
PHIPA DECISION 62

HC14-112 and HC15-14

Group Health Centre

December 1, 2017

Summary: These complaints allege that a physician accessed records of personal health information of two related individuals, without authorization and contrary to the Personal Health Information Protection Act. In response to the complaints, the community health centre in which the physician’s practice is located implemented a number of measures to better safeguard the privacy and security of its patients’ health information. It entered into an agreement with another corporation, in which the physician is a shareholder, clarifying responsibility for patient health information in the electronic medical record used by physicians practicing at the centre. In view of these changes, this decision determines that while the health centre did not comply with its obligations under section 12(1) at the time of the events, it is not necessary to issue any orders against it. Further, while there was no dispute that the physician’s accesses to the complainants’ personal health information were unauthorized, the evidence does not lead to a conclusion that the physician disclosed the complainants’ personal health information in contravention of the Personal Health Information Protection Act.

Statutes considered: Personal Health Information Protection Act, 2004, sections 2, 3(1), 6(1), 12(1), 17.

INTRODUCTION:

[1]  In the fall of 2014, two individuals raised suspicions with the Sault Ste. Marie and District Group Health Association (operating as Group Health Centre) (GHC), about unauthorized access to personal health information held in the electronic medical record of GHC, by a physician having a family practice at GHC. The individuals, who are related, suspected that the physician had accessed the information of one of them and another family member, now deceased. As a result, GHC conducted audits of its electronic medical record, which confirmed a number of accesses by the physician, as suspected by the complainants. GHC concluded that the accesses were not authorized. During meetings with the individuals, GHC shared the results of the audit, its conclusion that the accesses were unauthorized, and recommended that they report the privacy breach to the College of Physicians and Surgeons of Ontario (CPSO) as well as to this office (IPC).

[2]  As a result, the individuals made complaints to the IPC under the Personal Health Information Protection Act, 2004 (the Act), and to the CPSO.

[3]  Based on the information gathered about these complaints, and summarized below, this office determined that Fera Medicine Professional Corporation, operating as Algoma District Medical Group (ADMG), is a person affected by these complaints, and it has therefore been given an opportunity to make representations on the facts and issues in these complaints under section 60(18) of the Act.

[4]  The physician against whom the allegations are made is a respondent in these complaints and was also given an opportunity to make representations on the facts and issues. I have not identified the physician in this decision, as doing so could reasonably lead to identification of the complainants.

Complaint #1

[5]  Complainant A was a patient of GHC, and is now deceased. A family member, who is authorized to act on behalf of the deceased’s estate, filed a complaint under the Act with this office alleging that the physician accessed complainant A’s personal health information without authority and contrary to the Act. Specifically, he alleges that the physician accessed the complainant’s records of personal health information on September 23, 2005; April 22, 2006; June 7, 2011; August 22, 2011; August 28, 2011 and March 31, 2014. The complaint also alleges that the physician disclosed the information to his family member.

Complaint #2

[6]  Complainant B is a patient of GHC, and is related to complainant A. Complainant B filed a complaint through the same family member representing complainant A, alleging that the same physician accessed her personal health information without authority and contrary to the Act. Specifically, the complainant alleges that the physician accessed her records of personal health information on April 12, 2003; September 23, 2005; April 22, 2006; May 9, 2006; June 7, 2006; August 21, 2006; September 4, 2006; and October 12, 2006. The complainant also alleges that the physician disclosed the information to the physician’s family member.

[7]  In this decision, references to “complainants” refer interchangeably to the complainants’ representative and the complainants themselves, as the context dictates.

[8]  The physician did not dispute the audit findings, although he states that he does not have any recollection of some of the accesses. He states that he did not disclose the information of either complainant to any other person.

[9]  The parties engaged in mediation of the complaints. No resolution was possible and the complaints were transferred to the adjudication stage of the process, along with a Mediator’s Report setting out information gathered by the mediator, positions taken by the parties and the issues in dispute.

[10]  As the adjudicator, I decided to conduct a review of the issues raised by the complaints. Among other things, given the different corporate entities and number of individuals sharing the electronic medical record (EMR), as well as the circumstances of these complaints, I wished to be satisfied that the relevant health information custodian was complying with the requirements of the Act with respect to the privacy and security of the information in the EMR. I also wished to receive the parties’ evidence on the complainants’ allegations about the disclosure of their personal health information. During the review, I received joint submissions from ADMG and GHC, as well as submissions from the physician and the complainants, which I shared with the others in accordance with the IPC’s process.

