PHIPA DECISION 52

HA15-8-2

St. Michael's Hospital

September 29, 2017

Summary: After being given the contents of his central health record at a hospital, including diagnostic images, an individual sought access to all the underlying electronic data about him held by the hospital, in its native, industry-standard electronic format, including data files produced by diagnostic equipment. This decision determines that the complainant is not entitled to access data in the hospital’s electronic systems, devices or archives that cannot be extracted through custom queries against reporting views available to the hospital.

Statutes considered: Personal Health Information Protection Act, 2004 , SO 2004, c 3, Sched. A, sections 4 , 52(1) , 52(3) , 54(1) , 54(10) , and 54(11) .

Cases considered: McInerney v. Macdonald, [1992] 2 SCR 138, 1992 CanLII 57, Montana Band of Indians v. Canada (Minister of Indian and Northern Affairs), 1988 CanLII 5630 (FC).

Decisions considered: PHIPA Decision 17, PHIPA Decision 18.

INTRODUCTION:

[1]  This case concerns a request by an individual under the Personal Health Information Protection Act, 2004 (PHIPA or the Act), for access to his records of personal health information from St. Michael’s Hospital (the hospital), and the scope of a health information custodian’s obligation to provide access to data in electronic systems in responding to such a request. [1]

BACKGROUND:

[2]  The complainant’s request for access stated in part:

Records Requested

This request pertains to records characterized as follows:

• Excludes records previously disclosed; and,

• Includes all electronic records in native (machine readable) format; and,

• Includes all raw electronic data collected by medical devices.

Disclosure

The following disclosure is requested:

• Inventory for all existing data, whether permanent or transitory;

• For each record:

◦ Date of collection;

◦ Type of data, including its format specification; [and,]

◦ Raw data collected.

Production Format

I request that the records be provided in their native electronic file format. Please provide the data in an industry standard format, and (if applicable) proprietary format.

I prefer the data be delivered in a single encrypted, passphrase-protected archive. To minimize cost and delay, please send this archive to me at the address below. As you know, the encryption feature will ensure confidentiality, so delivery by email is permissible under these circumstances. This production format is well within current technical capabilities.

[3]  In response to the request, the hospital issued a decision granting access to what it understood to constitute the requester’s health records, with the exception of records that had been previously disclosed to the requester. The hospital offered to provide the records as an encrypted password-protected PDF file. The hospital’s decision letter further stated,

… unfortunately, we cannot provide the records in any other electronic format at this time, and we do not have a means to provide you with raw data or format specifications. We also do not have a means to provide you with dates of collection or types of data, except as these may appear as part of the health records themselves.

[4]  The requester advised the hospital that he did not want to receive the records in the format offered. The requester then filed a complaint with this office on the basis that the hospital did not provide access to responsive records, nor did it provide the requested records in the format outlined in the request.

[5]  During mediation of the complaint, the requester, now the complainant, provided additional information regarding the requested records, which the mediator shared with the hospital. The complainant also wrote directly to the hospital, stating that he was seeking underlying electronic data from his medical record rather than PDF-format copies of summary documents. He stated:

… I am seeking the following:

1.  An inventory of all items associated with my medical record; and,

2.  All electronic data associated with the items of the inventory (e.g. my electronic medical record). I seek the data in its native, industry-standard electronic format. This would include all data files produced by diagnostic equipment used when conducting procedures on me.

[6]  The complainant’s request for all data in native industry-standard format includes data in “HL7 format.”

[7]  The hospital issued a revised decision after internal consultations, including with its Director of Information Technology Operations and Director of Health Information Services. In its revised decision, the hospital offered to provide the complainant with electronic copies of all retained diagnostic images in DICOM format, as well as a history or inventory of all of the complainant’s hospital encounters in the form of a secured electronic spreadsheet in XLS format.

[8]  The hospital stated it was not possible to provide all of the requested records in HL7 format. It explained that HL7 is a format used to transmit data between selected hospital applications. This data is retained in large archive files, which pool the data of thousands of patients in millions of records. Extracting any information relating to the complainant from HL7 files would require significant expenditures and staff time, and interfere with the hospital’s operations.

[9]  At no cost to the complainant, the hospital provided the electronic records offered in its revised decision. The complainant subsequently advised the mediator that the hospital’s response was unsatisfactory.

[10]  As mediation did not resolve the complaint, the file was transferred to adjudication, where I decided to conduct a review of the complaint. During my review, I sought and received representations from both parties, and shared these in accordance with this office’s Code of Procedure for Access and Correction Complaints under PHIPA and Practice Direction Number 3. I also sought additional representations from the parties in order to provide them with the opportunity to clarify their positions and address issues raised in each other’s responses.

[11]  The issue before me is whether the hospital has fulfilled its obligations under the Act  in responding to the complainant’s request for access.

[12]  In this decision and for the reasons that follow, I find that the complainant is entitled to access information about him that can be extracted by the hospital in readable form through the creation and application of custom software queries. This includes information that can be viewed by staff using the hospital’s electronic systems, but also extends to information housed in each system’s databases that is not normally displayed and which can be extracted in a readable form through custom software queries. I will use the term “reporting views” to describe this information.

[13]  I find that the complainant is not entitled to access raw data in native format, including data collected by medical devices and instruments, that cannot be so extracted. He is also not entitled to access HL7 data.

DISCUSSION:

Is the information sought by the complainant covered by the definition of “records of personal health information”?

