Health Information and Privacy

Decision Information

Summary:

A hospital responded to media requests for information about a deceased patient who had been the subject of a decision by the Health Professions Appeal and Review Board (HPARB). The patient’s family complained that the hospital’s statements to the media contravened the Personal Health Information Protection Act (the Act) by disclosing the patient’s health information without consent. The adjudicator decides that repetition of facts about the patient, when those facts are directly taken from the published decision of the HPARB, is not a disclosure under the Act. The adjudicator decides that some of the hospital’s statements went beyond the HPARB decision and were unauthorized disclosures. The hospital is directed to amend its policies to include a definition of personal health information.

Decision Content

Information and Privacy Commissioner of Ontario, Canada

PHIPA DECISION 82

HC15-64

Grand River Hospital

January 18, 2019

Statutes Considered: Personal Health Information Protection Act, 2004, SO 2004, c 3, Sched A, sections 2 (“disclose”), 4, 9(2), 10(1), 12(2) and 16(2).

Decision Considered: PHIPA Decision 44.

BACKGROUND:

[1]  This matter began with the death of an individual at the Grand River Hospital (the hospital), and a subsequent complaint by the family of the deceased individual (or the “patient”) to the College of Physicians and Surgeons of Ontario (CPSO) against the hospital’s Chief of Staff. The complaint led to a decision by the CPSO and then a further proceeding before, and decision by, the Health Professions Appeal and Review Board (HPARB).

[2]  The HPARB decision is publicly available. Among other things, it is on the website of the Canadian Legal Information Institute (CanLII), which publishes decisions of Canadian courts and tribunals. The published version of the HPARB decision contains the name of the hospital, and uses initials to identify the family member who made the complaint and the Chief of Staff.

[3]  The HPARB decision was critical of the conduct of the hospital’s Chief of Staff following the death of the patient. It also described elements of the care given to the patient by hospital staff that contributed to his death.

[4]  Months after release of the HPARB decision, members of the media contacted the hospital about the events described in the decision. The hospital issued a written statement to the press, and its representatives gave oral interviews to certain media outlets. In none of these communications with the media (with one exception which I describe below) did the hospital refer to the patient by name.

[5]  The family of the patient complained to the hospital that its press statements breached the Personal Health Information Protection Act (the Act) by disclosing his health information without consent.

[6]  The hospital reported the allegation of a privacy breach to this office. After it concluded its own investigation, it sent a letter to the family in response to the complaint. The hospital’s position was that in responding to the media requests about the HPARB decision, it did not disclose any information about the patient. The hospital acknowledged that, in one instance, a hospital official inadvertently repeated the name of the patient during an oral interview, after the interviewer used the patient’s name.

[7]  The family filed this complaint with the IPC alleging breaches of the Act by the hospital. The family also made a request under the Freedom of Information and Protection of Privacy Act (FIPPA) for records related to the events. That request also resulted in a proceeding before this office, which has been resolved separately.

[8]  A mediator from this office had discussions with the family’s representative and the hospital and gathered information about the events. As no resolution of the complaint was possible, it was referred to the adjudication stage of the process. I decided to conduct a review of the issues raised by the complaint and received written submissions from the parties. In the following, I refer to the family member who made this complaint, and the other family member acting as that person’s representative, collectively as “the complainant”.

[9]  During this review, the complainant also alleged that statements made by the hospital to officials with the Ministry of Health and Long-Term Care and the Local Health Integration Network, through dissemination of a “Briefing Note”, contained unauthorized disclosures of the patient’s health information. I will refer to all the oral and written communications with the media and these others collectively as the “public statements.”

DISCUSSION:

[10]  Generally speaking, the Act regulates the handling of personal health information by persons who are “health information custodians”. There is no dispute that the person who operates the hospital is a health information custodian and is subject to the requirements of the Act.

[11]  One of the purposes of the Act is to establish rules for the collection, use and disclosure of personal health information about individuals that protect the confidentiality of that information and the privacy of individuals, while facilitating the effective provision of health care. The Act achieves this purpose by, among other things, requiring that collections, uses and disclosures of personal health information occur with the consent of the individual to whom the information relates, unless the Act permits or requires those without consent.

[12]  In this complaint, the key issues are whether some information in the hospital’s public statements was “personal health information” of the patient, and whether the hospital “disclosed” that information without authority under the Act. At a broader level, this complaint raises the issue of whether the Act prohibits a health information custodian from referencing facts specifically contained in a public court or tribunal decision, where those facts relate to a patient of the custodian.

Was the information in the hospital’s public statements “personal health information”?

[13]  The Act defines “personal health information” as follows:

4. (1) In this Act,

“personal health information”, subject to subsections (3) and (4), means identifying information about an individual in oral or recorded form, if the information,

(a) relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family,

(b) relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual,

(c) is a plan of service within the meaning of the Home Care and Community Services Act, 1994 for the individual,

(d) relates to payments or eligibility for health care, or eligibility for coverage for health care, in respect of the individual,

(e) relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such body part or bodily substance,

(f) is the individual’s health number, or

(g) identifies an individual’s substitute decision-maker.

(2) In this section,

“identifying information” means information that identifies an individual or for which it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify an individual.

