Health Information and Privacy

Decision Information

Summary:

In this decision, the IPC determines that a medical clinic disclosed the personal health information of the complainant to her estranged spouse, without authority under the Personal Health Information Protection Act, 2004. The IPC also decides that the spouse used the complainant’s health information in contravention of the Act when he signed an Authorization of Release of Records form in an effort to obtain additional records relating to the complainant from a hospital.

Decision Content

PHIPA DECISION 68

HC13-28, HC13-37, and HC15-17

February 9, 2018

Statutes considered: Personal Health Information Protection Act, 2004, section 2 (“agent”), 3, 6, 12(1), 29, 40(1), 41(1), 49

Decisions considered: HO-002

INTRODUCTION:

[1]  In these complaints under the Personal Health Information Protection Act, 2004 (PHIPA or the Act) a former patient of a physician at a medical clinic alleges that her spouse unlawfully obtained her medical records from the clinic and a pharmacy, and subsequently unlawfully used and disclosed those records in family law proceedings. The spouse is a physician who formerly provided health care at the clinic.

[2]  The physician, spouse, clinic, and pharmacy are collectively referred to as “the respondents”. I have not identified the respondents in this decision, as doing so could increase the risk of identifying the complainant and thereby reveal her personal health information.

BACKGROUND:

[3]  At the relevant time, the complainant was a patient of the physician, who has a family practice at the clinic. As noted above, the complainant’s spouse is also a physician who, between August 15, 2011 and July 30, 2012, worked part-time at the clinic. Apart from one prescription, the spouse did not provide health care to the complainant.

[4]  On November 12, 2012, the complainant left the family home, where she lived with the spouse, and took the children of the marriage.

[5]  The next day, in the late afternoon of November 13, the spouse came to the clinic. The only other person present at the clinic at this time was an administrative assistant employed by the clinic. The spouse asked the administrative assistant to assist him with various tasks related to the complainant’s health records.

[6]  Certain facts surrounding the spouse’s visit to the clinic on November 13 are in dispute. It is not at issue that, as a result of his visit, the spouse took copies of some of the complainant’s medical records with him. On the same date, the spouse also obtained the complainant’s Patient History Report from the pharmacy in the same building as the clinic.

[7]  In addition, while at the clinic, the spouse, with the assistant’s help, completed a requisition for the complainant’s medical records, which was faxed to a hospital from the clinic on November 13. As a result of the requisition, the hospital forwarded some of the complainant’s medical records to the clinic on a later date.

[8]  The spouse filed copies of the complainant’s health records with the court as part of a motion brought ex parte on November 14, 2012. The records were then appended to an affidavit filed for another ex parte motion brought by the spouse in January 2013. Also appended to the affidavit was a letter dated November 16, 2012, ostensibly written by the physician, attesting to the complainant’s health. On receipt of this affidavit, the complainant began making inquiries to determine how the spouse had come into possession of these records and, among other things, became aware of the requisition sent to the hospital.

[9]  Once the physician and the complainant became aware of the above events, they both made complaints about the conduct of the spouse to the York Regional Police and the College of Physicians and Surgeons of Ontario (CPSO). The complainant brought complaints against the spouse, the physician and the pharmacy to this office. The spouse was charged with two offences under the Criminal Code in connection with the requisition sent to the hospital. The IPC placed these complaints in abeyance while those offences were outstanding and, upon being advised by counsel for the spouse that the charges were withdrawn, re-activated the complaints, ultimately commencing this review.

Nature of the complaints

Complaint #1: HC13-28

[10]  The complainant alleges that her physician contravened the Act by using and disclosing her personal health information without her consent and contrary to the Act. Specifically, the complainant alleges the following:

Incident 1

The physician requested and obtained the complainant’s records of personal health information from a hospital, without the complainant’s consent, through an “Authorization of Release of Records”, dated November 13, 2012, which appeared to contain the complainant’s signature, but which was not her signature.

Incident 2

The physician sent a letter dated November 16, 2012 containing the complainant’s personal health information to the CAS and the Superior Court of Justice in Brampton.

Incident 3

The physician gave the complainant’s records of personal health information to the complainant’s then-estranged husband without her consent. According to the complainant, she discovered this when the above-noted letter and other records containing her personal health information were disclosed by her estranged husband in a family court proceeding.

Complaint #2: HC13-37

[11]  The complainant alleges that her estranged spouse contravened the Act by collecting, using and disclosing her personal information without her consent and contrary to the Act.

[12]  She alleges that he gained access to her medical records through deception, and that he subsequently wrongfully disclosed her personal health information without her consent.

[13]  Specifically, the complainant alleges the following:

Incident 4

The spouse obtained the complainant’s records of personal health information from the clinic. He subsequently disclosed these records during a family court proceeding.

Incident 5

The spouse completed and signed the “Authorization of Release of Records” dated November 13, 2012 on letterhead belonging to the physician, and sent it to a hospital in an attempt to obtain the complainant’s personal health information in the hospital’s custody. The complainant alleges she did not sign the form and that her spouse placed a signature on the form purporting to be hers.

Incident 6

The spouse wrote the letter of November 16, 2012 on the physician’s letterhead, which contained the complainant’s personal health information, signing it as the physician. The spouse then disclosed that letter in court.

Complaint #3: HC15-17

[14]  The complainant alleges that the pharmacy contravened the Act in the following manner:

Incident 7

The complainant alleges that the pharmacy disclosed her personal health information by giving her Patient History Report to her spouse without her consent.

[15]  As is evident from the above, some of the complainant’s factual assertions conflict. For example, the complainant alleges that both the physician and her spouse authored the letter of November 16, 2012. This is understandable since, on the basis of the information before her when the events came to light, the complainant was aware that her personal health information was used and disclosed during court proceedings, but was not aware of how her spouse came into possession of the records.

Process of the Review

[16]  No mediated resolution of the complaints was possible and the three files were transferred to the adjudication stage.

[17]  Complaint HC13-37 came before me initially. I initiated a review of the complaint under section 57(3) of PHIPA, and issued an interim Decision, PHIPA Decision 16, in that matter. As described in PHIPA Decision 16, the complainant’s spouse requested that I hold the complaint in abeyance pending a proceeding before the CPSO. I denied that request.

[18]  Following the issuance of PHIPA Decision 16, I decided to combine my previously commenced review in Complaint HC13-37, with my reviews of Complaints HC13-28 and HC15-17, given that the three complaints deal with overlapping facts and issues.

[19]  I began my combined review by seeking the written representations of the physician and the pharmacy on the facts and issues before me. Among other things, I asked the physician to provide details of the relationship between herself, the complainant’s spouse and the clinic, and address whether the clinic is a health information custodian in relation to any of the incidents in the complaints. After receiving the physician’s representations, I added the clinic as a respondent to the review pursuant to section 58(1) of the Act and invited it to submit its own representations. I then sought and received written submissions from the spouse. I then invited the complainant to provide representations on the issues, in response to those provided by the four respondents. I gave the respondents the opportunity to provide representations in response to a summary of the complainant’s representations.

