PHIPA DECISION 50

HR15-160

A Medical Clinic Operating as a Group Practice

August 31, 2017

Summary: A medical clinic reported that the service provider hosting its electronic medical records had improperly transferred some patient files to a physician leaving the clinic. After investigating the circumstances, the IPC decides not to conduct a review under the Personal Health Information Protection Act. The parties entered into a consent court order resolving the dispute over the patient files, and the clinic has taken steps to amend its Association Agreement to clarify responsibility for patient records and address succession planning.

Statutes considered: Personal Health Information Protection Act, 2004, sections 2, 12(1), 13(1), 17 and 58(1); O. Reg. 329/04, section 6.

BACKGROUND:

[1]  This investigation was opened under the Personal Health Information Protection Act (the Act) as a result of information submitted by a medical clinic (the Clinic). The information provided raised concerns regarding the alleged actions of an electronic service provider (the ESP) to the Clinic, a physician who had been practicing at the Clinic, as well as the Clinic itself.

[2]  The Clinic is an association of several doctors who provide medical services. The Clinic uses electronic medical records (EMR), a service provided by the ESP, to collect, use, modify, disclose, retain and dispose of personal health information. The physician was designated an associate of the Clinic, and provided health care at the Clinic, from late August 2011 until October 30, 2015.

[3]  On October 28, 2015, the Clinic contacted the Office of the Information and Privacy Commissioner of Ontario (the IPC) to report a potential breach of the Act. This was followed by a written report from the Clinic dated November 24, 2015. In its correspondence, the Clinic identified concerns with the ESP’s management of patient data. The Clinic stated that it had lost control of some of the personal health information contained in its EMR database managed by the ESP. Specifically, the Clinic stated the following:

This complaint relates to the conduct of individuals employed by the EMR provider [The ESP] where their conduct resulted in the copying and removal of patient charts of the [Clinic] Group Practice EMR database on or about May 5th, 2015 and again on October 27th, 2015 and providing it to a physician leaving the group practice. [Emphasis in original]

[4]  In conducting the investigation, I requested submissions from the Clinic, the physician and the ESP. While the Clinic and the physician submitted separate responses, the ESP did not respond and as such, the investigation was conducted without input from the ESP.

[5]  Unless otherwise indicated, the following facts are not in dispute.

May 5, 2015 Incident

[6]  On or about May 5, 2015, a patient attended the Clinic and the Clinic discovered that records of personal health information pertaining to this patient were missing from the EMR hosted by the ESP. Upon further inquiry, the Clinic determined that it could not access the records of 404 patients, concluding that they had disappeared from the EMR. According to the Clinic, the physician informed it later that month that he had contacted the ESP, which had provided him with his own EMR database to which these records were transferred. The Clinic explained that these records reappeared in its EMR in June 2015, although the physician denies ever hiding patient files.

[7]  In an email to the Clinic dated May 26, 2015, the physician stated that the files transferred out of the Clinic’s database were “my private patient files”. The Clinic informed the physician that he had contravened the written Association Agreement which grants all associates access to all of the patient records in the Clinic EMR.

[8]  The physician maintained and operated his own family medical practice in addition to seeing patients at the Clinic. The physician stated that a business dispute developed between him and the Clinic in May of 2015 and that the Clinic challenged his conduct, taking issue with the physician having his own ESP account for patients at his family practice.

October 27, 2015 Incident

[9]  On October 27, 2015, the physician attended the Clinic and entered his office alone. The Clinic determined that afterwards it no longer had access in its EMR to records of personal health information pertaining to the patients for whom the physician was assigned as the most responsible physician. The Clinic concluded that the electronic records of 392 patients had been removed from the Clinic EMR and control was transferred by the ESP to the physician. On October 30, 2015, the physician ceased being an associate of the Clinic.

[10]  In relation to the events of both May and October 2015, neither the physician nor the ESP obtained the Clinic’s consent for transferring or otherwise copying the records contained in the Clinic’s EMR. The Clinic stated that the fact that the patient files were transferred to the physician remained unclear for about 60 days, but was disclosed by the ESP to the Clinic on December 22, 2015. During this period the Clinic physicians and staff did not have access to these records.

[11]  The parties went to court regarding this dispute. On October 29, 2015, the Ontario Superior Court of Justice in Windsor issued an order, on consent, directing the Clinic to “… deliver up to [the physician] all of his original patient files forthwith.” The Court also ordered the Clinic to direct the ESP to permit the physician “… access to any of his patient electronic charts by remote access utilizing the [ESP’s] software used to record and maintain electronic medical records.” As this was a consent order, the Court did not adjudicate the respective rights of either the Clinic or the physician.