(3) Personal health information includes identifying information that is not personal health information described in subsection (1) but that is contained in a record that contains personal health information described in that subsection.

(4) Personal health information does not include identifying information contained in a record that is in the custody or under the control of a health information custodian if,

(a) the identifying information contained in the record relates primarily to one or more employees or other agents of the custodian; and

(b) the record is maintained primarily for a purpose other than the provision of health care or assistance in providing health care to the employees or other agents.

[14]  As set out in the above definition, information about a patient is “personal health information” only if it is “identifying information”. That is, the information in itself identifies the patient (for instance by using the name), or it is reasonably foreseeable that the patient could be identified. The privacy protections in the Act do not apply to information that cannot be associated with an identifiable patient.

[15]  An important threshold issue raised by this complaint is whether the information in the public statements was “identifying information” about the patient.

[16]  As described above, when contacted by members of the media about the HPARB decision, the hospital issued a written statement, and certain hospital representatives gave oral interviews to media outlets. The written statement referred to the medical event underlying the HPARB decision and the hospital’s actions in response to the event, described the decisions of the CPSO and the HPARB and contained an apology. The hospital described some of the changes it was in the process of making in response to the incidents.  In oral interviews, the hospital’s representative also referred to the care given to the patient, and his state of health before death.

[17]  Initial news reports referred to information in the hospital’s statement without naming the patient. About a week after the initial reports appeared, a lengthy news report identified the patient by name and contained considerable detail about the events as well as an interview with the complainant (the “identifying news report”).  This news report was very critical of the hospital.

[18]  In the identifying news report, and afterwards, hospital representatives gave additional statements. The hospital referred to and apologized for the medical error, and described the steps it was taking to prevent a re-occurrence. It acknowledged shortcomings in its communications with the family.

[19]  In addition to the communications with the media, and a few days after it was contacted by the media about the HPARB decision, the hospital sent a “Briefing Note” to officials at the Ministry of Health and the Local Health Integration Network to advise them of the potential publicity about that decision. In the Briefing Note, the hospital refers to the patient, without naming him, and the events forming the basis of the HPARB decision.

Hospital’s representations

[20]  The hospital submits that until the complainant spoke with the media in the identifying news report, the patient had not been named in any of the media reports on the issue. The hospital submits that its statements (written and oral) to the media did not violate patient privacy and, specifically, the provisions of the Act, because:

  • it only repeated information that was already in the public domain through the HPARB decision; and
  • it did not refer to the patient by name and without the name no one without special knowledge could identify him from the hospital’s statements.

[21]  The hospital takes the position that the information it gave to the media was not personal health information of the patient because it was not “identifying information” within the meaning of section 4(2) of the definition of “personal health information” under the Act. Among other things, it submits that it did not believe that the public information in the HPARB decision could be reasonably linked to other public information to identify the patient to anyone except those with knowledge of the matter, either because of their relationship to the patient or their role at the hospital.

[22]  The hospital acknowledges one instance in which its CEO, in a radio interview, referred to the patient by name, after the interviewer used the name. This interview occurred days after the patient was publicly identified in the identifying news report. The hospital states the repetition of the patient’s name in this interview was inadvertent.

[23]  The hospital also suggests that in referring to the patient’s state of health, it employed a generic term used in medical journals and presentations, which can describe a large pool of hospital patients. It submits that this information was also a summary of more detailed information provided in the HPARB decision.

[24]  The hospital submits that its public statements were intended to reassure the public that it was safe to seek health care at the hospital. Characterization of the information as “personal health information” would prohibit a health care provider from acting to address matters of public concern. It states that it had an obligation in the circumstances to ensure that the public understood that it had identified and acknowledged shortcomings in its processes and taken steps to address them, to enhance patient safety. The media was calling for transparency on the part of the hospital regarding matters of public interest and public safety, and it had an obligation to respond.

[25]  The hospital states that it is crucial to understand that the hospital did not initiate the public discussion of the patient’s case. Rather, it responded to serious allegations, balancing a public need to know with patient privacy through the use of non-identifying information. It submits that its focus was on addressing media coverage that raised concerns without adequately reporting on the changes made to address those concerns.

[26]  In sum, the hospital submits that none of the information released by it, before or after the identifying news report (with the exception of information identifying the patient in one radio interview) constitutes “personal health information.”

Complainant’s representations

[27]  The complainant submits that the information disclosed by the hospital was the personal health information of the patient. He states that the HPARB decision contained enough biographical information to identify the patient. He submits that one journalist was able to determine the identity of the patient within a matter of days after learning of the HPARB decision, without assistance from him. This journalist contacted him and wrote the identifying news report in which the complainant is interviewed. The complainant states that the ease with which this reporter was able to identify the patient demonstrates that this should have been foreseeable to the hospital.

[28]  The complainant includes with his representations a copy of the email from the reporter confirming that she used the date of death, age and sex of the patient, all of which came from the HPARB decision, to locate the death notice identifying the patient.

Analysis

[29]  There is no dispute that if the information in the public statements is identifiable, it meets the definition of “personal health information” under the Act. In referring to the care given to the patient, for instance, the information would fall within sections 4(1)(a) (“physical health”) and (b) (“providing of health care”) of the definition of personal health information under the Act.