Background

[14]  Section 52(1) of PHIPA  provides an individual with a right of access to records of personal health information that are about the individual and in the custody or under the control of a health information custodian, subject to the exemptions listed in sections 52(1)(a) to (f) and exclusions listed in section 51. “Personal health information” is defined as “identifying information about an individual in oral or recorded form”, relating to specified subjects (section 4). In turn, “identifying information” is information that identifies an individual or for which it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify an individual.

[15]  While section 52(1) of PHIPA  confers a broad right of access to records of personal health information, that right of access may be limited if a record is not dedicated primarily to the information of the person requesting access:

52(3) Despite subsection (1), if a record is not a record dedicated primarily to personal health information about the individual requesting access, the individual has a right of access only to the portion of personal health information about the individual in the record that can reasonably be severed from the record for the purpose of providing access.

[16]  Also relevant to my determinations is the definition of a “record” under the Act , which means a “record of information in any form or in any medium, whether in written, printed, photographic or electronic form or otherwise, but does not include a computer program or other mechanism that can produce a record.”

[17]  The first question I must answer is what are the “records of personal health information” to which the complainant has a right of access. In this case, the hospital provided the complainant with the contents of his centrally stored electronic health record, all diagnostic images in industry standard DICOM format, and the electronic health record from the hospital’s Family Health Team. The hospital states that together, these constitute the complainant’s complete health record as maintained by the hospital and, accordingly, takes the position that it has met its obligation to provide the complainant with access to his health records.

[18]  What the hospital has not provided the complainant, and what he seeks, is the underlying raw data from which the information in the health record is derived, such as in medical devices or databases associated with each electronic system. In addition, the complainant seeks any information relating to him contained in HL7 files (which I will describe below).

The hospital’s electronic systems

[19]  In order to better understand the context of this complaint, I requested particulars from the hospital about the electronic systems in which information about the complainant may reside. Excluding the complainant’s central health record in Soarian, I provide, below, a description of the hospital’s systems combined with a description of whether any personal health information recorded on these systems remains in issue in this review:

Montage, PS Suite, and CognisantMD Ocean Wave

[20]  Montage Search and Analytics is a radiology data mining and analytics solution for use by department heads, radiologists, researchers, and educators. Patient reports are stored and catalogued in the system for later analysis. The information in the system consists of copies of radiology reports that are available in the hospital’s main health record.

[21]  PS Suite is the hospital’s family health team EMR system, which is used for patient care and reporting within the family medicine department. The data is stored in an Oracle database service that is accessible through the PS Suite application. The hospital states that PS Suite may also contain medical reports and results, notes typical of a family practice, and scanned results from various sources, including external providers, such as laboratories. None of the family medicine information is copied or transferred to the hospital’s main health record. The hospital has provided the complainant with all relevant PS Suite records.

[22]  CognisantMD Ocean Wave is an online, mobile, patient information survey tool used by the hospital for health equity purposes, and to collect patient health status information such as pain levels, exercise etc. Once a patient completes a survey, the information is transferred to the family health team’s EMR, PS Suite, but not to the main hospital health record. The hospital states that no patient information is retained in this system.

[23]  Based on the hospital’s descriptions, the complainant has already been provided with the information in the Montage, PS Suite and CognisantMD Ocean Wave systems, through receipt of records from the central health record and PS Suite. It is unnecessary for me to address the above systems in this decision, and the remaining discussion therefore does not include these systems.

Access Database

[24]  The Access Database contains data that facilitates process improvement for patients’ primary care, such as recalling patients for overdue cancer screening, streamlining routine diabetes visits, and following-up with patients that have been discharged by the hospital. The data is stored in spreadsheets using Microsoft Access. The hospital provides the following details about each of the three databases that comprise this system:

• Cancer screening database: The information is typically generated from the main health record. Any relevant clinical details are transferred to the main health record as necessary for clinical care. The hospital advises that the only information that may be contained in this database that has not been copied in full to the main health record and/or already provided to the complainant in full is information about staff calls that were made to patients at the beginning of the initiative.
• Diabetes database: The information is generated from the main health record. The hospital advises that there is no information about the complainant in this database that has not been copied in full to the main health record and/or already provided to the complainant.
• Discharge follow-up database: The hospital advises that relevant clinical details are transferred to the main health record as necessary for the provision of safe clinical care; however, details about a patient’s discharge, including attending physician, location within the hospital, discharge diagnosis, date, outcome of the phone call to book a follow-up appointment, and responses to a questionnaire are not copied to the main health record.

[25]  With respect to the Access Database, the hospital has not indicated that compiling the complainant’s information from this database and providing it to him would require extraordinary effort, and it appears from its submissions that it is prepared to do so. The following discussion also excludes this database.

Carestream PACS, EP Care, MUSE, Xcelera, Syngo Workflow

[26]  Carestream PACS is a picture and archiving communication system, which stores clinical medical images (CTs, MRIs, Ultrasounds, etc) and associated orders and reports for procedures performed in the hospital’s Medical Imaging Department. The hospital provided the complainant with the images and reports in this system.

[27]  EP Care is the hospital’s cardiac and electrophysiology system, which stores information pertaining to cardiology-related services, including patient visits, registration information, scheduling and appointments, and medical documentation.

[28]  MUSE is the hospital’s electrocardiogram (ECG) management and reporting system, which stores information about registration, test orders, medical documentation, the results of ECG tests, and physician’s interpretations of ECG data. Interpretations of the ECG data are copied to the main health record, but data points from the ECG readings are stored in MUSE only.