[12]  The Clinic now asserts that the Court erred by ordering that the original patient charts be turned over to the physician in the absence of individual patient consents. The Clinic also asserts that “the Court was misled and the order is not in compliance with CPSO standards or the law.”

[13]  There is no dispute that the records at issue in this file are records of personal health information as defined in section 4 of the Act. However, the Clinic and the physician dispute which of them was the health information custodian with custody or control of these records within the meaning of section 3 of the Act.

ISSUES:

  1. Is a review warranted under the Act?
  2. What are the obligations of health information custodians for the security and handling of records?
  3. What are the obligations of agents with respect to the handling of personal health information?

DISCUSSION:

A: Is a Review Warranted under the Act?

[14]  Section 58(1) of the Act sets out the Commissioner’s discretionary authority to conduct a review as follows:

58(1) The Commissioner may, on his or her own initiative, conduct a review of any matter if the Commissioner has reasonable grounds to believe that a person has contravened or is about to contravene a provision of this Act or its regulations and that the subject-matter of the review relates to the contravention.

[15]  In accordance with my delegated authority to determine whether a review is conducted under section 58(1) of the Act and for the reasons set out below, I find that a review is not warranted.

[16]  Both the Clinic and the physician assert that they, and not the other, are the health information custodian of the records at issue. During the course of my investigation, both parties expressed their opinions on this issue. After careful consideration of the facts, I conclude that it is not necessary for me to make a determination on this point, and a review is not warranted, in light of the consent order.

Consent Order

[17]  The consent order of the Superior Court referred to above arose from a motion brought by the physician. Part of the motion addressed the patient records, and requested that the Clinic “provide access to all medical charts in its custody, either in physical or electronic form, to [the physician] without any restriction whatsoever and to further refrain from keeping, altering or in any way handling these medical records.”

[18]  According to the physician, the Clinic’s request for an adjournment was denied and the parties entered into negotiations regarding a draft court order. On October 29, 2015, the draft order was presented to the Superior Court in Windsor, was signed by a judge of that Court and was subsequently issued and entered. Included in the order’s provisions were the following:

That the Clinic “shall deliver up to [the physician] all of his original patient files forthwith.”

That the Clinic “shall direct [the ESP] to permit [the physician] to have access to any of his patient’s electronic charts by remote access utilizing the [ESP’s] software used to record and maintain electronic medical records.”

[19]  As noted above, this was a consent order and the Court did not adjudicate the respective rights of the parties.

[20]  The Clinic has challenged the order in submissions to the IPC, alleging that the physician perjured himself, and that the Court was misled.

[21]  It is not clear whether the actions of the physician and the ESP that were raised with the IPC fall squarely within the terms of this consent order. The consent order does not expressly address the “transfer” of the electronic records of personal health information. Rather, the order permits the physician access to “any of his patient’s electronic charts” via the ESP and addresses the “delivery” of original patient files. While I note this aspect of the order is not clear, any ambiguity about the terms of the consent order is a matter that is most appropriately addressed between the parties and the Court. Despite some lack of clarity, it is apparent that the parties intended to resolve their disputes over custody of patient files, and permit the physician to take patient files to his new practice.

[22]  The consent order was issued and entered after the actions of the physician and the ESP had already occurred. While the Court order only came about after the fact, the Clinic and the physician have now consented to the terms under which the physician would obtain original patient files and under which the physician would have access to his electronic charts utilizing the EMR, as part of the court process. Any adjudication by the IPC of the Clinic’s concerns would have to consider the impact of the Court order. There is a further prospect that an IPC decision in this matter adjudicating the respective obligations of the physician, the Clinic and the ESP under the Act may be inconsistent with the terms of the consent order.

[23]  Despite the Clinic’s expressed concerns with this order and the manner in which it came about, the information before me indicates that the order is valid and has not been challenged by the Clinic through the Court process. Having consented to an order addressing their respective obligations and rights with respect to the physician’s access to records of personal health information in the EMR, and delivery of his original patient files, the Clinic’s concerns are more properly addressed as part of the Court process.

[24]  I emphasize that I am drawing no conclusions on how these circumstances would be interpreted by the IPC under the Act, absent the consent order.