[30]  The hospital’s submission is that it did not disclose any personal health information because, without a name, the information could not be linked with an identifiable patient. This was a misconception. The hospital erred in inadequately assessing whether it was reasonably foreseeable that the information in its public statements could be combined with other readily available information to identify the patient it was discussing.

[31]  In this case, the HPARB decision was a public source of information about the unnamed patient. It gives his age, the date of his death and his gender, among other things. It also identifies the hospital. The death notice for the patient was another public source of information about him. I find it reasonably foreseeable that a member of the public could use information in the HPARB decision and the death notice to identify the patient discussed in the hospital’s statements.

[32]  Indeed, my conclusion is supported by an actual, and not just a reasonably foreseeable, outcome. In this case, the evidence is that a reporter used information in the HPARB decision to find the patient’s death notice. The steps the reporter took required no particular expertise or special knowledge.

[33]  I agree with the hospital that the test is not whether someone with special knowledge could identify the patient. Clearly, the family members of the patient could readily identify the patient discussed in the news reports, because of their knowledge of the circumstances. Rather, the test is whether it is reasonably foreseeable, in the circumstances, that others without that special knowledge could identify the patient by combining the information provided by the hospital with other available information. In these circumstances, it was both reasonably foreseeable and it actually occurred.

[34]  To be clear, my finding is not that the hospital’s statements (apart from the radio interview in which its official repeated the patient’s name) in themselves identify the patient. My conclusion is that, regardless of the fact that they did not name the patient, those statements were about a person whom members of the public could reasonably identify. Any information about the physical health or care given to that patient is therefore “personal health information” within the meaning of the Act.

[35]  I have considered the relevance of the hospital’s assertion that none of the information it gave to the media went beyond information found in the HPARB decision. I conclude that, even if this were true, it does not change the characterization of this information as personal health information.  Nothing in the definition of “personal health information” excludes information that is already known to the public. However, as noted below, I do find that where the hospital only gave, to the media or others, information that was specifically contained in the public HPARB decision, the Act should not be interpreted to prevent this.

[36]  It is apparent that the hospital relied too heavily on the fact that the patient was not named in the HPARB decision or in public statements, up until the identifying news report. The assumption that information about an unnamed patient cannot be that patient’s “personal health information” within the meaning of the Act is a fundamental misconception about the nature of personal health information. Such an assumption, if held throughout the hospital organization, could undermine the hospital’s efforts to protect patient privacy. I will return to this issue below, when I discuss the hospital’s policies.

Did the hospital “disclose” the personal health information of the patient and does the Act prohibit this?

[37]  Section 2 of the Act provides the following definition of “disclose”:

“disclose”, in relation to personal health information in the custody or under the control of a health information custodian or a person, means to make the information available or to release it to another health information custodian or to another person, but does not include to use the information, and “disclosure” has a corresponding meaning;

[38]  As described above, the hospital’s primary position is that the patient was not identifiable and therefore its statements concerning the circumstances did not disclose personal health information of the patient.

[39]  In addition to the arguments I have summarized above, the hospital also states that the media was calling for transparency on the part of the hospital regarding matters of public interest and public safety. It suggests that if its actions constitute a breach of patient privacy, health care providers would be prohibited from addressing serious allegations and concerns when the public is asking for a response in order to make decisions on access to health care.

[40]  The hospital submits that it is crucial to the understanding of this complaint that the hospital did not initiate the public discussion of the patient’s case. It responded to serious allegations, balancing a public need to know with patient privacy through the use of non-identifying information. It states that it released no information about the patient that was not already in the public domain and its focus was not on patient information, but rather on the changes it had made.

[41]  As described above, after the complainant approached the hospital with his complaint about the media communications, the hospital reported a potential privacy breach to the IPC. The hospital also asked the IPC for advice on addressing the media inquiries. In responding to the hospital’s request for advice, an analyst from the IPC noted her understanding that the information the hospital discussed with the media had either already been printed in the media, or was in the HPARB decision. The analyst stated her view that the discussion of the patient’s case with the media was arguably a “disclosure” within the meaning of the Act, without authority under the Act. The analyst also indicated that this advice did not bind the IPC in the event of a complaint.

[42]  During this review, the complainant made lengthy submissions to the IPC on the issue of disclosure, much of which was a response to the hospital’s submissions. The crux of his position is that the hospital deliberately disclosed the personal health information of the patient to support a deceitful attempt to avoid responsibility for its actions. He submits that the hospital disclosed the patient’s information to the media numerous times in breach of the Act. The complainant asserts that the decision to disclose the information to the media resulted in potentially thousands of breaches, in that a separate breach occurred for each individual receiving the information through the media.

[43]  The complainant disputes the hospital’s explanations regarding its rationale for speaking to the press. Although he does not dispute that a health care provider may inform the media and the public about process improvements, he submits that, in this case, the hospital’s disclosures were part of a “media relations campaign to dispel legitimate well documented concerns about the hospital’s actions.” He asserts, contrary to the hospital’s position, that the primary focus of the hospital’s communications with the media was not about process improvements, but about the circumstances of this patient’s care.