[20]  I have considered all of the representations provided by the parties, even if not directly referenced below.

[21]  In this decision and for the reasons that follow, I find that the clinic breached its obligations under the Act in allowing the spouse to obtain personal health information relating to the complainant without consent or a purpose permitted under the Act, and in failing to take reasonable measures to safeguard personal health information. I find that the spouse used the complainant’s personal health information in contravention of the Act by signing the “Authorization of Release of Records” form referred to below. I do not make any findings against the physician or the pharmacy in relation to their actions in these complaints.

DISCUSSION:

PART 1: HEALTH INFORMATION CUSTODIANS AND AGENTS

[22]  Broadly speaking, the Act regulates the activities of a defined group of persons, referred to in the Act as “health information custodians”, and their agents, with respect to personal health information. [1] The term “health information custodian” is defined, in part, as follows:

3. (1) In this Act,

“health information custodian”, subject to subsections (3) to (11), means a person or organization described in one of the following paragraphs who has custody or control of personal health information as a result of or in connection with performing the person’s or organization’s powers or duties or the work described in the paragraph, if any:

1. A health care practitioner or a person who operates a group practice of health care practitioners.

4. A person who operates one of the following facilities, programs or services:

iii. A pharmacy within the meaning of Part VI of the Drug and Pharmacies Regulation Act.

[23]  “Health care practitioner” is also defined in section 2 of the Act, in part, to mean:

(a) a person who is a member within the meaning of the Regulated Health Professions Act, 1991 and who provides health care…

[24]  “Health care” is a term defined in the Act, and includes the “compounding, dispensing or selling of a drug”. It is not in dispute that the clinic, physician, and pharmacy provided health care within the meaning of the Act, and further that the spouse, when he was seeing patients at the clinic on or before July 30, 2012, provided health care.

[25]  The Act also applies to the activities of those persons who act for or on behalf of health information custodians in respect of personal health information. These persons are “agents”, defined in section 2 of the Act as follows:

“agent”, in relation to a health information custodian, means a person that, with the authorization of the custodian, acts for or on behalf of the custodian in respect of personal health information for the purposes of the custodian, and not the agent’s own purposes, whether or not the agent has the authority to bind the custodian, whether or not the agent is employed by the custodian and whether or not the agent is being remunerated;

[26]  Section 3(3) of the Act is relevant to whether a health care practitioner is a health information custodian when acting as an agent, stating, in part:

Except as is prescribed, a person described in any of the following paragraphs is not a health information custodian in respect of personal health information that the person collects, uses or discloses while performing the person’s powers or duties or the work described in the paragraph, if any:

1. A person described in paragraph 1, 2 or 5 of the definition of “health information custodian” in subsection (1) who is an agent of a health information custodian.

[27]  As a preliminary matter, no party disputes, and I find, that the information in the records at issue in the three complaints constitutes “personal health information” as defined in section 4 of the Act. For ease of reference, I also refer to these as the complainant’s “medical records.”

[28]  The parties were asked to provide submissions, among other things, on whether the respondents are “health information custodians” with respect to the complainant’s medical records. They were also asked to address whether the spouse was acting as an agent of a health information custodian during these events or, if he was neither a custodian nor an agent, whether he was a “recipient” of this information within the meaning of the Act.

[29]  No party disputes that the person who operates the pharmacy is a health information custodian pursuant to section 3(1)4iii of the Act. Further, no party suggests that the spouse was acting as an agent of the pharmacy when he obtained the complainant’s Patient History Report from the pharmacy.

Representations

[30]  The clinic submits that, at all material times, it was the health information custodian pursuant to the Act.

[31]  The clinic submits that the spouse was not its agent at the time of the relevant incidents, although he may have falsely held himself out as an agent of the clinic. It states that until he left the clinic, he practiced medicine there on days and times agreed to from time to time. There was no written agreement between the clinic and the spouse. He was never given a key to the clinic’s premises, but was given access to the electronic medical record (EMR) through a password. The spouse ceased working at the clinic on July 30, 2012. The clinic states that his access to the EMR was maintained to finalize billings. It also states that the spouse had agreed to, if needed, come back to the clinic for “locum” work (i.e., replacing physicians on temporary absence).

[32]  In response to an inquiry from me about the status of the administrative assistant, the clinic states that the administrative assistant who assisted the spouse was not acting as its agent at the times material to these complaints. It asserts that the administrative assistant did not act on behalf of the clinic, and merely checked to see if any hospital records had been filed electronically and assisted the spouse in completing a standard form.

[33]  The physician states that she is employed by the clinic. She maintains that, in general, she is a health information custodian as she is involved in patient care and is the custodian of patient health records. However, she submits that the clinic is also a health information custodian pursuant to the Act, and that the clinic is the custodian with respect to the relevant incidents.

[34]  The physician maintains that the spouse is not an agent of a health information custodian (neither herself nor the clinic) in respect of the events. She maintains that the spouse did not act with any authority, as section 2 of the Act requires for a person to be an agent; rather, he entered the clinic and forged her signature contrary to his legal and professional obligations.

[35]  The spouse submits that the physician is an agent of the clinic, and not an independent health information custodian. He submits that physicians are not automatically health information custodians of any particular record of personal health information simply by virtue of being a physician. With respect to the records of the complainant’s personal health information that were created in connection with her treatment and care at the clinic, the spouse submits that the clinic was the health information custodian. He also submits that the pharmacy was the health information custodian of the Patient History Report.

[36]  The spouse states that he was not the health information custodian of the complainant’s personal health information. He states that at no time has he been the complainant’s physician, although on one occasion he wrote a prescription for her. He maintains that for the purposes of the incidents at issue in these complaints, he was acting in a personal and not professional capacity. He states that his actions were those of a father who was exhausted and fearful for the safety of his children. He states that the disclosures were made by him not as a health information custodian but in a personal capacity and for the purposes of the Act, as a recipient of the information from health information custodians.

[37]  He agrees with the clinic that during the time that he practiced medicine at the clinic, he accessed the EMR by way of a password. He states that he had forgotten the password by the time he attended the clinic in November 2012 and required the administrative assistant’s help to obtain access. The spouse states that he assumed that the clinic had terminated his access rights when he stopped working there. He states that he had no outstanding work in connection with the clinic’s patients and, contrary to the clinic’s understanding, that he had made it clear that he was not able to provide locum services after he left the practice in July 2012.

[38]  Whatever may have been the understanding about the spouse’s future availability, it is not in dispute that the clinic never made any request for his locum services following July 2012.

[39]  The complainant maintains that her physician and the pharmacy were health information custodians in relation to the incidents.

Analysis

[40]  Applying the definitions set out in sections 2 and 3 of PHIPA, I find that the person who operates the clinic as a group practice of health care practitioners, and the person who operates the pharmacy, were at the material times the health information custodians within the meaning of the Act.