[29]  Xcelera is the hospital’s cardiology ultrasound management and reporting system, which collects, uses and retains information including patient and visit data as it relates to ultrasound (eg. registration and order information), medical documentation, and physicians’ interpretations of cardiology ultrasound data. As with MUSE, any interpreted results are copied to the main health record, while the underlying data (such as DICOM ultrasound images and other supporting measurements) are stored only in Xcelera.

[30]  Syngo Workflow is a radiology information system that is used by the medical imaging department to store patient radiological data that is used for patient care, such as exam tracking data, scheduling, orders, and results. Any patient that has had an exam in the medical imaging department will have information stored in Syngo Workflow. The hospital advises that the information in Syngo Workflow is the source of the medical imaging reports that are in the hospital’s main health record.

[31]  The complainant has received information about him from the Carestream PACS, Syngo Workflow, EP Care, Muse, and Xcelera systems, insofar as that information was incorporated into his central health record, or provided in DICOM images. However, he has not been provided with information remaining in those systems that is available to the hospital through reporting views, but not incorporated into the central health record. The hospital provided estimates of the staff time and cost required to write custom software queries to retrieve information about the complainant from each of these systems. The estimates range from $600.00 to $5,250.00.

HL7

[32]  The complainant has also specifically requested that he be given access to “HL7 data”. The hospital explains that HL7 is the protocol used to transport data between its various systems as a patient interacts with those systems. For example, an order message encoded in HL7 is sent to Xcelera, described above, when an ultrasound test is requested, and a result message encoded in HL7 is sent to the viewing system from Xcelera when a report is ready for viewing.

[33]  The hospital explains that once an HL7 message is acknowledged by a receiving system, the message is logged in a daily file, which contains messages of all patients. The messages are retained in an individual file for seven days, after which they are combined into a monthly file, which is archived for seven years. A message related to any individual patient is stored among thousands of messages.

[34]  The hospital states that there is no personal health information in the HL7-formatted data that is not already available in the records identified in the three program areas (medical imaging, cardiology, and family health team), or in the complainant’s health record as the data in HL7 messages is extracted from these originating systems. In terms of the relationship between HL7 data and a health record, the hospital advises that an HL7 message is a subset of data contained in the health record in a given system, and that the data that is sent is the information needed for the receiving system to process the message.

[35]  The hospital states that extensive resources would be required to extract HL7 data pertaining to the complainant and, even if the fees were covered, the work required would considerably interfere with the hospital’s operations. The hospital stated that in order to provide the complainant with the requested HL7 data, it would be required to carry out the following steps:

1. A large enough computer device (a “server”) would have to be allocated or purchased in order to hold the data to be searched, and to ensure that computerized searching would not interfere with regular hospital operations;
2. The correct archive files would have to be identified and reloaded onto the allocated server, to render them searchable;
3. Programming and/or procedures would have to be written, tested and implemented to extract the complainant’s HL7 data from the millions of records involved; and
4. The resulting HL7 data that pertains to the complainant would need to be formatted, secured, packaged and delivered to the complaint, in accordance with specifications.

[36]  The hospital initially estimated that the costs associated with carrying out the above-mentioned steps would amount to approximately $18,000 (describing this as a conservative estimate). In subsequent submissions, it stated that to undertake this request would impact at least nine current projects at the hospital, and would require an estimated 228 hours of work and $21,500.00. Further, it also estimated that it would take approximately one year to complete the project in a manner that would not risk disrupting its critical ongoing operations.

Representations

[37]  As stated above, PHIPA  provides individuals with a right of access to records of personal health information about them in the custody or control of a health information custodian. I repeat for convenience the definition of a “record” in section 2 of PHIPA :

“record” means a record of information in any form or in any medium, whether in written, printed, photographic or electronic form or otherwise, but does not include a computer program or other mechanism that can produce a record;

[38]  On this question, the hospital distinguishes between information contained in “reporting views” available to it within the various systems, and data beyond the reporting views in the “depths of each vendor’s system architecture.” With respect to the latter, the hospital submits that it is not required to provide access to raw data under PHIPA . The hospital acknowledges that under PHIPA , records of personal health information will extend beyond the typical patient chart to include other places where the hospital holds personal health information. However, the hospital submits that neither the common law nor PHIPA  have dealt with the right of access to personal health information found in its native format on underlying devices for transitory purposes.

[39]  The hospital states that, in its view, the complainant is asking for data, not information. It states that permitting access to raw data in native format goes beyond a plain reading of the Act and its legislative intent and will ultimately change the face of access requests. The hospital submits that accessing raw data in its native format may require the translating program or mechanism from a vendor so as to render the data readable. The hospital takes the position that access requests for mechanisms that enable data to be read are beyond the scope of PHIPA , and that there is no guarantee that vendors would agree to produce the data, especially given the potential for revealing proprietary information. The hospital also submits that demanding a public hospital to require its vendors to produce raw data in native format beyond what is available in the viewing records raises the question of whether such records/data are really in the hospital’s “custody and control”, as required by the Act .

[40]  In its description of its systems, the hospital also notes that to obtain raw data from a system housed in a medical device would require stopping scanning equipment, thus impeding patient care.