Analysis

[44]  I will first turn to the most pointed question that arises from this case, which is whether it is an unauthorized disclosure under the Act for a health information custodian to publicly discuss information of a former patient, when that information is already legitimately in the public domain. Having set out this question, I will consider it in the context of the specific facts before me. I do not intend to discuss it in general terms, given the myriad situations in which this issue could arise. There may well be different considerations depending on the particular context and I do not wish to make broad findings that could be applied to unanticipated circumstances.

[45]  My analysis begins by recognizing the modern approach to statutory interpretation as articulated by Ruth Sullivan in Sullivan on the Construction of Statutes, [1] and adopted by the Supreme Court of Canada in Re Rizzo & Rizzo Shoes Limited, [2] which provides:

Today there is only one principle or approach, namely, the words of an Act are to be read in their entire context, in their grammatical and ordinary sense harmoniously with the scheme of the Act, the object of the Act, and the intention of Parliament.

[46]  The definition of “disclose” in the Act, as quoted above, refers to a health information custodian (or other person) making personal health information in its custody or under its control available or releasing it to another person. In the context of the Act as a whole, the plain purpose of this definition is to facilitate the broader regulation of how health information custodians (and, in narrow circumstances, other persons) provide personal health information in their custody or control to other organizations or individuals. Yet, how does this definition apply to information that is already plainly and legitimately publicly available via a court or tribunal decision? Is a health information custodian (in this case, the hospital) prohibited from referencing publicly available facts and evidence contained in a court or tribunal decision, where they relate to a patient of the custodian and constitute “personal health information” for the purposes of the Act?

[47]  In my view, the specific words employed in the Act provide no clear answer to this question. To begin with, the definition of “disclose” applies to information in a health information custodian’s “custody or control”. Where personal health information has been legitimately made publicly available by a court or tribunal decision, it is not apparent to me that a health information custodian is making available or releasing information in its custody or control when it references the personal health information contained in the decision.

[48]  On the one hand, the Act does not explicitly distinguish between personal health information that is already publicly available and personal health information that is not. On the other hand, the provisions of the Act make clear that it is not intended to serve as a barrier to the gathering of information in connection with legal proceedings. In this respect, sections 9(2)(c) and (d) provide:

(2) Nothing in this Act shall be construed to interfere with,

(c) the law of evidence or information otherwise available by law to a party or a witness in a proceeding;

(d) the power of a court or a tribunal to compel a witness to testify or to compel the production of a document;

[49]  While the above provisions are not directly applicable to the issue in this case, they nonetheless indicate that the Act is not intended to govern personal health information in the hands of courts or tribunals.

[50]  Furthermore, while, generally speaking, the parties to legal proceedings are the source of the evidence put before the decision-maker, it is the role and duty of a court or tribunal to consider the evidence put before it and, where applicable, make findings of fact based on that evidence. Those facts, in turn, become part of the court or tribunal’s reasons, given to explain its findings. In this context, it is arguable that the facts a court or tribunal chooses to include in its reasons are not in the “custody or control” of the parties. In the case before me, it is arguable that the facts in the HPARB decision about the patient are not in the “custody or control” of the hospital.

[51]  I note that the information at issue in this case is contained in a decision of the HPARB, a quasi-judicial tribunal. The HPARB is a tribunal established by statute, acts under authority given to it under the Regulated Health Professions Act, and is subject to common-law and statutory duties of fairness and due process. The HPARB has the duty and authority to make binding decisions on the questions brought before it, and to issue public reasons explaining its decisions. In many respects, the HPARB’s role and responsibilities, albeit in the exercise of statutory powers, are similar to those of the courts.

[52]  If the Act were interpreted to prohibit public repetition of the facts in the HPARB decision, such an interpretation would also extend to court decisions. A glance at court decisions available on CanLII reveals that there are many cases in Ontario and other jurisdictions which arise out of care provided by medical professionals at hospitals to patients. In many of these, the patients are identified. It would surely come as a surprise to many people if hospitals which were parties to such decisions were unable to discuss them, if in doing so they refer to the facts about their patients, contained in these decisions.

[53]  A hospital may wish to address issues of interest to the broader public arising out of a court or tribunal decision. In this case, the complainant does not dispute the hospital’s ability to address systemic issues and improvements in the hospital’s processes as a result of the HPARB decision. Yet, it may be difficult to address those systemic issues without referring at all to the particular facts of the case, as contained in the decision. I do not believe that the policy reasons for the privacy rules in the Act require a prohibition on references to facts and evidence specifically contained in such a decision.

[54]  In considering how the Act should apply to discussion of information contained in tribunal and court decisions, I find I should also have regard to the open court principle, which has been described as “one of the hallmarks of a democratic society”. [3] No one argued before me that the provisions of the Act restrict courts and tribunals in the dissemination of personal health information in their decisions. The Act does not purport to regulate a court or tribunal’s collection, use and disclosure of personal health information (including in its decisions).

[55]  Indeed, in a recent Privacy Complaint Report, PC17-9, this office found that disclosure of personal information in a public decision of a quasi-judicial tribunal is subject to the “open court” principle, and is not governed by the privacy rules covering provincial agencies. In that report, the IPC described the policies underlying the open court principle, and the role of publication of court and tribunal decisions in supporting that principle. In the case of the tribunal discussed in the report, the IPC stated that its decisions

are of vital interest to parties, party representatives and members of the public who are considering filing an application, but also to the general community who wish to understand how the Tribunal does its work. The publication of its decisions supports public confidence in the justice system, serves an educational purpose, promotes accountability by the Tribunal for its decision-making, and ensures that the public has the information necessary to exercise the Charter right to freedom of expression.