[41]  The clinic retained the services of health care practitioners, including the complainant’s physician and the spouse, to provide health care to individuals seeking services from the clinic. It is responsible for hiring and training staff, establishing policies, and authorizing agents to deal with personal health information of its patients. The clinic had custody or control of the complainant’s records of personal health information in connection with the provision of health care to the complainant at the clinic.

[42]  The physician is a member of the CPSO who provided health care to the complainant and was therefore a “health care practitioner” within the meaning of section 3(1) of the Act at all relevant times. However, the physician practiced medicine at the clinic as an employee of the clinic, and dealt with the complainant’s personal health information in the course of that role. Applying the definition of “agent” from section 2 of the Act, and the exception set out in section 3(3) of the Act, I find that the physician was an agent of the clinic, and not an independent health information custodian in relation to the records at issue in these complaints.

[43]  The clinic suggests that its administrative assistant was not acting as an agent under the Act on November 13, 2012, as she did not directly handle the complainant’s records. I find this submission unpersuasive. The status of being an “agent” does not depend on the particular task being performed by an employee from moment to moment. As the IPC stated in its decision HO-002 (para. 5),

…the Legislature intended that the phrase, “acts for or on behalf of the custodian in respect of personal health information for the purposes of the custodian” should be read as a reference to the person’s usual duties and activities, as opposed to an action taken in the particular circumstances of a complaint.

[44]  This submission is also at odds with the affidavit submitted by the clinic, in which the administrative assistant states that she reviewed the complainant’s file at the request of the spouse. I find that, at all material times, the administrative assistant was acting as an agent of the clinic.

[45]  The spouse is also a member of the CPSO who provided health care to patients at the clinic until July 2012. During that time, he too would have been an agent of the clinic, and not an independent health information custodian.

[46]  It is open to question, however, whether the spouse was acting as an agent in collecting, using and disclosing the complainant’s health records in November 2012 and following. His circumstances are distinguishable from those of the administrative assistant, and from those considered in decision HO-002. On the facts of this case, I find that the spouse was not acting as an agent of the clinic during the events at issue.

[47]  The spouse had not attended the clinic to deliver health care services since July 2012, and he was only able to access the complainant’s records of personal health information with the assistance of the administrative assistant. While he was an agent of the clinic in the past, the act of accessing records of personal health information at the clinic was no longer a part of his “usual duties and activities”. The fact that the clinic did not take steps to terminate his password to the EMR does not detract from my conclusion. This factor alone does not establish that an agency relationship was in effect in November 2012, although it does point to a weakness in the clinic’s practices.

[48]  While the clinic and the spouse contemplated the possibility of his return on a “locum” basis, this does not support the conclusion that he was an agent in November 2012, given the vagueness of this possibility and the fact that the spouse himself ruled out any prospect of his future availability. For all intents and purposes, the spouse had severed his relationship with the clinic. It is also not in dispute that the clinic never made any request for his services as a “locum” following July 2012. With respect to the clinic’s submissions, whether or not the spouse falsely held himself out as an agent of the clinic to the administrative assistant is immaterial to my finding that he was not an agent of the clinic in November 2012 and following.

[49]  As I have indicated, no party suggested that the spouse was an agent of the pharmacy at the relevant times, and I find that he was not.

[50]  As a result of these conclusions, it follows that the spouse’s collection, use or disclosure of the complainant’s personal health information is not governed by the provisions of the Act which apply to health information custodians and their agents. His actions can neither be authorized by the provisions governing the actions of health information custodians and their agents, nor be a breach of those provisions. However, below, I find that the spouse was a “recipient” of personal health information whose actions are governed by the rules in the Act restricting use and disclosure of personal health information by recipients.

[51]  With the above in mind, I turn to the specific incidents at issue in these complaints.

PART 2: USES AND DISCLOSURES

[52]  One of the purposes of the Act is to establish rules for the collection, use and disclosure of personal health information about individuals that protect the confidentiality of that information, while facilitating the effective provision of health care. One of the ways in which the Act achieves this purpose is by requiring that collections, uses and disclosures of personal health information occur with the consent of the individual to whom the information relates, unless such collections, uses and disclosures are permitted or required without consent by the Act. In this regard, section 29 of the Act states:

A health information custodian shall not collect, use or disclose personal health information about an individual unless,

(a) it has the individual’s consent under this Act and the collection, use or disclosure, as the case may be, to the best of the custodian’s knowledge, is necessary for a lawful purpose; or

(b) the collection, use or disclosure, as the case may be, is permitted or required by this Act.

[53]  Part III of the Act sets out requirements for a valid consent to collect, use or disclose personal health information. It is not necessary for me to summarize the full consent requirements of the Act for the purposes of this decision. It suffices to say that one condition of relying on an individual’s assumed implied consent is that the collection, use, or disclosure be for the purpose of providing health care or assisting in providing health care to the individual. [2]

[54]  Further, sections 37, 38 through 48 and section 50 describe the circumstances in which custodians may use or disclose this information without consent.

[55]  Section 2 of the Act defines the terms “use” and “disclose” as follows:

“use”, in relation to personal health information in the custody or under the control of a health information custodian or a person, means to handle or deal with the information, subject to subsection 6 (1), but does not include to disclose the information, and “use”, as a noun, has a corresponding meaning. [3]

“disclose”, in relation to personal health information in the custody or under the control of a health information custodian or a person, means to make the information available or to release it to another health information custodian or to another person, but does not include to use the information, and “disclosure” has a corresponding meaning;

[56]  Section 6(1) further clarifies that the provision of personal health information to an agent is a use and not a disclosure or collection:

6(1) For the purposes of this Act, the providing of personal health information between a health information custodian and an agent of the custodian is a use by the custodian, and not a disclosure by the person providing the information or a collection by the person to whom the information is provided.

The events of November 13, 2012

[57]  The parties offer divergent accounts of what happened when the spouse visited the clinic on November 13, 2012, but some facts are not in dispute. It is not in dispute that during his visit to the clinic, and with the help of the administrative assistant, the spouse obtained copies of some of the complainant’s medical records. He also signed a requisition, which was faxed to a hospital, in an effort to obtain additional records relating to the complainant. On the same day, the spouse also obtained the complainant’s Patient History Report from the pharmacy, which is located in the same building. This Report lists medications prescribed to the complainant and dispensed by the pharmacy. The Report contains an entry for one prescription issued by the spouse, and lists the spouse as the prescribing physician.

[58]  It is also not in dispute that the spouse disclosed medical records he received from the clinic and the pharmacy to the court in two motions brought in November 2012 and January 2013. Based on the material before me, it appears that the complainant and the spouse have not concluded those family court proceedings. Each of them was granted sole custody at different times and it appears that the spouse currently has temporary sole custody.