[41]  The complainant urges me to find that he has a right of access to raw data. He states that the content contained in some hospital records is derived from other records. He submits that while the hospital has provided some records of derived data, it has not provided the underlying raw data that was used to compile those records. According to the complainant, raw data is the data produced by diagnostic instruments, which then typically cascades through multiple analytic stages, and therefore has important consequences when it comes to the completeness, quality, and correctness of any derived records. The complainant states that for this type of information, the responsive information would be contained in bytes of the related computer file systems and their backups.

[42]  The complainant takes the position that absent the requested raw data, any summary or derived records are otherwise incomplete, thereby frustrating his right to obtain access to information that is “as accurate, complete and up-to-date as necessary for the purposes of disclosure”, as provided for in section 11 of PHIPA . He also submits that absent being provided access to the requested raw data, he is denied the opportunity to review the records for correctness and to report and request corrections to any identified errors, as provided for in section 55 of PHIPA .

[43]  The complainant notes that the hospital shares electronic health records with partner healthcare providers by participating in the ConnectingGTA (cGTA) data-sharing project. He submits that the information contained in the electronic health record would typically be exported in multiple computer data files for sharing purposes, each conforming to various industry-defined specifications. He submits that any record that is available through cGTA, or similar data-sharing systems, is responsive to the request and therefore must also be available to the individual who requests it. The complainant states that those records must be disclosed in the same format that it is transmitted in within the data-sharing system. The complainant suggests that the hospital could make such information available by offering requesters access to the cGTA service on the hospital premises. The complainant states that the cost of such access would be minimal because the necessary infrastructure is already in place.

[44]  The complainant submits that the hospital’s perceived difference between data and information is a needless distraction. He states that information is acquired through the interpretation of data, which is contained in records. He submits that PHIPA  grants patients the right to access records of their personal health information, and that he has requested access to records to make his own interpretations of the data contained therein.

[45]  The complainant takes the position that there is a clear industry and societal direction toward empowering patients through access to their personal health information. He submits that PHIPA  gives control to patients by providing for access to one’s own personal health information, thereby allowing patients to analyse their records and use them for their own benefit, as they see fit. The complainant submits that, in contrast, the hospital is advocating for a more restrictive model in which a custodian controls what patients see and how a patient can or cannot use their personal health information.

[46]  Finally, the complainant addresses the hospital’s concerns about the consequence of other individuals making similar requests for their personal health information. The complainant submits that if everyone made similar access requests, then providers would deploy truly patient-centric systems that empower patients through access to their records. He submits that it is only a matter of time until everyone can exercise their inherent right to access their records of personal health information, and when that day arrives, we will have a healthcare system that complies with PHIPA .

Decision

[47]  Although the hospital seeks to make a distinction between a record of “data” and “information”, I do not find support in PHIPA  for such a distinction. The definition of a record is broad, stating that it is a record of information “in any form or in any medium”, excluding only a computer program or other mechanism that can produce a record. The raw data at issue cannot itself be considered a computer program or other mechanism, although it may require a computer program or other mechanism to retrieve it.

[48]  The definition of “personal health information” is also broad enough to encompass “data” within an electronic system. The hospital does not disagree that patient information within these systems is associated with identifiable patients, through patient names or other identifiers. Given this, I again am unable to find a basis for distinguishing between identifying “data” and “information”.

[49]  I also bear in mind that the consequence of excluding raw data about identifiable patients from the definition of personal health information is that the privacy protections in the Act  would not apply to it. Health information custodians would not be obliged to comply with the safeguards and standards required by the Act  in their handling of the data. I find it unlikely that the Legislature would have intended such a result, especially given the fact that PHIPA  specifically contemplates that health information custodians will use electronic means to collect, use, modify, disclose, retain or dispose of personal health information.

[50]  I therefore conclude that raw data is included in the definition of a record of personal health information within the meaning of PHIPA .

[51]  In reaching this conclusion, I acknowledge the legitimate concerns raised by the hospital about the implications of treating raw data as records of personal health information to which a right of access applies. Those concerns are based on the potential interference with its operations of providing access to raw data, the cost and effort of extracting the data, the readability and usability of such data, the possibility that raw data in native format may not be readable without vendor-specific support, as well as potential third party proprietary rights over such data. While I find that these concerns do not support a narrow definition of a record of personal health information that excludes raw data, they are relevant to an assessment of whether the records are dedicated primarily to the complainant’s personal health information and, if they are not, whether his personal health information can be reasonably severed for the purpose of providing access.

[52]  Some of these concerns can also be addressed through the hospital’s right to reasonable cost recovery for providing access to records of personal health information under sections 54(10) and (11) of PHIPA .

Are the records “dedicated primarily” to the personal health information of the complainant?

[53]  As indicated above, section 52(3) qualifies the right of access under PHIPA , where personal health information of an individual is found in a record that is not dedicated primarily to that information. I asked the parties to address the potential application of this section in their submissions.

[54]  In applying section 52(3), I must first determine what “records” are at issue. Each of the electronic systems described above has its own set of databases holding information that has been collected by the system, in which information about the complainant is pooled with that of others. Whether data relating to the complainant is found in databases in an electronic information system, in raw data collected by electronic devices, or in the HL7 message archive, the extraction of data relating only to the complainant requires, at a minimum, the creation and application of software techniques to search for and assemble that data. Until these steps are taken, the data of the complainant does not exist as a separate and coherent body of information. In the circumstances, for the purposes of this decision, I view each database housed within each of the above referenced systems, each repository of raw data within a device, and the whole of the HL7 archive, as a “record” for the purpose of section 52(3).