BACKGROUND

Relationship between GHC, ADMG and the physician:

[11]  ADMG and GHC are two corporations working together to provide multidisciplinary health care to patients in Sault Ste. Marie. ADMG is a professional corporation whose shareholders are licensed physicians. GHC is a non-profit charitable corporation that operates allied health programs and employs staff such as nurses and social workers, but does not employ the ADMG physicians. ADMG and GHC are co-located in a building owned by GHC, and share patients. Each is independently responsible for the provision of care to shared patients; GHC does not direct or supervise the medical care provided to shared patients by ADMG physicians. GHC personnel provide health care services to shared patients under medical directives issued by ADMG physicians.

[12]  GHC owns the EMR used by both the ADMG physicians and GHC personnel. GHC allows ADMG physicians access to the EMR through a computer network access policy agreement. The EMR includes health records for all joint GHC and ADMG patients. GHC is responsible for the security of, and for maintaining, this personal health information on behalf of both GHC and ADMG.

[13]  The physician is a shareholder in ADMG and operates a family practice located at GHC. He is not remunerated by GHC and receives funding for medical services directly from the Ministry of Health and Long-Term Care under a multi-party Funding Agreement between GHC, ADMG, the ministry and the Ontario Medical Association. GHC and ADMG describe him as “an independent contractor and shareholder providing medical services to ADMG.” GHC and ADMG describe the physician as an agent of ADMG and not of GHC, at the time of the events.

DISCUSSION:

[14]  It is not in dispute that the subject matter of these complaints is “personal health information” as defined in section 4 of the Act. The information accessed by the physician was the complainants’ electronic medical records of personal health information. That information included progress notes, problem lists, laboratory results and reports, counselling medical chart notes, health numbers, contact information and date of birth.

GHC is the health information custodian of the complainants’ records of personal health information

[15]  One of the issues raised by these complaints is who was the health information custodian at the time of the events, with responsibility for the privacy and security of the personal health information of the complainants. The relevant portions of section 3 of the Act, defining a “health information custodian”, state:

(1) “health information custodian”, subject to subsections (3) to (11), means a person or organization described in one of the following paragraphs who has custody or control of personal health information as a result of or in connection with performing the person’s or organization’s powers or duties or the work described in the paragraph, if any:

1. A health care practitioner or a person who operates a group practice of health care practitioners.

4. A person who operates one of the following facilities, programs or services:

vii. A centre, program or service for community health or mental health whose primary purpose is the provision of health care.

(2) Except as is prescribed, a person described in any of the following paragraphs is not a health information custodian in respect of personal health information that the person collects, uses or discloses while performing the person’s powers or duties or the work described in the paragraph, if any:

1. A person described in paragraph 1, 2 or 5 of the definition of “health information custodian” in subsection (1) who is an agent of a health information custodian.

[16]  Although they do not specify which part of the definition above applies to them, GHC and ADMG submit that they were both health information custodians who worked together in some (but not all) respects to provide coordinated care to shared patients. They state that they were both independent custodians of the personal health information of the complainants in the EMR at the time of the accesses. They also submit that the physician was an agent of ADMG with respect to that information.

[17]  The physician states that he was not a health information custodian in relation to the personal health information at issue in this complaint, and was likely an agent of GHC and/or ADMG.

[18]  The complainants submit that only GHC is a health information custodian in the circumstances of these complaints.

Analysis

[19]  None of the parties submit that the physician was a health information custodian in relation to the personal health information at issue. However, as described above, GHC and ADMG state that they were each a health information custodian in relation to that information.

[20]  The definition of a “health information custodian” begins with the identification of a person who has custody or control of personal health information, in connection with the performance of certain functions described in the Act. From that critical first step flows the other parts of the Act that set out the responsibilities of the custodian, such as responding to requests for access to health records, ensuring that information practices required by the Act are in place and followed, and protecting personal health information from, among other things, unauthorized uses or disclosures.