Representations of the clinic

[59]  The clinic submitted an affidavit from the administrative assistant, setting out her understanding of the events. She confirms that the spouse practiced medicine at the clinic on a part-time basis ending July 30, 2012. She states that, while the spouse worked at the clinic, she assisted him with various tasks including management of patient files and reports. The administrative assistant states that on November 13, 2012, the spouse came to the clinic at about 3 p.m., a time when, for all intents and purposes, the clinic was closed to patients and the general public.

[60]  The administrative assistant states she was misled by the spouse in that he told her he had permission from the physician and the clinic to, among other things, take copies of the complainant’s medical records. She states that she believed him and gave him access to the administrative area of the clinic. She attests that she checked the complainant’s file at his request and then, again at his request, helped him to complete an Authorization of Release of Records form directed to the hospital. The administrative assistant maintains that she did not sign the form, nor witness the spouse signing the form. She states that she witnessed the spouse fax the form to the hospital.

[61]  The administrative assistant states that she also saw the spouse take additional blank copies of the Authorization form, as well as photocopies of the complainant’s medical file. She states that, as he left the clinic, the spouse told her not to worry as he had permission from the physician and the physician’s husband (the clinic owner).

[62]  The clinic submits that it may have disclosed the complainant’s personal health information; however, wherever it did so, such disclosure was to another health care practitioner and was believed on reasonable grounds to have complied with the Act. The clinic maintained that the spouse was a health care practitioner (and therefore a health information custodian pursuant to section 3(1)(a) of the Act) and may have falsely held himself out as an agent of the clinic during the times material to these complaints.

[63]  In answer to additional inquiries that I directed to the clinic, the clinic states that it received health records relating to the complainant on November 26, 2012 from the hospital, without knowing why they had been sent. The clinic filed the records in the complainant’s existing file at the clinic. Given the facts it now knows, the clinic surmises that the records were sent by the hospital as a result of the Authorization faxed on November 13.

Representations of the spouse

[64]  In his affidavit, the spouse describes his version of the events leading to his visit to the clinic and pharmacy.

[65]  He states that as a result of an incident in October 2012, which led to the involvement of the Children’s Aid Society (CAS), the CAS advised him that the complainant could be a threat to herself and to the children. [4] The spouse states that the CAS cautioned him that the children were not to be left alone with the complainant, and that the complainant’s “history of harmful behaviour around the Children led me to be very concerned about their safety prior to and throughout the material time.”

[66]  He states that when he arrived at home after work on November 12, he found the matrimonial home deserted, with the complainant and the children missing. He states that he became very concerned for the safety of the children. He states that on the following morning, the local CAS advised him to obtain a letter from the complainant’s physician indicating that the complainant had mental health issues and to then seek an emergency court order for custody of the children. He states that he was sick with worry.

[67]  The spouse states that he decided to obtain medical records relating to his wife’s mental status from the clinic, and the affidavit proceeds to describe his visit to the clinic. His description of what he told the administrative assistant to support his request for the complainant’s records is brief, indicating only that he told her “what had happened”. He states in his affidavit that he “believed the clinic was permitted to give me my wife’s health records because of the real possibility that the Children and my wife were in danger. I also believed disclosure was permitted for the purposes of the legal proceeding I was trying to bring for the return of the Children.”

[68]  The spouse states that he asked the administrative assistant if the clinic had copies of the complainant’s records from the hospital. The administrative assistant checked and told him the clinic did not have a copy of those records, and suggested they could be obtained. She then provided him with the authorization form to sign. He states that he signed the form with his own name and not that of the physician. He states that the administrative assistant told him she would fill in the remainder of the form and that he did not fax the form himself. [5]

[69]  The spouse also states that the administrative assistant provided him with a copy of certain of the complainant’s other records from the clinic’s file, as he did not have access to any electronic records nor access to the paper records as he did not leave the reception area of the clinic.

[70]  The spouse states in his affidavit that he left the clinic and went to the pharmacy, where he obtained the complainant’s Patient History Report.

Responding representations of the clinic

[71]  In response to the above factual assertions, the clinic states that the administrative assistant did not print out the records that the spouse took with him on this date. It confirms that its audit of the EMR shows that the records were accessed under the login password used by medical assistants (including this administrative assistant). It submits that once the assistant had logged in, any person at the workstation could view or print a patient record and this may explain how the spouse could have obtained the complainant’s records. In a supplementary affidavit of the administrative assistant, she states that the spouse did not share any details of the family issues that the spouse submits were motivating his actions on this date.

The pharmacy

[72]  Where relevant, I refer to the pharmacy’s version of the events, below.

The complainant

[73]  The complainant submits, among other things, that the physician failed to ensure that records of personal health information in her custody or control were protected against unauthorized disclosure. As a result, the physician permitted the spouse to access the complainant’s records without her consent. She also submits that the spouse collected, used and disclosed her personal health information without her consent and contrary to the Act.

Analysis

[74]  In this section, I will address the issues raised by the events of November 13, 2012 and following in this order:

  • Did the physician use or disclose the complainant’s personal health information without authority under the Act?
  • Did the clinic use or disclose the complainant’s personal health information without authority under the Act?
  • Did the pharmacy disclose the complainant’s personal health information without authority under the Act?

[75]  I address the spouse’s subsequent uses and disclosures of the complainant’s health information in a separate section below.

Did the physician use or disclose the complainant’s personal health information without authority under the Act?

[76]  I find no basis to conclude that the physician was responsible for the use or disclosure of the complainant’s personal health information on November 13, 2012. She was not the health information custodian of the personal health information at issue, was not present at the clinic, and the administrative assistant was not acting under her direction or otherwise as her agent with respect to these uses or disclosures.

Did the clinic use or disclose the complainant’s personal health information without authority under the Act?

[77]  Above, I decided that the clinic was the health information custodian with responsibility for the complainant’s personal health information (other than the pharmacy record), in relation to the events of November 13, 2012. There is no doubt that when the complainant’s spouse left the clinic that afternoon, he took with him some of the complainant’s medical records. These include:

  • a letter from a hospital, addressed to the physician, dated October 4, 2011,
  • a document titled “Triage, Objective, Subjective, Assessment and Plan” dated January 16, 2012,
  • Canada Revenue Agency correspondence addressed to the complainant’s physician in regards to the complainant dated June 11, 2012, and
  • a LMC Diabetes & Endocrinology Report dated September 4, 2012.

[78]  I find on the evidence that the administrative assistant also confirmed to the spouse that the complainant’s file did not contain certain records from a hospital, and assisted him in completing a form in order to attempt to obtain those records. I find that the clinic, in providing the spouse with information about the complainant’s medical record, assisting him to access and take copies of certain records and assisting him in completing a requisition for additional records, used and disclosed the complainant’s personal health information within the meaning of the Act. I refer in particular to the definition in the Act of “disclose”, which includes “to make the information available.” [6] The clinic, through its administrative assistant, made the complainant’s personal health information available to the spouse. Although I arrive at the above conclusions about the clinic’s actions on this day, there is no evidence that it provided him with the records it received from the hospital following November 13, 2012.