Finding

[25]  The decision of whether to conduct a review under section 58(1) of the Act is discretionary. For the foregoing reasons, and because of the additional steps taken by the Clinic in response to this incident, referenced below, I will not be conducting a review of this matter.

[26]  Although I find that a review is not warranted under section 58(1) of the Act, the circumstances in this case demonstrate the risks when parties fail to address in their agreements who has responsibility for patient records, through identification of the health information custodian, and what will happen when a physician leaves the custodian. In order to provide guidance to parties in future cases, I will discuss some of the obligations imposed on health information custodians and describe the steps taken by the Clinic after this incident.

B: What are the obligations of health information custodians for the security and handling of records?

Section 12(1) of the Act requires that health information custodians take reasonable steps to ensure that records of personal health information in their custody or control are protected against theft, loss, unauthorized use or disclosure, and unauthorized copying, modification or disposal. Section 13(1) of the Act requires that health information custodians retain, transfer, and dispose of records of personal health information in a secure manner.

[27]  Taken together, sections 12(1) and 13(1) of the Act impose significant obligations on health information custodians to protect personal health information in their custody or control. One of the most important ways that health information custodians can protect this information, particularly in a multi-party relationship, is by clearly setting out roles and responsibilities in writing. At the most basic level, this includes addressing who is the health information custodian assuming the responsibilities under sections 12(1) and 13(1), and who is responsible for personal health information in the event of a change of practice. All too often, individuals and organizations report privacy breaches to the IPC where, at their core, the issues in dispute stem from a failure of the parties to properly clarify and document their own relationship and obligations.

[28]  A decade ago, the IPC published a guidance document entitled “How to Avoid Abandoned Records: Guidelines on the Treatment of Personal Health Information, in the Event of a Change in Practice”. [1] Among other things, this document provided guidance that is applicable to this matter:

Be Proactive

From the outset, custodians should think proactively about how they will continue to meet their obligations under PHIPA, in the event of a change in practice. The following best practices may assist in this regard.

Clearly Identify the Custodian

While the determination of who is the health information custodian may be obvious for sole practitioners, it may not be as clear for health care practitioners who work together in a group practice. In some situations, two or more practitioners may establish a partnership, with each being a custodian. In other cases, custodians may employ one or more health care practitioners to work as their agents. Where a group practice is incorporated, the professional corporation is the custodian and the practitioners are its agents.

In group practice settings, there must be clear identification of who the custodian is and formal agreements about the obligations of each person involved in the group practice with respect to records of personal health information in the event of a change in practice.

Group Practice Agreement

Custodians engaged in group practice should address the continuity of record management in their practice agreement. In formalizing such agreements, all health care practitioners should bear in mind that they may have professional obligations with respect to the handling of records of personal health information, regardless of whether they are considered to be health information custodians under PHIPA. As a best practice, the following privacy safeguards should be addressed in the agreement:

  • Arrangements for the secure storage of records. If the services of an agent (e.g. record storage company) are used, then the practice agreement should clearly identify the agent and its responsibilities. As discussed above, it is a best practice to have a separate agreement with the agent that clearly sets out its obligations with respect to personal health information.

  • The method of distribution of records in the event of a change in practice.

  • The requirement to notify individuals as suggested in the Guidelines in the event of change in practice.

  • How to deal with the unforeseen departure of a custodian. In these situations, at a minimum:

    o Individuals should be notified of the change in practice; and

    o Records should be kept in a secure location until another custodian assumes responsibility for the records, or an individual directs the file to be transferred to another custodian.

[29]  The matter before me may have been avoided if several practical steps had been taken. First, the Association Agreement should have clearly identified the custodian.

[30]  Second, the Association Agreement should have described the circumstances in which patient records may be copied, disclosed, transferred or destroyed. Third, succession planning was not addressed. The Association Agreement should clearly explain what happens to records of personal health information when a physician leaves the association and the process to be followed in that regard. In this case, there appears to have been genuine confusion concerning who is the health information custodian and who will retain patient records in the event a physician leaves the association.

[31]  I am encouraged that, during the course of my investigation, the Clinic adopted provisions identifying the custodian and specifying what happens to patient records in the event a physician leaves.

[32]  Based on the Clinic’s efforts to revise its Association Agreement, as well as the other reasons expressed in this Decision, I conclude that a review pursuant to Part VI of the Act is not warranted.