[21]  The evidence before me does not support the claim that ADMG and GHC were both health information custodians of the personal health information recorded in the EMR. Based on the information before me I conclude that, at the time of the events, GHC was the health information custodian with custody or control of the personal health information of the complainants. GHC was either the person who operated a group practice of health care practitioners or the person who operated a centre, program or service for community health or mental health whose primary purpose is the provision of health care. It was the owner of the EMR, and controlled access by ADMG physicians to the information in the EMR. It was responsible for responding to patient requests for access to their records, and for monitoring, auditing and maintaining personal health information in the EMR. It was GHC that responded to the complainants’ concerns about unauthorized access to their personal health information, conducted an investigation, performed an audit and met with the complainants to review the results of its audit. Based on the material before me, it does not appear that ADMG had any documented responsibilities in relation to maintaining and providing for the security of the EMR.

[22]  GHC states that it performed these functions “on behalf of both GHC and ADMG”. This appears to have been based on an informal arrangement, rather than a written agreement. Based on the parties’ description of their relationship, it is plausible to view ADMG as a group of physicians who contributed to and accessed GHC’s EMR to perform their work for joint patients, but did not in itself have custody or control over the information in the EMR.

[23]  Ultimately, whether GHC and/or ADMG was/were the custodian(s) of the personal health information at issue in this case does not affect whether the actions of the physician were authorized under the Act. Both GHC and ADMG, as the potential health information custodians of the information at issue, agree that the accesses in these complaints were not authorized under the Act.

[24]  Further, whatever may have been the case at the time of the events, as a result of these complaints, GHC and ADMG have formalized and clarified their relationship in an agreement in which they explicitly recognize that GHC is the health information custodian for all shared patients, and that ADMG and its physicians are GHC’s agents for the purposes of the Act. I will discuss this agreement in more detail below.

The physician used the personal health information of the complainants without authorization and contrary to the Act

[25]  Under sections 17 and 37(2) of the Act, a health information custodian which is permitted to use personal health information may permit its agents to use that information in order to carry out their duties. Under section 6(1) of the Act, the sharing of information between a custodian and its agents is a “use” of the information, rather than a “disclosure”. The terms “agent”, “disclose” and “use” are defined in section 2 of the Act as follows:

“agent”, in relation to a health information custodian, means a person that, with the authorization of the custodian, acts for or on behalf of the custodian in respect of personal health information for the purposes of the custodian, and not the agent’s own purposes, whether or not the agent has the authority to bind the custodian, whether or not the agent is employed by the custodian and whether or not the agent is being remunerated;

“disclose”, in relation to personal health information in the custody or under the control of a health information custodian or a person, means to make the information available or to release it to another health information custodian or to another person, but does not include to use the information, and “disclosure” has a corresponding meaning;

“use”, in relation to personal health information in the custody or under the control of a health information custodian or a person, means to handle or deal with the information, subject to subsection 6 (1), but does not include to disclose the information, and “use”, as a noun, has a corresponding meaning. [1]

[26]  One of the purposes of the Act is to establish rules for the collection, use and disclosure of personal health information about individuals that protect the confidentiality of that information and the privacy of individuals, while facilitating the effective provision of health care. One of the ways in which the Act achieves this purpose is by requiring that collections, uses and disclosures of personal health information occur with the consent of the individual to whom the information relates. Generally speaking, health care practitioners can assume individuals’ implied consent to the sharing of their personal health information for the provision of health care. Further, the Act permits certain collections, uses and disclosures of personal health information even without the consent of the individual to whom the information relates.

[27]  The complainants assert, and the physician does not deny, that they did not consent to his accesses to their personal health information. The physician states that he was never the family physician for the complainants at the GHC, although he also states that over the years, they asked him to be involved in their health care at times, such as to facilitate referrals for them and to “provide episodic care”. He states that he was given the opportunity to review the audit reports and has no reason to dispute the information in them, although he has no memory of the accesses. He accepts for the purposes of these complaints that he was not providing or assisting in providing health care to the complainants at the time of the accesses at issue. He indicates that it must have been concern for the complainants’ well-being that led him to access their information in the EMR, and that he had a mistaken belief at the time that this was permissible given that he had a medical practice located at the GHC. No one, including the physician, takes the position that his accesses would have been permitted without consent. There is no dispute, and I find, that the accesses by the physician were not authorized by the Act.

[28]  It is less clear whether the physician was acting as an agent of GHC or ADMG at the time he accessed the personal health information of the complainants. GHC and ADMG submit that at the time of the accesses the physician was not an agent of GHC, and was an independent contractor and shareholder providing medical services to ADMG. As I indicate above, the physician submits that while the relationship had not at that time been formalized in writing, it is likely he was an agent of GHC and/or ADMG. The complainants submit that the physician was an agent of GHC.