[79]  Section 29 of the Act applies to the clinic’s actions. This section provides, in part, that a health information custodian may only use or disclose an individual’s personal health information with consent, or as permitted or required under the Act. The clinic does not rely on any of the provisions in sections 37 to 48 and 50 of the Act permitting a health information custodian to use or disclose personal health information without consent. The affidavit of its administrative assistant does not describe any circumstances that fall under those provisions, and the clinic does not suggest it was led to believe that any of these circumstances applied.

[80]  The clinic suggests that it relied on assumed implied consent under the Act as the authority for the uses or disclosures at issue. However, in order for it to use or disclose health information on this basis, it must be for the purpose of providing, or assisting in the provision, of health care to the complainant. [7] The clinic’s evidence, taken at its highest, does not establish that it shared the complainant’s personal health information with the spouse on the basis of a genuine but mistaken belief that the use or disclosure was made for the purpose of the provision of health care, or assisting in the provision of health care, to the complainant. Even accepting the clinic’s evidence that its administrative assistant was misled into believing that this use or disclosure was authorized by the complainant’s physician and the clinic, there is no suggestion that the administrative assistant understood, or was told, that the spouse was obtaining the records as the complainant’s health care provider, for the purpose of health care.

[81]  As indicated above, the clinic does not rely on any of the circumstances in sections 37 to 48 and 50 of the Act that permit use or disclosure without consent. However, the submissions of the spouse raise the application of some of these provisions, and I turn to consider these submissions.

[82]  In his submissions, the spouse relies on section 40(1) of the Act, which permits disclosure without consent to eliminate or reduce a significant risk of serious bodily harm:

A health information custodian may disclose personal health information about an individual if the custodian believes on reasonable grounds that the disclosure is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to a person or group of persons.

[83]  He also relies on section 41(1)(a), permitting disclosure without consent for the purpose of a contemplated proceeding:

A health information custodian may disclose personal health information about an individual,

(a) subject to the requirements and restrictions, if any, that are prescribed, for the purpose of a proceeding or contemplated proceeding in which the custodian or the agent or former agent of the custodian is, or is expected to be, a party or witness, if the information relates to or is a matter in issue in the proceeding or contemplated proceeding;

[84]  Section 37(1)(h) contains an equivalent provision to section 41(1)(a), permitting uses without consent for the purpose of a proceeding:

A health information custodian may use personal health information about an individual,

(h) for the purpose of a proceeding or contemplated proceeding in which the custodian or the agent or former agent of the custodian is, or is expected to be, a party or witness, if the information relates to or is a matter in issue in the proceeding or contemplated proceeding;

[85]  The spouse submits that he believed the clinic was permitted to disclose the records to him without the complainant’s consent because he intended to use the records of personal health information to prevent or mitigate potential harm to his wife and children. In addition, the spouse maintains that the clinic was permitted to disclose the records to him because they were required for the court proceedings he intended to bring on an emergency basis.

[86]  The difficulty with the spouse’s submissions is that the evidence does not support the conclusion that the administrative assistant disclosed the information for these purposes. The clear evidence from the administrative assistant is that she did not have these purposes in mind when assisting the spouse in obtaining the complainant’s personal health information. I have described the affidavit submitted by the administrative assistant. Nowhere in that affidavit does she state that she was given any information suggesting that the records were necessary to mitigate a risk of bodily harm or were relevant to a proceeding or contemplated proceeding. Nor does she state that these concerns formed the basis of her decision to assist the spouse in accessing the records.

[87]  Further, the affidavit of the spouse states simply that he told the administrative assistant “what had happened.” It provides no detail about what, if anything, he told the administrative assistant about safety concerns or the intended court proceedings. Taken at its highest, the spouse’s evidence is that the clinic could have relied upon the above permitted uses and disclosures without consent.

[88]  Taken in its totality, the evidence does not establish that the administrative assistant assisted the spouse in obtaining the records because she “believe[d] on reasonable grounds that the disclosure [was] necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to a person or group of persons”, or “for the purpose of a proceeding or contemplated proceeding”. I prefer the evidence of the administrative assistant as to the actual purposes of the clinic (and the purposes of her own actions) when it provided personal health information to the spouse, and this evidence does not establish that the use or disclosure was authorized under the Act.

[89]  To reiterate, the clinic used and disclosed the complainant’s personal health information without authority under the Act by providing the spouse with information about the complainant’s file and assisting him in obtaining the records.

Did the pharmacy disclose the complainant’s personal health information without authority under the Act?

[90]  I find that the pharmacy disclosed the complainant’s Patient History Report to the spouse on the genuine but mistaken belief that disclosure was made to a physician within the circle of care and was permitted on the basis of the complainant’s assumed implied consent. The spouse was listed as a prescribing physician on the Report. The pharmacy explained, and I accept, that it was not aware at the time of this disclosure that he was the complainant’s spouse. I find this plausible given that the complainant and the spouse have different last names. Further, the spouse phoned the pharmacy from the clinic before obtaining the report, adding to the impression that the spouse (whom the pharmacist understood was the complainant’s physician) needed the Report for health care purposes. Having no basis to suspect otherwise, the pharmacy’s belief that the disclosure was permitted was, in all the circumstances, reasonable. I find it unnecessary to make any further findings or orders with respect to the pharmacy.

[91]  Of course, despite the pharmacy’s understanding at the time, it is now clear the spouse did not obtain the Report for the purpose of providing, or assisting in the provision, of health care to the complainant.

[92]  The spouse submits that disclosure of the Report to him was permitted under the same provisions of the Act he relies on with respect to disclosure of the clinic’s records, that is, sections 40(1) and 41(1)(a). Apart from this assertion, and the facts as outlined above, he provides no evidentiary basis for this position. On the evidence before me, I cannot conclude that the pharmacy disclosed the Report to him in accordance with those provisions. As with the clinic, there is no basis to conclude that the pharmacy took account of these considerations when it disclosed the Report to the spouse. I prefer the evidence of the pharmacy with regard to the actual purposes for which it disclosed personal health information.

Letter of November 16, 2012 addressed “to whom so ever it may concern.”

[93]  This letter bears the letterhead of the physician and the clinic and the physician’s stamp, and contains sensitive health information about the complainant. It is not in dispute that the spouse filed this letter in court, as an exhibit to an affidavit. The complainant alleges that it was also sent to a CAS.

[94]  Both the physician and the spouse provided affidavit evidence and, on this issue, their evidence conflicts.

[95]  The physician states that she did not write this letter and the spouse removed her letterhead from the clinic and used it to forge the letter. [8] The physician notes that if she were to have written such a letter, her professional obligations require that a request for such a letter be in writing, which she would have verified with the requester and the complainant. She submits that she had no knowledge of this letter until she was advised of the complaint to this office, which prompted her to investigate.

