (e.g., paper, electronic)? On what devices is it stored? How many copies of the Image has the Respondent made? Has the Respondent transferred or transmuted the personal health information in the Image to other records?
  3. Did the Physician disclose personal health information in the Image to the Respondent within the meaning of the Act? Was any personal health information, beyond the information in the Image, disclosed to the Respondent? Please explain.

If the answer to any part of question #3 is yes:

  4. Is the Respondent’s use and/or disclosure of the personal health information recorded in the Image, or any other personal health information disclosed by the Physician to the Respondent, governed by section 49(1) of the Act?
  5. What uses and/or disclosures has the Respondent made or does the Respondent intend to make of the personal health information disclosed by the Physician to the Respondent?
  6. What is the authority for each of the uses and/or disclosures identified in response to question #5? In particular:
    a. Are any of these uses and/or disclosures for the purpose for which the Physician was authorized to disclose the personal health information under the Act? Please explain. What was the authority for the Physician’s disclosure of personal health information to the Respondent?
    b. Are any of these uses and/or disclosures for the purpose of carrying out a statutory or legal duty? Please identify the statutory or legal duty, and explain how the uses and/or disclosures relate to the fulfillment of this duty.
    c. Are any of these uses and/or disclosures otherwise authorized under section 49(1) of the Act? Or do any of the exceptions to section 49(1) at section 21, 22 or 23 of Regulation 329 to the Act apply? Please explain.
    d. If any of these uses and/or disclosures are permitted by section 49(1), do they comply with the requirement in section 49(2) that no more personal health information be used or disclosed than is reasonably necessary to meet the purpose of the use or disclosure? Or, is the use or disclosure required by law? Please explain.
  7. Should the IPC issue an order requiring compliance with section 49(1) of the Act, or any other order under section 61(1)?
  8. If a finding is made that the Respondent is prohibited by section 49(1) of the Act from using and/or disclosing personal health information disclosed by the Physician except for the purpose of carrying out a statutory or legal duty (and no such duties are identified), what is the appropriate remedy?

[13]  Both parties provided representations in response to the Notice of Review. Also during this process, the Physician provided this office with an undertaking addressing retention of the Image, which was shared with the Respondent.

Representations

[14]  In response to the Notice of Review, the Physician advised that the copy of the Image that he received from the Respondent is blurry and its contents are distorted. The Physician states that it was only after reviewing the EMR that he was able to determine that the personal health information of 72 patients was potentially displayed in the Image.

[15]  The Physician maintains that he does not have direct knowledge of how the Respondent obtained the personal health information in the Image. The Physician submits that the EMR in the examination room has an automatic log-off feature. He speculates that the Respondent improperly accessed the computer immediately after either he or another staff left the examination room and prior to the automatic log-off being engaged.

[16]  The Physician submits that the personal health information visible in the Image is maintained and stored in electronic format on the EMR. He submits that he is unaware of whether the Respondent has made any copies of the Image, or has transferred the personal health information contained therein to other records.

[17]  The Physician maintains that he did not disclose personal health information to the Respondent. Rather, the Respondent inappropriately accessed and took personal health information without authorization. The Physician advises that he notified the affected patients of this unauthorized access to and theft of their personal health information, as required under the Act. Given this response to question #3, the Physician did not provide representations on questions #4-8, quoted above.

[18]  The Respondent submits that the Image was taken to document a serious breach of patient privacy and confidentiality that occurred when both his and dozens of other patients’ personal health information was openly displayed on a computer screen that either the Physician or one of his staff failed to log-off. The Respondent submits that if the Image had never been captured, there would have been no way for him to bring this privacy breach to light. He submits that he has not shared the Image with any other individual(s) and, with the exception of his providing it to his lawyer, he does not plan to disseminate the Image.

[19]  The Respondent submits that in asking him to delete the Image, this office is asking him to delete evidence that is required in order to hold the Physician and his staff accountable for openly displaying personal health information to unauthorized individuals. The Respondent also submits that in asking him to delete the image, this office is interfering with his ability to defend his actions in court.