[56]  While the present case does not directly deal with a court or tribunal’s dissemination of decisions, it addresses the ability of health information custodians to publicly refer to facts and evidence specifically contained in public decisions of courts or tribunals.

[57]  Having regard to the broader public context described above and, in particular, the nature of legal proceedings and the role of courts and tribunals, I conclude that where there is doubt, the Act should not be interpreted to prohibit repetition of facts and evidence in public court or tribunal decisions. Returning to the definition of “disclose” in section 2 of the Act, I find that the facts contained in the HPARB decision are not in the “custody or control” of the hospital. Repetition of those facts does not amount to a “disclosure” within the meaning of the Act and is thus not governed by the restrictions on disclosure of personal health information.

[58]  Above, I found that the hospital was wrong in assuming that the patient was not reasonably identifiable, in the period before the identifying news report. I concluded that its public statements contained personal health information of an identifiable patient. However, for the reasons stated above, I conclude that the statements did not contravene the Act where the information in them was specifically contained in the public HPARB decision.

[59]  I reach the same conclusion regarding the hospital’s communications about the patient following his identification in the identifying news report. Both before and after the identifying news report, the information the hospital provided to the media was about an identifiable patient. To the extent that the information was a repetition of information found in the HPARB decision, I find there was no contravention of the Act.

[60]  I recognize that my determination may be inconsistent with statements made to the hospital by the IPC analyst, as described above. As the analyst states in her letter, her comments are not binding. The letter does not amount to an authoritative disposition of the issues following a review under the Act. I therefore do not place any weight on the opinions expressed in that letter.

[61]  There are three exceptions to my findings above that the hospital did not disclose the patient’s health information. Two of these involve statements attributed to a hospital representative. In one news broadcast, a reporter purports to quote a hospital representative’s description of the patient’s general state of health. In another news article, a different reporter also purports to quote the same representative, referring again to the patient’s general state of health. The hospital submits that the phrases in question are generic, not sensitive, and are applicable to many elderly patients. It also suggests that they are no more than a summary of information from that decision.

[62]  Assuming these quotes accurately reflect what the representative told these journalists (and the hospital does not deny they do), the phrases are not taken directly from statements in the HPARB decision. I have reviewed the HPARB decision and I find that while the phrases may well apply to many elderly patients, they nonetheless described this patient’s physical health using words that were not the same as those in the HPARB decision. I therefore find that, on these two occasions, the hospital disclosed personal health information of the patient, although it did not believe, at the time of these news reports, that the patient was identifiable.

[63]  Although these were disclosures of personal health information, I note that they amounted to broad statements about the state of health of the patient, without any detail as to any specific condition, diagnosis or medical care.

[64]  In addition, the hospital’s repetition (albeit inadvertent) of the patient’s name, in the radio interview, also amounts to a disclosure of his personal health information, in that it served to confirm the identity of the patient who had, in the HPARB decision, been referred to only by his initials.

[65]  In his submissions, the complainant relies on Investigation Report I95-024M, decided under the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA). In that Investigation Report, this office considered an institution’s argument that its disclosure of information about legal proceedings brought by a complainant was permitted under MFIPPA. The IPC rejected the institution’s argument that the information was already publicly available, and that the complainant consented to the disclosure.

[66]  I am satisfied that the facts and statutory provisions at issue in the above Report were quite different from those under consideration in this complaint. The case did not involve discussion of facts in a court or tribunal decision but, rather, facts in legal pleadings. I therefore do not find the above Investigation Report helpful in my determination of this complaint.

[67]  Before I conclude this section, I note that the complainant also requests that I review the records at issue in his related request under FIPPA, to determine whether they support findings of additional unauthorized disclosures. As background, after he appealed the hospital’s decision in response to his request, and following my order in that appeal, the complainant received unredacted copies of all the records remaining at issue. He has not raised any additional issues based on his review of those records and, on my own consideration of the records, I am satisfied they do not raise issues beyond the existing scope of my review.

[68]  Finally, I observe that it is apparent from the information before me that the news coverage of the HPARB decision, and the hospital’s statements to the media about the events, took the patient’s family by surprise. As I describe above, the media only approached the hospital about the HPARB decision a number of months after it was issued. It appears that neither the media nor the hospital informed the family in advance of the impending publicity about these events. From the family’s perspective, therefore, it appears that publication of the hospital’s statements about the patient came as a shock.

[69]  I found above that, with specific exceptions, the hospital’s actions did not amount to disclosures within the meaning of the Act. The hospital was not required to seek consent when referring to information in the HPARB decision. However, the facts of this complaint demonstrate clearly the hazards of the hospital’s approach to these media inquiries. Ultimately, the hospital may wish to consider whether it could have notified the patient’s family of its media statement.

Did the hospital comply with its obligation to give notice under sections 12(2) and 16(2)?