[29]  Having regard to my conclusion above that GHC was the health information custodian with custody or control of the personal health information at issue in the EMR at the time of the events, as well as the other information before me, I also find that the physician was provided access to the EMR as an agent of GHC, and therefore the physician’s accesses to the information of the complainants were “uses” – albeit uses that were not permitted by GHC. Of course, as discussed below, the physician’s status as an agent was never formally documented, resulting in much of the confusion at issue in this case.

[30]  In any event, regardless of whether the physician was acting as an agent of GHC or ADMG at the relevant time, he viewed this information without consent, and for no authorized purpose under the Act. These accesses amount to either unauthorized uses or unauthorized disclosures of the complainants’ personal health information.

[31]  The original complaints made certain generalized allegations of further unauthorized uses of the information following the accesses (for example, the assertion that information was used to “intimidate” one of the complainants). Apart from the allegation of disclosure of information to the physician’s family member, no details were provided beyond these statements, and I have no basis to make any findings of additional unauthorized use of the information. Below, I will discuss the allegation of unauthorized disclosure.

The physician did not disclose the personal health information of the complainants

[32]  The main concern raised by the complainants is their belief that the physician disclosed the personal health information of complainant A to his family member. There is no suggestion that the physician had a valid consent to disclose any of the personal health information he viewed as part of the accesses at issue in these complaints. Sections 38 through 48 and section 50 set out the circumstances in which personal health information may be disclosed without consent. There is no dispute that any such disclosure, if it occurred, would not have been authorized under these provisions.

[33]  The complainants’ representative describes the basis of the complainants’ belief about the disclosure at issue as follows:

As [physician] knows very well, I visited [physician’s family member] on March 31, 2014 at the home of [physician] and [physician’s family member] at approximately 3:30 p.m. and I asked [physician’s family member] if she would meet with [complainant A] who was suffering severely with [a health condition]. [Complainant A] had asked me if possibly I could convince [physician’s family member] to see her. I explained to [physician’s family member] that [complainant A] was in a horrible place and also that I feared for her life. [Physician’s family member] agreed immediately that she wanted to see [complainant A] and said she would join me the next morning at 10:00 a.m. to go to [complainant A’s] apartment to have coffee with her. When I got home I phoned [complainant A] at approximately 5:00 p.m. and told her that [physician’s family member] would see her the next morning for coffee. A couple of hours later, [physician] was again illegally into [complainant A’s] EMRs, as confirmed by GHC audits at 7:02:54 p.m. A few minutes later, at about 7:08 p.m., [physician’s family member] called my home and informed me that she had changed her mind and decided that she should not be involved with [complainant A]!! When I realized what happened that afternoon/evening of March 31, 2014, it clearly suggested to me that this breach of privacy was immediately followed by disclosure by [physician] to [physician’s family member], and immediately followed by horrible advice by [physician] to reject and abandon [complainant A]!!

[34]  GHC and ADMG state that they do not know whether the physician disclosed the complainants’ personal health information.

[35]  The physician and his family member, to whom he is alleged to have disclosed the information, submitted affidavits setting out their accounts of the events. While not disputing the access shown in the audit and referred to above, they state that the physician did not discuss the personal health information with anyone, including this family member. The affidavit of the physician states, among other things:

Specifically with respect to the audit report dated March 31, 2014, I believe that I must have accessed [complainant A’s] EMR after [complainant’s representative] asked [physician’s family member] earlier that day if there was anything she and I could do to help [complainant A], who had apparently agreed to attend a treatment facility but then refused to go. [Complainant’s representative] previously confirmed in a letter to the College that he asked us if we could join him in an intensified effort to help [complainant A]. I assume that he specifically asked for my assistance because I am a physician.

I know now that proceeding in this way was misguided and wrong. While I obviously proceeded with ignorance, it would never have been with the intention of causing any harm or of using the information to [complainant A] or [complainant B’s] detriment in any way, nor would it have been in order to disclose it to anyone.

I never disclosed or shared any of [complainant A] or [complainant B’s] personal health information with anyone, including my [family member]. This would have been a breach of confidentiality. While I did not fully understand the related but distinct concept of patient privacy, I have always understood and respected doctor-patient confidentiality.