[20]  In light of the Respondent’s concerns regarding the possible destruction of evidence necessary for any legal proceedings, this office sought an undertaking from the Physician. On November 28, 2016, the Physician signed an undertaking (the Undertaking) that he will:

  1. retain at least one copy of the Image, in the format in which it was received, for a period of time not less than two (2) years from the date of [the] Undertaking;
  2. ensure that administrative, technical and physical safeguards that are reasonable in the circumstances are in place to ensure that the Image is protected against theft, loss and unauthorized use or disclosure and will further ensure that the Image is retained, transferred and disposed of in a secure manner;
  3. not use or disclose the Image except as permitted or required by law. For greater clarity, nothing in [the] Undertaking restricts the ability of the [Physician] to disclose copies of the Image to his legal counsel in the course of receiving advice and representation with respect to these matters; and,
  4. comply, subject to any right of appeal, with any order of a court or tribunal of competent jurisdiction requiring disclosure of the Image.

[21]  This office provided the Respondent with a copy of the Undertaking and invited submissions on what the Respondent considers an appropriate remedy in this matter. The Respondent again advised that he does not plan to share the Image with anyone other than his lawyer for the purpose of bringing a legal action against the Physician. He emphasized that, in his opinion, he is not the reason the parties are the subject of this review. Rather, he felt compelled to document what he referred to as “a major lack of professionalism” in the Physician’s office.

[22]  In this decision, I find that the Respondent is a recipient of other individuals’ personal health information that was disclosed to him by the Physician. I find that the Respondent’s use of his own personal health information is not in contravention of the Act, but that his use of other individuals’ personal health information contravenes section 49(1) of PHIPA. I order the Respondent to securely dispose of the recorded personal health information of other individuals, pursuant to the powers of this office as set out in section 61(1)(e) of the Act.

ISSUES:

  A. Do the Image and the photographs depicted in the Image contain “personal health information” within the meaning of the Act?
  B. Is the Respondent’s use and/or disclosure of this personal health information governed by section 49(1) of the Act?
  C. Is the Respondent’s use and/or disclosure of this personal health information in contravention of section 49(1) of PHIPA?
  D. If the answer to Issue C is “yes”, what is the appropriate remedy?

DISCUSSION:

[23]  As a preliminary matter, I confirm that the Physician is a health care practitioner and therefore a “health information custodian” as defined in section 3(1) of the Act. In addition, there is no dispute that the Respondent is not a health information custodian under the Act.

Issue A:  Do the Image and the photographs depicted in the Image contain “personal health information” within the meaning of the Act?

[24]  To determine whether the Act applies, I must first determine whether the Image and the photographs depicted in the Image contain “personal health information.”

[25]  “Personal health information” is defined in section 4(1) of PHIPA as follows:

identifying information about an individual in oral or recorded form, if the information,

(a) relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family,

(b) relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual,

(c) is a plan of service within the meaning of the Home Care and Community Services Act, 1994 for the individual,

(d) relates to payments or eligibility for health care, or eligibility for coverage for health care, in respect of the individual,

(e) relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such body part or bodily substance,

(f) is the individual’s health number, or

(g) identifies an individual’s substitute decision-maker.

[26]  In addition, sections 4(2) and 4(3) state:

(2)  “identifying information” means information that identifies an individual or for which it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify an individual.

(3)  Personal health information includes identifying information that is not personal health information described in subsection (1) but that is contained in a record that contains personal health information described in that subsection.

[27]  The information at issue in this review is contained in a screenshot depicting two photographs, and the photographs themselves. The photographs depict a computer screen in the Physician’s examination room. No party disputes that the Respondent has photographed and thereby recorded personal health information of individuals in the custody or control of the Physician. There is no dispute that, if the information in the screenshot and the photographs is legible, this information is identifying information within the meaning of the Act, and that this information, at the very least,

  • relates to the physical or mental health of the individuals (where there is a notation next to the name), and
  • relates to the providing of health care to the individuals, including the identification of the Physician as a provider of health care to the individuals.