[70]  Section 12(2) of the Act requires a health information custodian to notify individuals of a breach of privacy relating to their health information. At the time of the events, this section read:

Subject to subsection (3), and subject to the exceptions and additional requirements, if any, that are prescribed, a health information custodian that has custody or control of personal health information about an individual shall notify the individual at the first reasonable opportunity if the information is stolen, lost or accessed by unauthorized persons.

[71]  Although this section was amended in 2016, the changes do not affect the issues in this complaint.

[72]  Section 16(2)(a) speaks to notice of deviations from a custodian’s public statement of its information practices:

If a health information custodian uses or discloses personal health information about an individual, without the individual’s consent, in a manner that is outside the scope of the custodian’s description of its information practices under clause (1) (a), the custodian shall,

(a) inform the individual of the uses and disclosures at the first reasonable opportunity unless, under section 52, the individual does not have a right of access to a record of the information;

[73]  The complainant alleges that the hospital failed to comply with its obligations under these sections. He alleges that the hospital disclosed the patient’s personal health information without consent or authority under the Act. He contends, in addition, that the disclosure was contrary to the hospital’s own public statement of its information practices, which he provided with his submissions. He states that, to this date, the hospital has not provided the required notifications under these provisions.

[74]  The complainant takes the position that the hospital knew it had disclosed personal health information and is now “feigning ignorance” or else had constructive knowledge, was reckless or wilfully blind.

[75]  The hospital submits that notice under section 12(2) is only required where the hospital has determined there is an unauthorized disclosure. Further, it states that it investigated the matter and provided notice to the complainant at the conclusion of its investigation.

Analysis

[76]  As described above, when the complainant became aware of the media reports about the HPARB decision, he complained to the hospital, taking the position that it had unlawfully disclosed the patient’s personal health information. He also took the position at the outset that the hospital was required to give notice to the family of a privacy breach.

[77]  After conducting an investigation, which included a review of the media reports and an audit of the patient’s electronic health record, the hospital’s Chief Privacy Officer wrote to the complainant setting out her response to the complaint. Among other things, the letter attached a summary of all the hospital’s communications with the media about the HPARB decision.

[78]  The Chief Privacy Officer provided her assessment that until the identifying news report, it was not reasonably foreseeable that any information in the hospital’s media statements could be associated with the patient. This information was thus not, in her view, personal health information and the hospital’s statements did not disclose any such information. In this letter, the hospital acknowledged that in one interview, the hospital’s representative inadvertently used the name of the patient after the reporter used it. The hospital gave the date and the media outlet to which this statement was given. The letter included the IPC’s contact information and advised the complainant that the hospital had notified the IPC of its findings.

[79]  The Chief Privacy Officer also stated that the complainant had made serious allegations in the identifying news report that it had reason to believe would cause patients to be fearful of receiving care at the hospital. She indicated that the hospital’s responses to media inquiries focused on changes made to its processes in response to the events. The hospital’s intent was to demonstrate to patients and the general public that it had addressed the issues that gave rise to the allegations in the media.

[80]  I find that this letter from the Chief Privacy Officer to the complainant fulfilled the hospital’s obligations under section 12(2) of the Act. It set out all the instances in which it had communicated with the media. It served the purpose of providing the complainant with the results of its investigation into his allegations. It informed him of its conclusions that in one radio interview, the hospital used the patient’s name, but that other media statements did not disclose personal health information. The complainant clearly and vigorously disagreed with the hospital’s conclusions, but it cannot be said that he was not informed of them. He was aware of the hospital’s communications with the media and he was aware of the circumstances that supported his complaint to this office.

[81]  Although the complainant alleges a failure to provide notice under the Act, it is apparent that his core concern was the hospital’s conclusions that its media statements did not disclose personal health information. The alleged failure was that, with one exception, the hospital did not believe a breach had occurred.

[82]  Even though I have concluded that the hospital was wrong in its assessment that the patient was not identifiable, and found two instances (in addition to the one which the hospital acknowledged) in which it disclosed personal health information, it would serve no purpose to order the hospital to give notice of these two instances. The hospital’s failure was not a lack of notice, but rather, an incorrect assessment of the merits of the privacy complaint.

[83]  For the same reasons, I arrive at the same finding with respect to section 16(2)(a). The hospital’s letter to the complainant set out the facts of the alleged privacy breaches and its response to the complaint. The fact that the hospital did not recognize it had departed from its written public statement of its information practices does not lead me to find a failure of notice under section 16(2)(a).

[84]  Finally, the evidence does not support the complainant’s assertions regarding feigned ignorance or wilful blindness.

Did the hospital have and comply with information practices in accordance with sections 10(1) and (2) of the Act?

[85]  Section 10(1) of the Act provides as follows:

A health information custodian that has custody or control of personal health information shall have in place information practices that comply with the requirements of this Act and its regulations.

[86]  Section 10(2) of the Act requires a health information custodian to comply with its information practices.

[87]  Information practices are defined in section 2 of the Act to mean “the policy of the custodian for actions in relation to personal health information.” The definition refers to “when, how and the purposes for which the health information custodian routinely collects, uses, modifies, discloses, retains or disposes of personal health information” and “the administrative, technical and physical safeguards and practices that the custodian maintains with respect to the information.”