[33]  In summary, it is in the best interest of health care practitioners, group practices of health care practitioners, ESPs and patients to have a clear understanding about who is responsible for patient records, through identifying who is the health information custodian. Furthermore, as demonstrated in the circumstances of this investigation, an agreement on what happens to health records upon the ending of such relationships is critical to a smooth transition.

C: What are the obligations of agents with respect to the handling of personal health information?

[34]  Under the Act, health information custodians are permitted to use electronic means to collect, use, modify, disclose, retain or dispose of personal health information, subject to the prescribed requirements described in section 10. Entities such as the ESP, which provide services for the purpose of enabling a health information custodian to avail itself of electronic medical records, may or may not be agents of the custodian. [2]

[35]  Section 2 of the Act defines the term “agent” as a person acting under the authorization of a custodian for the custodian’s purposes as it concerns the handling of personal health information. Section 17 of the Act outlines the conditions in which a custodian may permit an agent to act on its behalf. This includes the condition that, absent any permitted exceptions or legal requirements, agents require the custodian’s permission to collect, use, disclose, retain or dispose of personal health information.

[36]  Broadly speaking, the rules for agent and non-agent electronic service providers reflect the fact that the person who provides services to the custodian is not the decision-maker with respect to the personal health information and acts at the direction of the health information custodian. [3] Of course, in acting at the direction of the health information custodian, it is essential that the custodian be clearly identified so that there is no confusion regarding who has authority over the personal health information.

[37]  The obligations placed upon agents cannot be separated from the custodian. Health information custodians are responsible for the actions of their agents. In turn, agents require clear direction from custodians regarding the collection, use, disclosure, retention and disposal of personal health information. While not mandated by the Act, the circumstances of this case support making these directions explicit and written. The agent must be able to identify the custodian; the terms of service must be clear; and the agent must agree to abide by the custodian’s direction.

[38]  In this case, the Clinic asserts that the ESP is its agent and that the ESP permitted and facilitated the transfer of patient records from the Clinic’s EMR database to a separate ESP hosted database controlled by the physician. The Clinic asserts that this was done without its consent and without notice to it. There was also no attempt by the ESP to inform the Clinic that the transfer of patient records had occurred. It was only after a patient attended the Clinic that his records were discovered to be inaccessible.

[39]  The Service Provider Agreement between the Clinic and the ESP outlines the terms imposed on the ESP. Of note, item 6.1 states, in part, that “[the ESP] considers data, including patient data, inputted and generated by Customer [Clinic] using the Hosted Software to be the data and personal information of Customer and its patients, as applicable…. [the ESP] does not access or examine data except at Customer’s request and only for the purposes of providing Customer with technical support.”

[40]  The Service Provider Agreement does not instruct the ESP to either notify or obtain the Clinic’s or patient’s consent to disclose records of personal health information. It is noted that the transfer of records to the physician in the May 2015 incident was discovered when a patient attended the Clinic. In the October incident, the missing records of personal health information were discovered at the initiative of the Clinic staff who were suspicious of the physician’s actions when he attended the Clinic on October 27, 2015.

[41]  As part of the amended Association Agreement, the Clinic has included a provision regarding ESPs. In summary, it requires written direction to be given to ESPs to permit them to copy patient files to the EMR of a physician who is not a member of the Association. Further, it explains that the written consent of patients is required to do so. It would be prudent for the Clinic to incorporate these amendments into the Service Agreement with the ESP.

[42]  In summary, I have determined that the Clinic acknowledged issues concerning the ESP and has amended its Association Agreement to require written direction to the ESP regarding copying patient files to EMRs belonging to physicians who are not members of the Association. While I am satisfied with the Clinic’s response to the concerns raised during this investigation, I also urge the Clinic to incorporate these measures into its agreements with ESPs.

NO REVIEW:

For the foregoing reasons, no review of this matter will be conducted under Part VI of the Act.

Original Signed by:

August 31, 2017

Jeffrey Cutler

Investigator

[1] Information and Privacy Commissioner of Ontario, May 2007. Online: https://www.ipc.on.ca/wp-content/uploads/Resources/up-abandonedrec_gdlines.pdf.

[2] Section 6(1) of O. Reg. 329/04, made pursuant to the Act, contemplates circumstances whereby persons provide electronic record management services yet are not considered agents.

[3] Halyna Perun, Michael Orr and Fannie Dimitriadis, Guide to the Ontario Personal Health Information Protection Act (Irwin Law: Toronto, 2005), 65.