[28]  The Physician has confirmed that the screenshot shows the daily schedule of the Physician’s EMR for January 6, 2016, containing the personal health information of 72 patients. The Physician’s lawyer has stated that the screenshot, which was received in PNG format, is “potentially legible” and further notes that the version of this screenshot provided to the IPC was converted into PDF format for the purpose of redacting patient names, which “further distorted the image”. I have reviewed the redacted version of the screenshot [1] and, while I am unable to decipher the text of this image due to it being blurry, I am satisfied on a balance of probabilities that the original version of the screenshot is decipherable – and thereby contains personal health information. The Physician’s lawyer indicates that the PNG version of the image is potentially legible. Moreover, in his email to the Physician attaching this screenshot, the Respondent indicated that the screenshot “clearly outlines private and confidential information”. In light of the Respondent’s statement, I am satisfied that the screenshot, even if only the version in the hands of the Respondent, is legible.

[29]  While there is no evidence the Respondent sent the underlying photographs to the Physician, the screenshot clearly depicts that the Respondent has at least two photographs of the Physician’s EMR screen. In his email to the Physician, the Respondent stated that he has a “picture that clearly displays other patients [sic] private information ….” I am mindful of the difference between a screenshot depicting an electronic photograph and the underlying electronic photograph, and in particular note that the electronic photograph will generally contain greater detail and resolution than a screenshot of that photograph. Again, I am satisfied on a balance of probabilities that the Respondent has taken and retained photographs of the Physician’s EMR screen that are decipherable, and thereby contain identifying information that is personal health information.

[30]  In the circumstances, I find that the information at issue in this review is personal health information of the Physician’s patients within the meaning of sections 4(1)(a) and (b) of PHIPA. The screenshot and photographs at issue contain the names of the Physician’s patients and therefore fit within section 4(1)(b) of the definition. In addition, next to a number of the names are brief notations relating to the physical or mental health of the named patient, and therefore this fits within section 4(1)(a) of the definition. I further find that the screenshot and the photographs constitute a “record” of personal health information as that term is defined in the Act.

[31]  I find that the Image contains the personal health information of the Respondent as well as that of 71 other individuals.

Issue B:  Is the Respondent’s use and/or disclosure of this personal health information governed by section 49(1) of the Act?

[32]  The IPC initiated the present review under section 58(1) of the Act because this office had reasonable grounds to believe that the Respondent had contravened or was about to contravene section 49(1) of the Act. In determining whether the Respondent’s actions were in contravention of section 49(1) of PHIPA, I must first decide whether the Respondent’s use and/or disclosure of this personal health information is governed by section 49(1) of PHIPA.

Section 7(1)(b)(ii) of the Act states:

7. (1) Except if this Act or its regulations specifically provide otherwise, this Act applies to,

(b) the use or disclosure of personal health information, on or after the day this section comes into force, by,

(ii) a person who is not a health information custodian and to whom a health information custodian disclosed the information, even if the person received the information before that day[.]

[33]  Section 49(1) of the Act sets out rules for recipients of personal health information from health information custodians. This section states:

49. (1) Except as permitted or required by law and subject to the exceptions and additional requirements, if any, that are prescribed, a person who is not a health information custodian and to whom a health information custodian discloses personal health information, shall not use or disclose the information for any purpose other than,

(a) the purpose for which the custodian was authorized to disclose the information under this Act; or

(b) the purpose of carrying out a statutory or legal duty.

[34]  In addition, section 49(2) addresses the extent of any allowable use or disclosure of personal health information by recipients of personal health information from health information custodians. This section states:

(2) Subject to the exceptions and additional requirements, if any, that are prescribed, a person who is not a health information custodian, and to whom a health information custodian discloses personal health information, shall not use or disclose more of the information than is reasonably necessary to meet the purpose of the use or disclosure, as the case may be, unless the use or disclosure is required by law.