[96]  The spouse’s evidence on this issue is brief. In his affidavit, he states only “[a]t no point did I draft or sign a forged letter from [the physician]”. The spouse’s submissions, made through counsel, state that this letter was provided to him by the physician but his affidavit does not speak to this point. Although his affidavit states that the CAS “advised me to obtain a letter from the Complainant’s physician indicating that she had mental health issues”, neither his submissions nor his affidavit provide any details about how and when he requested and received such a letter from the physician.

Analysis

[97]  The physician’s evidence (that she did not write the letter of November 16, 2012) appears to be a more likely explanation than that provided by the spouse. The physician explains how she would have dealt with a request for such a letter, had one been made. She also describes how she investigated the matter once it came to her attention as a result of these complaints, and then made her own complaint to the police and the CPSO. All of this is in contrast to the spouse’s evidence on this allegation, which, as described above, states only that he did not draft or sign a forged letter from the physician. Given the seriousness of the allegation, and his contention that the physician provided the letter to him, it is surprising that the spouse did not provide any details such as when, where and how he asked for and received the letter. This lack of detail casts doubt on the spouse’s denials.

[98]  However, at the end of the day, it is not necessary for me to make a positive finding about the allegation that the spouse forged the letter. In any event, the letter is a use and disclosure of the complainant’s health information for purposes not authorized by the Act.

[99]  If the spouse forged the letter, it is self-evident that this would be an impermissible use of the complainant’s health information. If he did not forge the letter and it is genuine, the clinic disclosed the complainant’s personal health information to the spouse. There is no evidence before me to explain the purpose of this disclosure. For her part, the physician claims that she made no such disclosure and therefore does not address this. As described above, the spouse’s evidence is sparse, and also does not address whether the physician provided the letter to him for a purpose authorized by the Act.

[100]  Ultimately, no party has offered any clear legal authority for the creation of this letter and its provision to the spouse, even assuming it is genuine. The clearest evidence I have is the letter itself. It does not suggest it was prepared for use in a proceeding, for the purpose of eliminating or reducing a significant risk of serious bodily harm to a person or group of persons, or for any purpose permitted by the Act without consent. The letter simply provides some details about the complainant’s health and refers to the CAS’ involvement. I conclude that this letter was not prepared and provided to the spouse for a purpose authorized under the Act.

PART 3: SUBSEQUENT USES AND DISCLOSURES BY THE SPOUSE

[101]  Above, I found that the uses and disclosures of the complainant’s records by the clinic were not authorized either on the basis of consent under the Act, or the provisions permitting use or disclosure without consent. I found that the pharmacy’s disclosure was based on a mistaken, but reasonable, belief that it had assumed implied consent, in that it believed it was providing the Report to the complainant’s physician for a health care purpose.

[102]  With these findings in mind, I turn to discuss whether the spouse’s own uses and disclosures of this information were authorized.

Record obtained from the pharmacy

[103]  Although the disclosure by the pharmacy of the Report was based on assumed implied consent (for the purpose of health care), the receipt of this information from the spouse’s point of view had nothing to do with health care of the complainant. The spouse was not acting as a health information custodian, or an agent of the pharmacy, in receiving the information.

[104]  As I stated above, the spouse’s actions in using and disclosing the complainant’s information are therefore not governed by the provisions applying to health information custodians and their agents. Instead, they are governed by the provisions relating to “recipients” of personal health information from custodians.

[105]  I refer here to section 49(1) of the Act, which sets out rules for recipients of personal health information from health information custodians, in the following terms:

Except as permitted or required by law and subject to the exceptions and additional requirements, if any, that are prescribed, a person who is not a health information custodian and to whom a health information custodian discloses personal health information, shall not use or disclose the information for any purpose other than,

(a) the purpose for which the custodian was authorized to disclose the information under this Act; or

(b) the purpose of carrying out a statutory or legal duty.

[106]  Section 2 of the Act, at the time of the events, defines the term “use”, as to “handle” or “deal with the information”. Based on the material before me, including the spouse’s own evidence, I find that he used and disclosed the complainant’s personal health information that he obtained from the pharmacy when he incorporated that information into materials filed for the purpose of a court proceeding.

[107]  Based on section 49(1), the question before me is whether this use and disclosure was a) permitted or required by law, b) done for a purpose for which the pharmacy was authorized to disclose the information to him, or c) done for the purpose of carrying out a statutory or legal duty.

[108]  With respect to (b), I found above that the pharmacy’s disclosure was premised on assumed implied consent, in that it believed it was giving the Report to the complainant’s physician for the purpose of health care. The spouse did not use and disclose the information for this purpose. As a result, the exception in section 49(1)(a), permitting a recipient to use and disclose personal health information for the purpose for which the health information custodian was authorized to disclose the information under the Act, does not apply.

[109]  There remains the question of whether his use and disclosure of the information was “permitted or required by law” or for the purpose of carrying out a statutory or legal duty.

[110]  This puts me in a difficult position. I am being asked to decide whether the use or disclosure of the personal health information as part of a court proceeding was “permitted or required by law” or pursuant to a “statutory or legal duty”, within the meaning of section 49(1) of the Act. On the one hand, I am concerned about the prospect of recipients of such information unilaterally filing this material in court, with the potential for public dissemination. This concern is highlighted when, as in this case, the material was filed as part of a motion brought ex parte, in which the complainant had no immediate opportunity to question the use of her health information in this manner.

[111]  On the other hand, based on the material before me, it is evident that the court has relied on this personal health information, finding it relevant to its proceedings. I refer to the endorsement of the Superior Court Justice, made on March 19, 2014, in which the court refers in turn to a previous ruling of a judge relying on that evidence (Exhibit “A” to the affidavit of the spouse). Above, I found that the spouse used and disclosed the information for purposes beyond those for which the pharmacy disclosed the information to him. However, whether the spouse’s use and disclosure are also beyond the bounds of any legal authority or duty is a matter, on the facts of this case, best left to the court. The complainant is free to draw the court’s attention to this decision and seek whatever remedies are available to her through the court process.

Records obtained from the clinic

[112]  Again, since I have found the spouse was not acting as an agent of the clinic, his use and disclosure of the records he obtained from the clinic is governed by the provisions relating to “recipients” of personal health information from custodians. I found above that the clinic disclosed personal health information to the spouse for no purpose authorized under the Act. As a result, the exception in section 49(1)(a), permitting a recipient to disclose the personal health information for the purpose for which the health information custodian was authorized to disclose the information under the Act, does not apply. [9]

[113]  However, there also remains the question of whether his use and disclosure in the court proceedings was “permitted or required by law” or pursuant to a “statutory or legal duty”, within the meaning of section 49(1) of the Act. Again, I find that whether the complainant’s personal health information has been used or disclosed in the court process, beyond the bounds of any legal authority or duty, is a question best left to the court. The complainant is free to bring this decision to the attention of the court.

[114]  With respect to the letter of November 16, 2012, I have no specific evidence on whether it was disclosed to a CAS and make no finding on this allegation.