[55]  The next question I must answer is whether each of these records is dedicated primarily to the information of the complainant. In PHIPA Decision 17, I discussed the approach to determining whether records are dedicated primarily to personal health information about an individual. In addition to the quantity of the record that is devoted to the information of one individual, other factors which ought to be considered include:

• whether the personal health information of the individual is central to the purpose for which the record exists;
• whether the record would exist “but for” the personal health information of the individual in it;
• whether the record is qualitatively related to other matters, for example, scheduling, legal advice and strategies for communicating with the complainant;
• whether the record was created in the usual course of clinical interaction; and
• whether the record arises indirectly and several steps removed from the actual clinical experience.

[56]  In this case, I find that the electronic databases in which the complainant’s information is found are not dedicated primarily to his information. Each of them pool his information together with that of many other patients. The complainant’s own personal health information is not central to the purpose for which each database exists as they would exist regardless of whether they contain the complainant’s information. I come to the same conclusion with respect to raw data in medical devices, and the HL7 message archive.

Can the complainant’s personal health information be reasonably severed?

[57]  Under section 52(3), where a record is not dedicated primarily to the personal health information of the individual seeking access, the right of access applies only to the individual’s personal health information that can be reasonably severed from the record. The Act  does not elaborate on what constitutes “reasonable severability”. One principle that has emerged from decisions of this office and the courts is that information that would comprise only disconnected or meaningless snippets is not reasonably severable and such snippets need not be released. [2] In this regard, an important consideration is whether the degree of effort to sever the record is proportionate to the quality of information remaining in the record. In Montana Band of Indians v. Canada (Minister of Indian and Northern Affairs), 1988 CanLII 5630 (FC), for example, the court concluded on the facts before it that “[t]he effort such severance would require on the part of the department is not reasonably proportionate to the quality of access it would provide”.

[58]  In determining whether data relating to the complainant can be reasonably severed from the rest of the record, I find it relevant to consider the burden imposed on the hospital to extract the data, and the nature and quality of any extracted data. Some of the facts germane to my analysis are:

• The extraction of information relating only to one patient requires, at a minimum, the development of custom software queries;
• The hospital has estimated the time and cost for its own staff to develop custom software queries to extract information available to the hospital through reporting views;
• However, it has not done so for data that is not available to it through reporting views as extraction of that data would require support from the vendors of each system;
• It has also not done so for raw data that may be housed in the medical devices in which it was originally collected;
• Medical devices generate certain raw data (which the hospital describes as “diagnostic metadata”) in order to process results but such metadata is not stored on a long-term basis, and typically only up to 7 days;
• The extraction of raw data from medical devices would require stopping the equipment;
• Raw data in native format may require a translating program or mechanism from a given vendor to render the data readable as it is collected for machine to machine processing;
• HL7 data is different from diagnostic metadata in that it is a protocol, or format, used to transfer data from certain hospital systems to others, for example, to transmit lab test orders from the main clinical system to the ancillary lab system;
• HL7 data consists of encoded messages – like the raw data collected by medical devices, it is not generated to be read by humans, but to be processed by machines.

[59]  One distinction that arises from the above facts is that the hospital is able to extract some data from these systems through custom software queries against reporting views. However, there is other data that the hospital cannot extract by its own efforts. Extracting the data, whether in its native format or in readable format, would require assistance from the vendors who service and support the software. In other words, some of the data the complainant seeks is not reasonably available even to the hospital. It is data used in machine processing and not intended to be used by hospital staff. In considering the scope of what personal health information can reasonably be severed from these records within the meaning of section 52(3) of PHIPA , in my view this distinction is key.

[60]  Having regard to the evidence before me, I conclude that where the extraction of the complainant’s information can be done through the development of conventional custom queries by hospital staff, based on information in reporting views available to the hospital, the complainant’s information can be reasonably severed for the purpose of section 52(3) of the Act . The hospital’s obligation to provide access to this information, if the complainant wishes to pursue it, is met by providing him with the results of such queries. The information need not be in native format, but can be in the format in which those results are generated through such queries.

[61]  This finding applies to information in the following systems: Carestream PACS, Syngo Workflow, EP Care, Muse, and Xcelera. As I have indicated, the hospital will be entitled to reasonable cost recovery in providing access. If the complainant disagrees with the fee charged by the hospital as reasonable cost recovery, he may further complain to this office.

[62]  However, on the facts of this case, the complainant’s right of access does not require the hospital to extract raw data in its native format, whether it be housed in equipment, systems, or in the pool of archived HL7 messages, where the hospital cannot itself extract this data through custom software queries to reporting views. In these instances, having regard to the circumstances described above, the complainant’s personal health information is not reasonably severable within the meaning of section 52(3).

[63]   This interpretation of the right of access in PHIPA  is consistent with one of the primary justifications for providing individuals with a right of access to records of their own personal health information. Both the Supreme Court of Canada’s decision in McInerney v. Macdonald [3] (which established the right of access to medical records based on physicians’ fiduciary duties) and the Krever Report [4] (the seminal report on health privacy in Ontario) refer to the importance of reciprocity of information between the patient and the physician. My interpretation in this case ensures that the complainant has access under PHIPA  to the same information viewed by, or available to, those providing health care to him. However, the complainant cannot obtain raw data that the hospital itself cannot reasonably utilize through reporting views available to it.