Did the Physician “disclose” this personal health information within the meaning of the Act and was this disclosure authorized under the Act?

[35]  The parties were invited to address the question of whether the Physician disclosed the personal health information to the Respondent within the meaning of the Act, and whether this disclosure was authorized.

[36]  In response, the Physician states:

[The Physician] did not disclose personal health information to the Respondent. The Respondent has inappropriately accessed and taken the personal health information of other patients contained on the computer screen image, without authorization. As a result of this unauthorized access and theft, [the Physician] has provided due notice to affected patients, in accordance with his obligations under [the Act].

[37]  The Respondent states:

The photo in question was taken at my former Physician’s office when a serious breach of privacy/confidentiality occurred and [the personal health information] of myself and dozens of others was openly displayed on a computer screen that the doctor or his staff failed to properly shut down, jeopardizing the privacy of myself and many patients. …

[38]  The word “disclose” is defined in section 2 of the Act as follows:

“disclose”, in relation to personal health information in the custody or under the control of a health information custodian or a person, means to make the information available or to release it to another health information custodian or to another person, but does not include to use the information, and “disclosure” has a corresponding meaning; (“divulguer”, “divulgation”)

[39]  Other than the evidence of the Respondent, who was apparently the only person present when he took the photo of the personal health information of himself and others, I have no direct information regarding how the personal health information of others came into his possession. The Respondent states that the personal health information of himself and others “was openly displayed on a computer screen that the doctor or his staff failed to properly shut down.”

[40]  The Physician takes the position that the Respondent “inappropriately accessed” the personal health information of others without authorization, and that this constitutes “unauthorized access and theft”.

[41]  What is clear is that the Respondent took a photo of a computer screen at the doctor’s office. In these unique and unusual circumstances, I am satisfied that the personal health information at issue was “made available” to the Respondent by the Physician. I accept that this was done inadvertently and in error, and that there was no intention to make the information available to the Respondent. However, the fact is that the Respondent was able to take a photo of the information while attending at the Physician’s office, and that the Physician, as the health information custodian with custody or control of this personal health information, displayed this personal health information to the Respondent. In these circumstances, I am satisfied that the Physician made this information available, and thereby disclosed personal health information to the Respondent for the purpose of section 49(1). [2]

[42]  To summarize, based on my review of the particular circumstances that resulted in this Review, I am satisfied that the Physician disclosed personal health information to the Respondent, who is not a health information custodian, within the meaning of section 49(1).

[43]  Section 29 of the Act provides as follows:

29. A health information custodian shall not collect, use or disclose personal health information about an individual unless,

(a) it has the individual’s consent under this Act and the collection, use or disclosure, as the case may be, to the best of the custodian’s knowledge, is necessary for a lawful purpose; or

(b) the collection, use or disclosure, as the case may be, is permitted or required by this Act.

[44]  There is no evidence or information before me to suggest that this disclosure of personal health information was authorized under the Act. In particular, there is no evidence or suggestion that the Physician had obtained consent to disclose this personal health information to the Respondent, nor that this disclosure would otherwise be authorized under the Act without consent. As such, I find that this disclosure was not authorized for any purpose under the Act.

[45]  While I have found that this disclosure was not authorized, I have not made any findings regarding whether the Physician complied with the obligations imposed by sections 12(1) and 13(1) of the Act to maintain the security of personal health information. As noted above, that matter is being addressed by this office in a separate file.

Issue C:  Is the Respondent’s use and/or disclosure of this personal health information in contravention of section 49(1) of the Act?

[46]  As noted above, section 49(1) of the Act sets out rules for recipients of personal health information from health information custodians. This section states:

49. (1) Except as permitted or required by law and subject to the exceptions and additional requirements, if any, that are prescribed, a person who is not a health information custodian and to whom a health information custodian discloses personal health information, shall not use or disclose the information for any purpose other than,

(a) the purpose for which the custodian was authorized to disclose the information under this Act; or

(b) the purpose of carrying out a statutory or legal duty.