Spouse’s signature on Authorization of Release of Records form

[115]  As referenced above, during the spouse’s visit to the clinic on November 13, 2012, and once he confirmed that the clinic did not have certain records from a hospital in its files, he signed a form requesting the complainant’s records of personal health information from the hospital. The spouse signed the part of the form that states “I hereby authorize any physician, practitioner, and members of hospitals or clinics to forward my records to the above physician.” The spouse signed above the signature line stating “Signature of the Patient”. The spouse’s signature is illegible.

[116]  There is no dispute that the spouse was not the “patient” referred to in this form. The form refers to the physician by name and also contains the name, date of birth, address, contact information, and health card number of the complainant. It is not clear whether the complainant’s information was on the form at the time it was signed by the spouse but in any event, the spouse intended the complainant to be identified on the form in order for the hospital to provide her records. The spouse’s own version of events makes it clear that he signed this form with the intent that it be sent to the hospital for the purpose of obtaining the complainant’s personal health information.

[117]  The spouse’s actions amount to a “use” of the complainant’s personal health information within the meaning of section 49(1). The spouse placed a signature on a form, intending for a recipient of the form to rely on it as the signature of the patient (complainant). The spouse was plainly not the patient referred to in this form. I found above that the clinic disclosed the complainant’s personal health information to the spouse for no purpose authorized under the Act. Again, the exception in section 49(1)(a), permitting a recipient to use the personal health information for the purpose for which the health information custodian was authorized to disclose the information under the Act, does not apply.

[118]  No party explains how this use of the complainant’s personal health information could be authorized by the Act. I conclude that, in signing the form on the patient signature line, in his own signature, the spouse’s actions were an unauthorized use of the complainant’s personal health information.

[119]  While I have found that the spouse's actions in signing the form were unauthorized, there is no evidence that the spouse retained this form, or the records received from the hospital in response to this form. As such, I do not need to consider whether I should order the spouse to destroy any records of personal health information.

PART 4: SECURITY OF PERSONAL HEALTH INFORMATION

[120]  Section 12(1) of the Act sets out the obligation of health information custodians to implement steps that are reasonable in the circumstances to protect personal health information against, among other things, unauthorized use or disclosure. It states:

A health information custodian shall take steps that are reasonable in the circumstances to ensure that personal health information in the custodian’s custody or control is protected against theft, loss and unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal.

Did the clinic and pharmacy take reasonable steps to protect personal health information in their custody or control as required by section 12(1) of the Act?

[121]  Given my conclusion that the pharmacy’s disclosure of the complainant’s personal health information to the spouse was based on a mistaken but honest belief, on reasonable grounds, that the disclosure was made within the complainant’s circle of care pursuant to section 20(2), I make no finding against the pharmacy under section 12(1).

[122]  The clinic submits that it did and continues to take reasonable steps to protect personal health information from unauthorized uses and/or disclosures. The clinic maintains that no reasonable administrative procedure would fully prevent against the deception and false pretense that occurred in this case, and that “it would be impossible to pre-empt a doctor intent on deceit or fraud and abusing the confidentiality of health records.”

[123]  With regard to the specific incidents, the clinic submits that it would not have been reasonable for the administrative assistant on site to have doubted the complainant’s spouse’s motives for being at the clinic in November 2012, especially given that he was a locum physician at the time.

[124]  In support of the clinic’s submissions, the physician submits that had it not been for the spouse’s deception, the clinic’s privacy policies ought to have reasonably protected the complainant’s privacy. She refers, in particular, to the following policies in place at the time:

  • All requests for disclosure of patient records be received in writing and verified by the source of the request as well as the subject patient;
  • If a copy of a patient’s medical record is requested from the clinic, the patient herself must retrieve it; and
  • The EMR is password protected.

[125]  On my review of the material before me, I conclude that the clinic failed to take reasonable steps to protect the complainant’s personal health information from unauthorized use and disclosure.

[126]  Even accepting the clinic’s evidence that its administrative assistant was deceived by the spouse, the extent of the alleged deception was that the spouse had the clinic’s permission to be on the premises and to have access to patient files to complete outstanding work. The administrative assistant knew him to be the complainant’s spouse. She knew the complainant was a patient of the physician. Whether or not she was aware that the clinic intended to call on the spouse for locum work, as of this date, he had never performed such work following his departure. Further, although the spouse indicated that he was on the premises to perform outstanding work, the patient file in which he expressed an interest and sought assistance in viewing and obtaining was that of the complainant (his wife). Finally, the spouse requested and received her assistance in completing an authorization form containing two signature lines (one for the physician and one for the complainant), neither of which the spouse could sign. Then (on the assistant’s evidence) he faxed this form to the hospital. To a properly trained employee, and even accepting the clinic’s version of events, these circumstances together should have raised red flags about the spouse’s actions and purpose in obtaining the records.

[127]  The clinic submits that the administrative assistant and other medical assistant staff have received training on the management of personal health information and that her actions on that date, as described by her, were fully permitted and authorized by the clinic and its policies. Despite my requests to be provided with copies of its training materials, none were provided. On the evidence before me, I find that any training the administrative assistant received was not adequate and, if indeed the administrative assistant’s activities were authorized by the clinic’s policies at the time, the policies themselves fell short of the standard required by the Act.

[128]  I find that the clinic did not take reasonable steps to prevent the unauthorized use and disclosure of the complainant’s personal health information. In arriving at this finding, I stress that I am not laying blame with the administrative assistant. I acknowledge the questions raised by the clinic about whether it would be reasonable to expect a clinic employee, who ordinarily takes direction from the doctors, to “cross-examine and/or disbelieve” a doctor in this type of circumstance. In this respect, I recognize the reality of the power imbalance between the administrative assistant and the spouse. Even recognizing this, however, the evidence strongly suggests that the administrative assistant did not have the tools to understand and raise necessary questions about the spouse’s actions on November 13. I find it likely that the administrative assistant had an inadequate understanding of the requirements of the Act and was not well-equipped or properly trained to properly respond to the spouse’s requests for assistance.

[129]  In this respect, it is the clinic’s obligation to ensure that it has adequate privacy policies and procedures, including adequate training of its agents, in order to meet its obligations under section 12(1).

[130]  In the Notice of Review, I invited the clinic to describe any administrative, technical and physical safeguards and practices it had in place to meet its obligations under this section. The clinic did not provide information about its prior practices, but the clinic and the physician made submissions on the improvements made to the clinic’s policies as a result of these events, and provided me with a copy of its new Privacy Policy and Confidentiality Agreement.

[131]  Having reviewed these documents, with an eye to the circumstances of these complaints, I find that they fall short of reasonable measures under section 12(1), with respect to the following subject areas:

  • Training of staff and other agents;
  • Physicians as agents;
  • Rules on EMR access.