[64]  With respect to HL7 data in particular, I accept that significant staff time and resources would be required to extract the messages related to the complainant that were sent between the hospital’s different systems. The complainant disputes the level of cost the hospital estimates for this work but, regardless of the precise figure, I accept on the evidence that the effort required to provide access would be considerable and would constitute a considerable interference with the hospital’s operations. In these circumstances, I find that the complainant’s personal health information in HL7 format is not reasonably available to the hospital itself. On this basis, it cannot be “reasonably severed” within the meaning of section 52(3).

[65]  The complainant submits that section 52(3) was intended to address situations where records concerning two or more individuals are intertwined from the outset due to the nature of the generating encounter. He submits that this is not relevant for the information requested, as none of the responsive records were intermingled with the personal health information of other individuals at the outset; rather, the personal health information was intentionally pooled by the hospital after its initial collection. The complainant submits that it is the hospital’s deliberate actions that have made his personal health information difficult to extract, and that it would be unfair to allow the hospital to benefit from this contrived non-severability.

[66]  I have no reason to believe that the hospital’s actions and the manner in which raw data is held in its systems are not consistent with ordinary and conventional electronic information management practices in the health sector, or were effected in an attempt to subvert access. In these circumstances, and given the breadth of information the complainant has been provided with and may pursue as a result of this decision, I do not view the access rights under PHIPA  to require extraction of raw data not available through the hospital’s reporting views.

Did the Hospital conduct a reasonable search for the complainant’s personal health information records under section 54(1) of the Act?

Background

[67]  Subsection 54(1) of PHIPA  provides, in part, that a health information custodian that receives a request from an individual for access to a record of personal health information shall,

(a) make the records available to the individual for examination and, at the request of the individual, provide a copy of the record to the individual and if reasonably practical, an explanation of any term, code or abbreviation used in the record;

(b) give a written notice to the individual stating that, after a reasonable search, the custodian has concluded that the record does not exist, cannot be found, or is not a record to which this Part applies, if that is the case[.]

[68]  A reasonable search is one in which an experienced employee, knowledgeable in the subject matter of the request, expends a reasonable effort to locate records which are reasonably related to the request. [5] The Act  does not require the custodian to prove with absolute certainty that further records do not exist. However, the custodian must provide sufficient evidence to show that it has made a reasonable effort to identify and locate responsive records. [6] To be responsive, a record must be "reasonably related" to the request. [7]

[69]  I may order a further search be conducted if the custodian does not provide sufficient evidence to demonstrate that it made a reasonable effort to identify and locate all of the responsive records within its custody or control. [8]

Representations

[70]  In this case, the hospital states that it engaged its Health Information Management Department, Department of Community and Family Medicine, and Department of Diagnostic Imaging to provide a complete copy of the centrally stored electronic health record pertaining to the requester for the period of time in question. The hospital also provided a complete copy of the electronic health record pertaining to the complainant’s Family Health Team visits, and the Department of Diagnostic Imaging produced a DVD of the complainant’s diagnostic images.

[71]  Together, the hospital understood these three components: the centrally stored electronic health record, the Family Health Team electronic record and the DVD of diagnostic images, to constitute the complainant’s complete health record maintained by the hospital. It indicated that the records provided to the complainant included all the information that the hospital relies on and/or communicates to others for the purposes of the complainant’s care and treatment. These records constitute the hospital’s repository of information regarding the complainant’s health and care and meet the record-keeping requirements of both the Act and the Public Hospitals Act. As indicated above, during the course of this complaint, the hospital also provided the complainant with a complete inventory of all of his hospital encounters.

[72]  In his representations, the complainant reiterates that he has requested “the raw electronic data” in its “native (machine readable) format”. He states that the responsive information would be contained in bytes of the related computer “file systems” and backups. The complainant takes the position that without underlying raw data, records derived from that data are incomplete; in every instance where a record was derived from raw data, the hospital should have searched for and provided him with the raw data. The complainant also notes that the hospital acknowledges that records in HL7 format exist, but those records have not been disclosed.

[73]  The complainant provided a list of his activities at the hospital which he states should have generated electronic records of personal health information. For instance, he refers to data about him which was collected by a monitor during a visit to the sleep disorders clinic. This data was subsequently collected and analyzed by the clinic. The complainant provides examples of other hospital encounters during which he believes data was created in an electronic system and should exist outside of the records that have been provided to him.

[74]  The complainant submits that custodians have a responsibility to organize records of personal health information in a conveniently searchable manner, and that to do otherwise has the effect of denying individuals the right of access that legislators intended they have. He submits that the hospital’s searches to date have been hampered by the fact that the hospital has not organized its records in the “systematic manner” as required by subsection 18(3)(b) of the Medicine Act, 1991, General Regulations, [9] such as in a single patient file as recommended by the College of Physicians and Surgeons of Ontario. [10] He submits that the hospital admits that patient records may be in any of many repositories, and that it is inconsistent with the legislative intent to allow a health information custodian to avoid disclosure by failing to organize its records in a conveniently searchable manner.

[75]  The complainant also refers to section 20 of the Medicine Act, 1991, General Regulations, which provides:

20. The records required by regulation may be made and maintained in an electronic computer system only if it has the following characteristics:

[…]

2. The system provides a means of access to the record of each patient by the patient’s name and, if the patient has an Ontario health number, by the health number.