[47]  Subject to the exceptions set out in section 49(1), this section prohibits the Respondent from using or disclosing the personal health information “for any purpose”.

a) Did the Respondent use the personal health information, or is it anticipated that he will?

[48]  Section 2 of the Act defines the term “use” as follows:

“use”, in relation to personal health information in the custody or under the control of a health information custodian or a person, means to handle or deal with the information, subject to subsection 6(1), but does not include to disclose the information, and “use”, as a noun, has a corresponding meaning. [3]

[49]  Section 6(1) of the Act has no application to the circumstances in this file.

[50]  The Respondent’s statements clearly indicate that he took photographs of the personal health information of other individuals, and that he has retained a copy of those photographs. His correspondence plainly demonstrates that he has viewed these photographs and sent a screenshot of these photographs to the Physician. I am satisfied that the Respondent “handled” or “dealt with” this personal health information, and therefore used the personal health information within the meaning of the Act.

[51]  Furthermore, based on the Respondent’s statements that he intends to “bring [the Physician’s] privacy breach to light,” I am also satisfied the Respondent intends to “use” the personal health information for other purposes in the future.

b) Did the Respondent disclose the personal health information, or is it anticipated that he will?

[52]  As noted above, the word “disclose” is defined in section 2 of the Act as follows:

“disclose”, in relation to personal health information in the custody or under the control of a health information custodian or a person, means to make the information available or to release it to another health information custodian or to another person, but does not include to use the information, and “disclosure” has a corresponding meaning; (“divulguer”, “divulgation”)

[53]  Based on the information set out above, and based on the Respondent’s statement that he has not shared the Image with any other individual(s), and in the absence of any evidence to the contrary, I am satisfied that the Respondent has not “disclosed” the personal health information at issue.

[54]  However, based on the Respondent’s statements that he intends to share the Image with his lawyer for “the purpose of bringing legal action” and to “bring [the Physician’s] privacy breach to light,” I am satisfied the Respondent intends to “disclose” the personal health information for other purposes in the future.

c) Is the Respondent’s use and/or disclosure of this personal health information in contravention of section 49(1) of PHIPA?

[55]  As noted above, section 49(1) of the Act sets out restrictions on recipients who are not health information custodians but who receive personal health information from health information custodians. Section 49(1) prohibits the Respondent from using or disclosing the personal health information “for any purpose”, except where the use and/or disclosure is:

  • permitted or required by law;
  • for the purpose for which the health information custodian was authorized to disclose the information under the Act;
  • for the purpose of carrying out a statutory or legal duty; or,
  • subject to prescribed exceptions and additional requirements, if any.

[56]  As noted above, the parties were asked to identify what uses and/or disclosures the Respondent made or intended to make of the personal health information.

[57]  The Respondent takes the position that he should be able to provide the Image to his lawyer in order to pursue “[the privacy breach] in a court of law.” The Respondent maintains that the Image is evidence, which he requires in order to hold the Physician and his staff accountable for openly displaying personal health information to unauthorized individuals, as well as for defending his own actions in court.

Analysis and Findings

[58]  To begin, as I found above, I am satisfied there were no purposes for which the Physician (as the health information custodian) was authorized to disclose the personal health information to the Respondent (a non-health information custodian) under the Act. As a result, the exception in section 49(1)(a) (which would permit a recipient to disclose the personal health information for the purpose for which the health information custodian was authorized to disclose the information under the Act) does not apply to the circumstances of this case.