[88]  The hospital submits that it had written policies meeting the requirements of the Act. The hospital acknowledges that its investigation of the complaint revealed issues with its “policy management” in that a program of policy review, initiated in 2011, was under resourced and led to policies not being reviewed, amended, retired or created quickly enough. The hospital states that it has in excess of 1,000 policies.

[89]  During the course of the complaint, it revised or replaced the specific policies it identified as relevant to the complaint. It also states that, with respect to some matters, identifying the applicable policy was not simple.

[90]  In his submissions, the complainant alleges that the policies the hospital provided in its response to this complaint are extremely limited in scope. He states that without the hospital’s full policy umbrella, the IPC is unable to properly adjudicate the issue of whether the hospital violated section 10(2) of the Act, by failing to comply with its information practices at the time of the events at issue in this complaint.

[91]  The complainant further submits that the hospital has deliberately withheld relevant policies to deceive the IPC, relying on a number of exchanges between himself, the hospital, and the IPC mediator. He asks the IPC to exercise its authority to order the hospital to provide its “whole policy umbrella” in order for the IPC to ensure that the hospital complies with sections 10(1) and (2) of the Act.

[92]  In response to this, the hospital asserts that it provided the policies it used at the applicable times, in response to what it understood the IPC was requesting. It did not provide every hospital policy but those it referred to at the applicable times. The hospital also states that while it had a draft media relations policy at the time of the events, it did not rely on it during its investigation of the complaint.

Analysis

[93]  Previous decisions under the Act have reviewed information practices of other health information custodians and found them deficient. One of the themes in some decisions is that policies that are unclear or confusing, and which leave staff with uncertain guidance about their obligations under the Act, fall short of the requirements in section 10(1). [4]

[94]  The facts of this case reveal much confusion about the applicable policies. I attribute part of this to the existence of multiple overlapping policies, which in turn is related to the hospital’s multi-year-long process of amending its policies. This created confusion about which policies were in place at what time, which documents were “policies”, parts of other policies, or draft policies. Contrary to the complainant’s submissions, my review of the complaint and the information and clarifications sought and received does not lead me to find any deliberate deception on the part of hospital staff about its policies, but rather a lack of precision and consistent language.

[95]  A commonality in the hospital’s policies, based on the rules in the Act, is a focus on obtaining consent of a patient for disclosures of the patient’s information. The policies speak to the circumstances when consent is or is not necessary to a disclosure. The underlying assumption in the policies is that they govern health information of known, named patients. The hospital’s draft policy on communications with the media, for example, provides guidance by referring to certain situations when the media is interested in information about an identified patient.

[96]  The hospital indicates in its submissions that it did not consult its policy on media relations in investigating this complaint. It is evident that it assumed the policy did not apply since it was not (in its view) discussing health information of a named patient, as addressed in that policy.

[97]  From the above, I conclude that a gap exists in the hospital’s policies, in that they fail to address the possibility that personal health information can be disclosed even when a patient is not named. The hospital conducted itself throughout as though the absence of a name allowed it to refer to the patient’s health information in its statements to the media and others. Although I have ultimately concluded that most of its communications were not disclosures within the meaning of the Act, I found that the hospital disclosed the patient’s personal health information on several occasions. On two of these occasions, the hospital provided more information about the patient than was set out in the HPARB decision. On these occasions, the hospital wrongly assumed that avoiding the use of the patient’s name meant that the information it provided was therefore not about an identifiable patient.

[98]  I also conclude that, however well-intentioned the hospital’s efforts to review its policies, the length of time taken to complete the effort resulted in confusion about which policy or policies applied to the circumstances of this complaint. This is demonstrated by the multiple exchanges between the complainant, the mediator and the hospital about the hospital’s policies.

[99]  As described above, the complainant wishes the IPC to order the hospital to produce all of its policies, in the belief that it has hidden some which are relevant to this complaint. I do not find it necessary to take this step. On my review of the material before me, I am satisfied that the hospital ultimately produced the ones relevant to this review.

[100]  I find that the hospital fell short of the requirements of section 10(1) of the Act, in two ways. Its policies do not contain a definition of “personal health information” that serves to inform staff that information about a patient, even without a name, can be identifying information within the meaning of the Act. Second, the existence of multiple and overlapping policies created confusion and a lack of clarity for staff about their obligations under the Act.

[101]  The hospital has already taken steps to remedy the confusion about its policies. It has accelerated its review and rationalization of all hospital policies, prioritizing policies that relate to personal health information. By the time it provided its submissions in this review, it had replaced the most pertinent policy, concerning media relations.

[102]  Even this policy, however, does not contain a definition of personal health information that addresses the first deficiency indicated above. For this reason, I find it appropriate to order the hospital to ensure that its relevant policies clarify that information about a patient need not contain a name in order for that information to be “personal health information” within the meaning of the Act. The hospital must ensure that its staff understand this.

[103]  I find it unnecessary to make any findings under section 10(2). As I have described above, the issues with respect to the hospital’s policies stem from an inadequate articulation of the meaning of “personal health information.” It would serve no purpose to consider whether the hospital did, or did not, comply with deficient policies.

Did the hospital respond appropriately to the complaint of unauthorized disclosure of personal health information?