3. The system is capable of printing the recorded information promptly […]

[76]  The complainant submits that all records corresponding to a patient must be accessible by patient name and Ontario health number, and that such a search must promptly return all records under the control of a health information custodian, not merely a subset of records held by, for example, a department or clinic. The complainant states that the hospital should confirm whether its systems fully comply with the requirements of the Medicine Act , and that searches by his name and health number were conducted and the results were fully disclosed. The complainant submits that the hospital should not be able to rely on a failure to comply with the requirements of the Medicine Act  as a justification for avoiding lawfully required disclosure.

[77]  The complainant raises a concern about the possibility that the hospital’s inadequate search practices may allow for some records of his personal health information to be destroyed, despite section 13(2) of PHIPA , which provides for deferred destruction of records that are subject to an access request under the Act . The complainant submits that as a result of his belief that additional responsive records should exist, he should be able to request that the hospital check for potentially responsive records within batches of records that are slated for destruction.

[78]  Based on these and other submissions, the complainant states that the hospital has not been able to conduct a reasonable search, and therefore has not discharged its obligations under subsections 53(3) and 54(1) of the Act . The complainant argues that this inadequate search risks denying him:

• the right to accurate and complete records;
• the possibility of exercising his right to correct errors contained in the records;
• the right to fully participate in the management of his own medical records; and
• the right that legislators unambiguously intended him to have, being the right to access all records of his personal health information.

[79]  The complainant therefore asks that a new or additional search for responsive records be conducted.

[80]  In addressing its obligations to conduct a reasonable search, the hospital submits that there are three possible approaches to searching for a requester’s personal health information. The first approach is to generally identify repositories and devices that collect personal health information from patients. The second approach, and the approach used by the hospital, is to start with an encounters inventory of the requester to determine their clinical path through the hospital, and any associated collections in systems or devices that may have occurred. The third approach is to circulate a broad query naming the requester and asking everyone to conduct individual searches at the provider level. While this option was considered by the hospital, the hospital submits that it would not undertake such an approach without express instruction from a requester, as the hospital is concerned that a requester may find this approach intrusive. I agree that such an approach would result in the hospital disseminating a requester’s identity to potentially scores of hospital personnel.

[81]  During the course of this complaint, and despite its position that it has provided the complainant with his complete health record, the hospital initiated a review of its various clinical applications and data repositories to determine where other data about the complainant may still reasonably reside, using the inventory of the complainant’s encounters as the basis of this further investigation. In providing the results of this review, the hospital explained that it recognizes that raw data in native formats from underlying systems such as medical devices will be generated. However, data in diagnostic modality equipment is not stored on a long-term basis, typically only up to 7 days. With this in mind, the hospital’s staff compared the list of applications and repositories against the complainant’s encounters inventory to assess where the complainant’s information may exist. This review resulted in the list of applications and databases described at the outset of my decision.

[82]  The hospital submits that it has employed multiple steps, engaged with multiple staff, and dedicated numerous resources to respond to the complainant’s request. The hospital has worked with clinical and administrative staff, engaged privacy and health records personnel as co-leads, and relied on its IT personnel and individual program areas. The hospital submits that all employees engaged in the search for responsive records were experienced, knowledgeable in their subject matter, and acting in good faith.

[83]  The hospital invited the complainant, if he is not satisfied, to provide further details about additional locations to search, stating that while it can appreciate that he may not be able to pinpoint a database, he may otherwise be aware of a clinical encounter where information was collected elsewhere.

[84]  The complainant was provided with the hospital’s representations in their entirety and invited to respond to them. In his additional submissions, he clarifies that he is not advocating that the hospital adopt a single patient record, but rather that search results should be commensurate with results that would be produced by searching a single patient record. In response to the hospital’s submission that the complainant did not provide sufficient detail that may have assisted with the hospital’s search, and its invitation to provide further detail, the complainant states that he has requested “all” records and suggests that should be sufficient.

Decision

[85]  Based on the information before me, I find that the hospital’s account of the steps taken in response to the complainant’s request demonstrate reasonable and, indeed, extensive, efforts to locate and provide him with his records of personal health information. It provided the complainant with his central health record, family health team records, and diagnostic images. It also provided him with an inventory of all his hospital encounters. Although initially, the hospital was reluctant to consider extending its search beyond these records, it conducted a review of all the systems and data repositories that may hold personal health information, identified the ones likely to be relevant to the complainant’s request (based on his encounter inventory), and provided information about the work and cost required to extract data from those.

[86]  The hospital’s review was performed in recognition of the scope of the complainant’s request – that it included raw data in native format – and having regard to the submissions he made in support of this complaint. There is no single right way to conduct a search, and I am satisfied that the method employed by the hospital, namely, to determine the complainant’s clinical path using an encounters inventory, and then to search any relevant systems or devices, was a reasonable approach to locating records responsive to his request.

[87]  The hospital was presented with a novel request. For one, extending the search into clinical systems and data repositories beyond those previously searched would have required, at a minimum, the creation of custom queries. The creation of custom queries in itself involves effort and expense for which there was no precedent for the hospital’s right to reasonable cost recovery. Second, the hospital legitimately queried whether HL7 data and data that is not available to it through reporting views is subject to the complainant’s right of access and, by this decision, I have confirmed that it is not.

[88]  It may be argued that the hospital’s initial approach to the complainant’s request was inadequate, in that it was unwilling to consider repositories of data outside of the central health record in its searches. Even if that were the case, through the course of this complaint the hospital took further steps which ultimately amounted, for the most part, to a reasonable search.