[59]  In response to whether the uses or disclosures are “permitted or required by law” as set out in section 49(1) or are for the purpose of “carrying out a statutory or legal duty,” in section 49(1)(b), the Respondent’s representations simply refer to the fact that he took the photograph of the computer screen and retained it because he intends to pursue various legal processes. Specifically, he states that he should be able to provide this information to his lawyer as he is “planning to pursue [the privacy breach] in a court of law.” He also states that he intends to give it to his lawyer, and that he requires the information to “prove the breach.” Apart from the vague references noted above, he has provided no evidence that he has commenced an action or proceeding of any sort, or that he has hired a lawyer to pursue any of these legal processes.

[60]  The Respondent has already clearly used this personal health information. There is no evidence or legal argument to suggest that the Respondent is “required by law” or under a statutory or legal duty to use or disclose this personal health information “to pursue [the privacy breach] in a court of law” or “prove the breach.” The Respondent’s actions appear to be, from a legal point of view, wholly voluntary. At best, the Respondent could be “permitted by law” to take the above actions. However, on the facts of this case, I do not need to decide whether commencing a legal proceeding is a use or disclosure of personal health information that is, without anything more, “permitted by law” within the meaning of section 49(1) of the Act. The Respondent took the photograph in issue approximately 18 months ago. Despite his numerous statements, there is no evidence to suggest that he has commenced any legal proceeding, that he has retained a lawyer for that purpose, nor that anyone else has commenced a proceeding with respect to this matter (other than this office).

[61]  In June 2017, the IPC made the following specific enquiries of the Respondent:

  1. Do you still have the image taken of your former Physician’s computer screen and schedule, and/or any copies of that image?
  2. Have you shared the image and/or the information in it with any other individuals (including, for example, your lawyer)?
  3. Have you commenced legal action of any sort, or hired a lawyer to pursue any legal processes, in relation to the image and/or the information in it?

[62]  In his response, the Respondent did not answer the above questions, and “strongly protest[ed]” to the third question. Given the Respondent’s refusal to respond to these questions, I am unable to conclude that the Respondent’s reference to commencing a legal proceeding and communicating with legal counsel is anything more than a bald assertion. Given the circumstances resulting in this review, I find that the Respondent is not entitled to use personal health information that has been disclosed to him without authorization, based on a bald assertion that he intends to commence a legal proceeding or that it is required to prove the breach. [4]

[63]  Further, with respect to his position that he requires the information to “prove the breach,” it is clear from the information set out above that the Physician has confirmed that this incident occurred, and that all of the individuals whose personal health information is at issue were notified of the breach. As a result, I do not accept the Respondent’s position that he requires the information to “prove the breach.” Neither the fact of the “breach” nor the scope of the “breach” could reasonably be in dispute: the Physician has communicated these facts to the individuals whose personal health information is at issue. There is no evidence that any other individual viewed personal health information on the Physician’s EMR screen in the same manner as the Respondent. In any event, the Physician has undertaken to retain a copy of the screenshot disclosed by the Respondent and to comply with any order of a court or tribunal of competent jurisdiction requiring disclosure of the Image.

[64]  Lastly, the Respondent’s correspondence suggests that he wishes to involve other individuals whose personal health information was disclosed and is recorded on the photograph he took in his proposed legal proceedings. There is no evidence before me that any of these other individuals, who were notified of the breach, have any interest in pursuing this matter further.

[65]  As noted above, to the extent this file raises broader issues about the steps taken by the Physician to keep personal health information in his custody or control secure, that is being dealt with by the IPC in a separate file.

[66]  In the circumstances, and in the absence of further evidence of existing litigation which necessitates the Respondent’s retention of this personal health information, I find that the Respondent’s uses of the personal health information are not “permitted or required by law” or for the purpose of “carrying out a statutory or legal duty.” As such, I find that the Respondent has used this personal health information in contravention of the Act. In light of my finding that there is no evidence of any proceeding, I do not need to address whether his intended use and/or disclosure of this personal health information for such a proceeding would be authorized under the Act.