I graduated from medical school in 1973 and have always understood and taken doctor-patient confidentiality very seriously. It is sacrosanct and I have never disclosed information from anyone’s medical records to a third party without authorization. However, I did not fully appreciate the related but distinct concepts of patient privacy, the circle of care and the “need to know” principle.

Analysis

[36]  Given the relationship between the parties, the complainants have a reasonable basis for their concern that the physician disclosed their information to his family member. Their belief is based on and supported by the timing of some of the events, as described in their submissions. These events, while not direct evidence, provide powerful circumstantial evidence that such a disclosure occurred.

[37]  On the other hand, I have sworn affidavits from the physician and his family member which state unequivocally that no such disclosure occurred. In assessing the reliability of their statements, I take into account the physician’s own acknowledgements about the events, and his willingness to accept responsibility for the unauthorized accesses. I take into account the physician’s acknowledgement that he did not fully understand his obligations under PHIPA regarding patient privacy, while understanding and respecting the importance of doctor-patient confidentiality. On balance, I accept the physician’s sworn statement on the allegation of disclosure. It provides direct evidence in support of his position and in all the circumstances I find it persuasive.

[38]  My finding here is based on the evidence before me and should not in any way be seen to diminish the seriousness and sincerity of the complainants’ concerns. I am sympathetic to their circumstances and appreciate the impact of these events on them.

Duty to protect personal health information

[39]  Section 10 of the Act requires health information custodians to have and comply with information practices in relation to the collection, use and disclosure of personal health information that they maintain, as well as technical and other safeguards in relation to that information. Section 12(1) requires custodians to take reasonable steps to protect personal health information in their custody or control against theft, loss and unauthorized use or disclosure, among other things.

[40]  The circumstances of this case raised the issue of the adequacy of the information practices of GHC and ADMG, and whether reasonable steps were taken to protect personal health information against unauthorized use or disclosure.

[41]  At the time of the accesses, GHC and ADMG had no formal relationship. Between them, they had certain policies and practices which addressed, directly and indirectly, the privacy and security of personal health information in the EMR:

  • GHC had its own privacy policies, which set out in detail its practices and procedures in relation to the collection, use and disclosure of personal health information, including policies regarding consent, security, access, correction requests, and responding to privacy breaches.
  • The parties state that ADMG “adopted” these policies and expected its physicians to comply with them but provided no detail about how this was effected.
  • GHC had no authority to discipline ADMG physicians over non-compliance with privacy policies.
  • GHC and ADMG were independently responsible for training and disciplining their own personnel relating to privacy. GHC offered privacy training programs to ADMG physicians but could not require ADMG physicians to participate. Prior to these complaints, the physician last participated in a GHC privacy training program in February 2005.
  • As the owner of the EMR, GHC allowed ADMG physicians access to the EMR through a Computer Network Access Policy agreement. The physician signed this agreement. GHC states that although it could deny access to the EMR to an ADMG physician, it has never done so and relied on ADMG in matters of discipline of physicians.
  • Although GHC requires its staff to sign a Pledge of Confidentiality with respect to patient information, this was not required of ADMG physicians.
  • GHC had the ability to monitor and audit ADMG physicians’ access to patients’ personal health information, using its former EMR software application (Clinicare) from 1997 to February 2014, and a new application as of 2014, Epic EMR.
  • GHC operated the health records office where shared patients could request access to their records. This office housed personal health information from both GHC and ADMG, for all shared patients.

[42]  In general, therefore, GHC owned and maintained the EMR, permitted ADMG physicians access to the EMR and was the entity responsible for monitoring, auditing and maintaining personal health information in the EMR.

[43]  In their submissions, GHC and ADMG stated that they acted as independent health information custodians and acknowledged that acting as such may have created gaps with respect to the protection of personal health information, specifically in the area of responsibility for the discipline of physicians for privacy breaches. In response to the issues raised by these complaints, they have taken steps to formalize their relationship and clarify their respective responsibilities under PHIPA. Among other things, they have entered into an agreement under which GHC is the health information custodian for the personal health information of all shared patients. The agreement includes a detailed allocation of responsibilities for the protection of personal health information amongst GHC, ADMG, and ADMG physicians, including the provision of privacy training to staff and agents. GHC and ADMG state:

In this new model, GHC is the health information custodian and ADMG and its physicians are PHIPA agents. A joint Privacy Committee with equal representations from GHC and ADMG: reviews and makes recommendations with respect to any new or amended GHC privacy policies or information management practices; investigates any alleged breaches by GHC staff or volunteers or ADMG members of any GHC privacy policies or information management practices; and makes discipline recommendations arising from confirmed breaches of GHC privacy policies or information management practices.