[132]  As noted above, the events underlying these complaints indicate a failure to adequately train agents. In the new policy, the only reference to the training of agents states that staff must read and understand the Privacy Policy and sign the Confidentiality Agreement confirming such. I find this to be inadequate in that the clinic seems to be placing the burden entirely on staff to educate themselves. Without identifying a person responsible for ensuring that privacy policies and practices are adhered to, for answering any questions from staff about those, and for overseeing staff training and education with respect to the principles and obligations under the Act, simply asking staff to read the policy and sign the agreement is not sufficient. I will therefore direct the clinic to revise the policy to ensure adequate provision for training of staff.

[133]  Second, I found above that the clinic is the health information custodian responsible for the security and privacy of the complainant’s personal health information. I also found that the complainant’s physician is an agent of the clinic, for the purposes of the Act. Until he left the clinic, the spouse was also an agent of the clinic. However, neither the physician nor the spouse was party to an agreement which made clear the respective roles and responsibilities of the clinic and its physicians, regarding the personal health information of patients. These complaints highlight the need for the clinic to make clear to physicians and staff the privacy obligations of physicians and the circumstances under which they, as agents of the clinic, may collect, use and disclose personal health information of the clinic’s patients. The new policy fails to address this topic adequately. I will therefore also direct the clinic to revise the policy to ensure that it does so.

[134]  Third, the clinic surmises that the spouse gained access to the clinic’s EMR using the administrative assistant’s credentials. Regardless of any other issue raised by the events of November 13, 2012, this evidence points towards the need for the clinic’s policy to address the sharing of credentials. Although the clinic describes its system of password protection, the value of having password protection as a security measure is nullified if users access the EMR using other users’ accounts, as the clinic states occurred here. The policy does not adequately address this topic and I will direct the clinic to revise it to do so.

[135]  I highlighted, above, three flaws in the clinic’s policies directly related to the facts of these complaints. However, on my review of the clinic’s new policy, I find it to contain significant errors and deficiencies over and above these three gaps. For example:

  • The policy on disclosures by “physicians and custodians” states, among other things, that “[p]hysicians and custodians may be required by law, in a variety of circumstances, to share or disclose personal health information for Health-Care Purposes without the consent of the patient within the Circle of Care.”

[136]  This provision appears to confuse several distinct concepts under the Act. “Circle of Care” is a term widely understood in the health sector to refer to the collection, use, or disclosure of personal health information on the basis of assumed implied consent. [10] Importantly, disclosure on the basis of assumed implied consent is not done “without the consent of the patient”.

  • The policy states that it addresses only disclosure, and not collection and use of personal health information.

[137]  This is a significant shortcoming to this privacy policy. In effect, the clinic’s privacy policy only addresses one-third of the privacy obligations applicable to collections, uses, and disclosures. This is a deficiency.

  • The policy states, in a section titled “Employees – Disclosure of Personal Health Information”, that “[n]on regulated health professional employees are governed under Freedom of Information and Protection of Privacy Act.” This section also states that “applicable privacy legislation” includes “PIPEDA.”

[138]  I am unable to discern a basis on which the Freedom of Information and Protection of Privacy Act (FIPPA) has any application to the clinic. The clinic is not an institution to which that statute applies, and it is even more difficult to imagine any situation in which FIPPA could apply to non regulated health professional employees of the clinic. Further, the reference to the Personal Information Protection and Electronic Documents Act (PIPEDA) also raises questions. I note that there is an exemption order stating that PIPEDA does not apply to any health information custodian to which PHIPA applies in respect of the collection, use and disclosure of personal information that occurs within the Province of Ontario. [11]

[139]  Given its significant flaws, using this new policy as the means to ensure compliance by staff and other agents with the duties under the Act is, in my assessment, unlikely to achieve this goal. I will therefore direct the clinic to conduct a thorough review and revision of the privacy policy in light of the above comments, and to further train its agents on this policy. In reviewing and revising its policy, the clinic should review the guidance documents available on the website of this office, which describe the core obligations imposed on health information custodians under the Act and, practically, the steps that should be taken by health information custodians to best ensure compliance.

CONCLUSION:

[140]  To conclude, I find that the clinic disclosed records of the complainant’s personal health information to the complainant’s spouse, without authority and not for a permitted purpose. Although I find that the spouse’s use and disclosure of the information in the court process were not for any purpose for which the clinic and pharmacy were authorized to disclose the information to him, whether it was permitted or required by law is a matter I leave to the courts. I find that the spouse used the complainant’s personal health information in contravention of the Act by signing the “Authorization of Release of Records” form. Finally, the circumstances of the clinic’s disclosure lead me to conclude that it failed to take reasonable measures to protect the complainant’s information from unauthorized use or disclosure.

[141]  I wish to address the complainant’s request that I take into consideration the outcome of the CPSO proceedings in my determination of these complaints. The complainant drew my attention to the decision of a Discipline Committee of the CPSO, and provided me with two documents in relation to that decision. I asked the parties to address the question of whether I could rely on this material, in light of section 36(3) of the Regulated Health Professions Act, 1991. After reviewing their submissions, I find that the prohibition in that section prevents me from relying on the material provided by the complainant, and I have not taken account of it in any of my findings above.

[142]  Counsel for the spouse requests that I turn my mind to whether my receipt of these materials from the complainant raises a reasonable apprehension of bias. I am satisfied that the mere review of records whose admissibility is challenged creates no reasonable apprehension of bias preventing me from fairly determining these complaints.

ORDER:

For the foregoing reasons, and pursuant to section 61(1)(c) of the Act, I order the clinic to review and revise its Privacy Policy in light of the above comments, and train its agents on this policy.

Original Signed by:

February 9, 2018

Sherry Liang

Assistant Commissioner

[1] The Act also has broader application, for example to recipients of personal health information from health information custodians who are not themselves health information custodians, as set out in section 49. This becomes relevant to my analysis, below.

[2] See section 20(2) of the Act, and PHIPA Decision 35, 2016 CanLII 85807 (ON IPC), at paras. 19-24.

[3] The definition of “use” set out here is the version in force at the time of the events. It has since been amended.

[4] Although he does not elaborate on this, Exhibit “A” to his affidavit, a court decision, describes an incident of October 2012, involving an allegation by one of the children that the spouse (her father) had assaulted her. The CAS interviewed the child and concluded that the children were safe in the spouse’s care.

[5] The spouse’s signature (which is illegible) is on the part of the form where the patient would sign, and over top of a signature line stating “Signature of Patient”. This will become relevant below.

[6] See Decision 49.

[7] Section 20(2) of the Act.

[8] Although the physician refers in her submission to “letters”, the one before me is generically addressed and I will refer to one letter.

[9] See Decision 49.

[10] Circle of Care: Sharing Personal Health Information for Health-Care Purposes, August 2015, Information and Privacy Commissioner of Ontario, https://www.ipc.on.ca/wp-content/uploads/Resources/circle-of-care.pdf

[11] Health Information Custodians in the Province of Ontario Exemption Order, SOR/2005-399