[67]  I have also considered whether any prescribed “additional requirements” under section 49(1) would apply in the circumstance. In that regard, I have reviewed the provisions in sections 21, 22 and 23 of O. Reg. 329/04 under PHIPA. The only section which could apply in the circumstances of this appeal is section 21(1)(a) which reads:

Section 49 of the Act does not apply,

(a) to an individual or a substitute decision maker of an individual in respect of personal health information about the individual;

[68]  In the circumstances, I find that because of this provision, section 49(1) does not apply to the Respondent’s own personal health information.

[69]  In summary, I find that the Respondent’s use of his own personal health information is not in contravention of section 49(1) of PHIPA, but that the Respondent’s use of other individuals’ personal health information is in contravention of section 49(1) of PHIPA.

[70]  In light of my finding that the Respondent’s use of this personal health information was not authorized under section 49(1) of the Act, I need not address the application of section 49(2) to this case.

Issue D: If the answer to Issue C is “yes”, what is the appropriate remedy?

[71]  Having found that the Respondent’s use of personal health information relating to other individuals is in contravention of section 49(1) of the Act, I must determine the appropriate remedy in the circumstances. I invited the parties to address the appropriate remedy, but did not receive any submissions on this issue.

[72]  Section 61 of PHIPA sets out the powers of this office. Section 61(1)(e) reads:

After conducting a review under section 57 or 58, the Commissioner may,

(e) make an order directing any person whose activities the Commissioner reviewed to dispose of records of personal health information that the Commissioner determines the person collected, used or disclosed in contravention of this Act, its regulations or an agreement entered into under this Act but only if the disposal of the records is not reasonably expected to adversely affect the provision of health care to an individual;

[73]  In the circumstances, I find that the appropriate remedy is to order the Respondent to securely dispose of the personal health information of other individuals [5] contained in the Image, the photographs depicted in the Image, and any other photographs of the Physician’s computer screen, including all copies of this personal health information. I am satisfied that doing so is not “reasonably expected to adversely affect the provision of health care to an individual” as contemplated by section 61(1)(e).

[74]  In determining that this is the appropriate remedy, I note the Physician’s signed undertaking, in which he agrees to retain the Image for a defined time period, ensure that reasonable safeguards are in place for the retention of the Image in a secure manner, and comply with any order of a court or tribunal of competent jurisdiction requiring disclosure of the Image.

[75]  In conclusion, nothing in the Act permits the Respondent to seize and retain the personal health information of others at will and he must now destroy it.

ORDER:

  1. For the foregoing reasons, pursuant to section 61(1) of the Act, I order that the Respondent:

    (a) forthwith securely dispose of the recorded personal health information in his custody or control relating to individuals other than the Respondent depicted in:

      1. the Image,
      2. the photographs depicted in the Image, and
      3. any other photographs of the Physician’s computer screen,

    including all copies of such personal health information in whatever medium they may be maintained, and

    (b) provide this office with an affidavit sworn by the Respondent confirming that the records of personal health information of individuals other than the Respondent referred to in (a), and all copies thereof, have been destroyed, by no later than September 8, 2017.

Original Signed by:

August 9, 2017

Frank DeVries

Senior Adjudicator


[1] The Image provided to this office is a copy of the one provided to the Physician. This office obtained the Image from the Physician’s lawyer and not from the Respondent directly.

[2] I make no finding regarding the Physician’s position that taking a photo of the computer screen constitutes “theft.” I need not do so in order to find that the Physician “disclosed” the information to the Respondent.

[3] This is the version of the definition of “use” in the Act in force at the time the photograph was taken. Since that time, the definition has been amended to clarify that viewing is also a “use”. This clarification does not affect my findings with respect to whether the Respondent used the personal health information at issue.

[4] I have considered section 9(2)(c) of the Act in coming to this conclusion, and find it does not apply to the facts of this case because there is no evidence of any such proceeding.

[5] In light of the exception to section 49(1) of the Act contained in section 21(1)(a) of O. Reg. 329/04, my order only applies to the personal health information about individuals other than the Respondent.