[44]  GHC and ADMG state that, in the case of GHC staff or volunteers, the GHC CEO will have the final authority to determine and impose discipline after considering the Privacy Committee’s recommendations. In the case of ADMG members, the GHC Board will be empowered to determine and impose discipline after considering the Privacy Committee’s recommendations and any submissions of the ADMG Board. Discipline may include suspension or termination of ADMG members’ access to the EMR. Other consequences may include retraining, suspension, notifying a sponsoring agency, school or institution, restriction or revocation of privileges, and dismissal.

[45]  Since these events arose, the physician has:

  • been “formally reprimanded” by GHC and ADMG;
  • attended the live webcast of a presentation by this office addressing the issues and challenges of unauthorized access;
  • completed the CMPA’s e-Learning module on Privacy and Confidentiality and reviewed the CMPA’s Electronic Records Handbook;
  • organized and completed (at his own expense) an individualized privacy ethics preceptorship at the Canadian Medical Association;
  • presented on the topic of privacy at the Sault Area Hospital grand rounds, speaking about his personal experience to a hospital-wide audience;

[46]  Also since these events arose, GHC and ADMG have provided privacy training to all staff and physicians, and GHC has enhanced its auditing of accesses to the EMR.

[47]  GHC and ADMG have confirmed that the boards of directors of both organizations have approved the agreement and it is in effect.

[48]  In their submissions, the complainants indicate that they are satisfied that GHC and ADMG comply with sections 10 and 12(1) of the Act.

Analysis

[49]  The facts of this case demonstrate some of the challenges with ensuring the privacy and security of personal health information where parties have not meaningfully documented and formalized their relationship. Here, both GHC and ADMG claimed to be health information custodians of the same records of personal health information. However, neither could point to any document that clearly articulated this intention and set out their respective roles and responsibilities under the Act.

[50]  Although GHC undertook many of the responsibilities of a health information custodian for the shared information, such as responding to access requests, investigating potential privacy breaches and monitoring access, this was pursuant to informal arrangements. The lack of a more formal arrangement and identification of the health information custodian meant that there was no clear entity with the authority to require privacy training of all personnel who had access to the EMR, or to discipline staff and professionals in a meaningful way with respect to privacy breaches. The fact that the physician received his only privacy training in February 2005, and by his own admission did not have an understanding of the Act’s rules on collection and use of personal health information, illustrates the hazards and inadequacy of the informal arrangements.

[51]  It is particularly important in a multi-party setting such as the one before me for a health information custodian to document the identity of persons granted access to its EMR, the legal authority for the access, and the relationship between the custodian and those persons. Among other things, such documentation establishes the obligations of the custodian with respect to that person, whether it be to provide training, or to ensure that another custodian provides training (where the person is an agent of another custodian). In this case there was an absence of such documentation and, indeed, of a clear understanding about whether the physician was an agent of a health information custodian and, if so, of which health information custodian. Despite the existence of detailed privacy policies applying to GHC’s own staff, this gap contributed to the breaches at issue in these complaints, since the physician did not understand his own obligations in being granted access to the EMR.

[52]  I therefore find that the failure at the time of the events to clearly articulate and document the relationship between GHC, ADMG, and the physician was a breach of section 12(1) of the Act, regardless of which entity was the health information custodian and which was the agent. It is unnecessary for me to also consider whether this was a breach of section 10.

[53]  In response to these complaints, GHC and ADMG have since conducted a thorough review of the steps needed to ensure compliance, going forward, with their obligations under sections 10 and 12(1) of the Act. While it is unfortunate it took these complaints for GHC and ADMG to clarify their relationship, on my review of the submissions and evidence before me, and summarized above, I am satisfied that they have adequately addressed the gaps in their information policies and practices and no order is required.

NO ORDER:

For the foregoing reasons, no order is issued.

Original Signed by:

December 1, 2017

Sherry Liang

Assistant Commissioner


[1] This is the definition of “use”, in force at the time of the accesses at issue in these complaints. It has since been amended to clarify that viewing is also a use.