[89]  As I indicate above, in his representations, the complainant provides a list of activities or types of data about him which he states should be in the hospital’s electronic records. The hospital responded to these representations by describing all of its systems which, in its assessment, could reasonably hold the complainant’s data. It also explained the basis on which it arrived at this information, although it did not address the complainant’s list directly. In responding to the hospital’s submissions, the complainant did not give specific reasons to support his belief that additional records in relation to his list of items exist.

[90]  To the extent the hospital’s approach to the search was based on a review of the complainant’s clinical encounters, its search would have considered the location of any data that might have been generated as a result of those encounters. Its search was also taken having regard to the complainant’s submissions. I am satisfied that, with one exception described below, the complainant’s list does not cast doubt on the reasonableness of the search. I note that some of the items on the list are in the nature of raw data to which I have found he has no right of access because of the application of section 52(3). Given this finding, whether or not the hospital’s inventory of data repositories could have included any medical devices that may have collected raw data for processing, I see no purpose in requiring the hospital to conduct a further search for such data.

[91]   The one area which I do not find adequately addressed by the hospital’s submissions is any billing information that may exist in relation to the complainant. This is an item on the complainants list that may not have been captured by a search based on following the path of clinical encounters, and would likely contain the complainant’s personal health information. As a result, I will direct the hospital to conduct a further search for records, specifically in relation to billing information about the complainant, and issue an access decision if any such information is found. If it seeks to recover the costs for providing access, it must issue a fee estimate.

[92]  In arriving at my conclusions in this case, I have considered the complainant’s submissions (including those not specifically set out here). With respect to the requirements of the Medicine Act , and without determining whether the obligations under that statute apply to the hospital, if the complainant is suggesting that all raw data in the hospital’s electronic systems is subject to those requirements, I see no basis for that conclusion. Moreover, I see no basis for concluding that the search methods employed by the hospital were unable to produce results commensurate with what would be produced by searching a single patient record. I am satisfied that search methods used and/or proposed by the hospital are able to produce a complete holding of what I have determined to be records of personal health information for the purposes of the Act .

[93]  I have also considered the complainant’s submission that all raw data in diagnostic instruments and elsewhere, from which the information in his health record is derived, should be considered part of his health record to which he has a right of access in order that he have the opportunity to seek correction. The complainant points to a concern that data errors can be introduced at any stage and links the necessity of giving patients access to raw data with their ability to seek correction of their health information. The complainant provides an example of a data entry error which led to incorrect information about mammograms being sent to a group of patients of a hospital.

[94]  In considering this submission, I emphasize that a requester’s right to seek correction of their records of personal health information is limited by the language of section 55(1) of PHIPA , which states:

55. (1) If a health information custodian has granted an individual access to a record of his or her personal health information and if the individual believes that the record is inaccurate or incomplete for the purposes for which the custodian has collected, uses or has used the information, the individual may request in writing that the custodian correct the record.

[emphasis added]

[95]  Based on the wording in section 55(1), a requester’s right of correction is limited to records to which he or she has a right of access. In turn, the right of access under PHIPA  is not unlimited. Apart from the exemptions and exclusions described in the Act , PHIPA  also contemplates the possibility that a right of access may be restricted where an individual’s personal health information is not reasonably severable from a record that is not dedicated primarily to the personal health information of that individual. In this case, I have discussed the meaning of reasonable severability in the context of the different types of electronic data that may be held in the hospital’s systems and applied section 52(3) to delineate the scope of the hospital’s obligation to provide access to that data.

[96]  For the reasons above, I have determined that the complainant does not have a right of access to underlying raw data that the hospital cannot itself extract through custom software queries to reporting views. To the extent the hospital will be able to extract additional electronic data from its systems (Carestream PACS, Syngo Workflow, EP Care, MUSE, and Xcelera) through custom queries in compliance with this decision, then the complainant will have a right of correction with respect to those records (subject to the limitations imposed in the Act ).

[97]  Further, and in any event, there is nothing before me to suggest that any data errors in raw data would not be otherwise detectable and correctable in the records derived from this data, to which the complainant has a right of access.

Conclusion

[98]  I find that the complainant has a right of access to data about him that may be extracted through custom software queries against reporting views as described by the hospital. This right of access is subject to the hospital’s right to reasonable cost recovery (provided it issues a fee estimate) in connection with this work.

[99]  In order to ensure clarity about the information that will be available from these systems and the cost of extracting that information, I will order the hospital to issue an interim access decision and fee estimate covering the following systems:

• Carestream PACS
• Syngo Workflow
• EP Care
• Muse
• Xcelera

[100]  If the complainant wishes to dispute the fee estimate, he may file a further complaint with this office, which will be dealt with in an expedited manner.

[101]  In any event, given the hospital’s submissions, I will direct it to provide the complainant with the information relating to him in the Access Database.

[102]  I will also direct the hospital to conduct a further search and issue an access decision as described above.

ORDER:

For the foregoing reasons, I order the hospital to:

1. Issue or confirm its fee estimate in relation to the above-listed systems by October 30, 2017;
2. Provide the complainant with the information relating to him from the Access Database by October 30, 2017;
3. Conduct a further search for the complainant’s billing information, treating the date of this decision as the date of the request.

Original Signed by:		September 29, 2017
Sherry Liang
Assistant Commissioner