[104]  The complainant alleges that the hospital’s investigation of his complaints reached self-serving conclusions, failed to consider relevant hospital policies, engaged in repeated attempts to hide the existence of relevant policies, and misled its own counsel. His extensive submissions describe communications between himself, the hospital, and the IPC, in support of his contention of deliberate wrongdoing by the hospital during the course of responding to his complaint.

[105]  The complainant also suggests that the decision to conduct an audit was part of a deliberate attempt to misconstrue his complaint.

[106]  The complainant requests that the IPC exercise its authority to demand the production of documents to determine who provided the hospital’s counsel with false information, as well as to provide the IPC with all relevant policies, which it has failed thus far to do.

[107]  The hospital’s submissions describe the steps it took to respond to the complainant. It states that it began by collecting the relevant media materials. It notified the IPC of the complaint. The hospital decided to audit accesses to the patient’s electronic health record over a period of five years, up to the date of the audit. The hospital explained that an audit is a standard step in its investigation of a privacy breach complaint.

[108]  Following all of the media communications at issue, the hospital requested advice from the IPC about the issues raised by the complaint, and advised the complainant of this. As described above, an analyst from the IPC responded to the hospital, providing a non-binding assessment.

[109]  In its investigation, the hospital concluded that most of the media communications did not identify the patient, with the exception of the radio interview in which the patient’s name was used by the interviewer initially, and then confirmed by the hospital spokesperson. It also reviewed the audit results and concluded that there were no unauthorized accesses to the patient’s information. As described above, the hospital’s Chief Privacy Officer informed the complainant of her conclusions, by letter.

[110]  The complainant alleges that, in asking the IPC’s analyst for advice, the hospital gave false information to the IPC, in that it describes the information it discussed with the media as being limited to what was documented in the HPARB. He states that this was either a deliberate deception or the result of an incompetent investigation of his complaint. The complainant also states that the hospital’s eventual conclusion about whether there had been a breach ignored the IPC’s advice, was self-serving, and was not supported by the facts.

Analysis

[111]  In PHIPA Decision 44, I observed that a hospital’s responsibility to investigate and respond to a privacy complaint arises from its obligations under section 12 of the Act. The duty to take reasonable steps to ensure that personal health information in a hospital’s custody or control is protected against theft, loss and unauthorized use or disclosure includes a duty to respond adequately to a complaint of a privacy breach. A proper response will, amongst other things, help to ensure that the breach, if any, is contained, and will not re-occur. The standard in section 12 is “reasonableness”. It does not require perfection, and the section does not provide a detailed prescription for what is reasonable.

[112]  In this case, in response to the complaint, the hospital’s Chief Privacy Officer gathered all the statements it had made to the media and analyzed them. In addition, the hospital requested and analyzed an audio clip and transcript of a radio interview. The hospital also reported the complaint to the IPC. As part of its investigation, the hospital conducted an audit of the patient’s electronic medical record. It is not clear to me that the investigation of this complaint required such an audit. The complaint was about disclosure of information to external parties, and not accesses to the electronic medical record. However, there is no evidence that the hospital’s decision to conduct the audit was made in bad faith or as part of a deliberate attempt to obfuscate the complaint, as suggested by the complainant.

[113]  In its written response to the complainant, the hospital provided the complainant with the results of its investigation and audit, and reasons for its conclusion that it had not released any personal health information to the media. The hospital acknowledged that, in one instance, it referred to the patient by name in a radio interview.

[114]  Considering all of the above, I find that the hospital’s response to the complaint met the requirements of section 12. Although the hospital’s response to the complaint does not accord with some of my findings in this decision, being incorrect in its conclusions does not itself amount to a contravention of the Act.

[115]  I find no basis for concluding that the hospital provided its own counsel with any false information, or failed to provide the IPC with all relevant policies. As I have stated elsewhere in this decision, I attribute the confusion about the policies to a lack of precision and consistent language, and not any deliberate deception.

[116]  In sum, I do not find the hospital’s response to the complaint to have fallen short of the duties imposed by section 12 of the Act.

Offences under the Act

[117]  The complainant requests that I comment on whether the actions of the hospital and its employees are capable of constituting offences under the Act. He acknowledges that the IPC has no jurisdiction to conduct the trial of a provincial offence. He states, however, that the IPC does have jurisdiction to provide guidance to the public and health information custodians regarding how the Act should be interpreted.

[118]  I decline to provide the comments requested by the complainant. It would be inappropriate for me to provide such an opinion as part of my adjudication of this complaint. This would usurp the role of the courts and call on me to pronounce on a question for which this office has been granted no decision-making authority, based on evidence that has been submitted without the usual procedural protections accompanying a quasi-criminal proceeding, and without a police investigation.

ORDER:

For the foregoing reasons, I issue the following order:

I direct the hospital to amend its policies on the disclosure of patient information to include a definition of “personal health information.” This definition should make it clear that such information includes information about unnamed patients, if it is reasonably foreseeable that they could be identified by members of the public.

Original Signed by:

Sherry Liang
Assistant Commissioner

January 18, 2019



[1] 6th ed. (Markham: LexisNexis Canada Inc., 2014) at p. 7

[2] 1998 CanLII 837 (SCC), [1998] 1 S.C.R. 27 at para. 21

[3] Endean v. British Columbia, [2016] 2 SCR 162, 2016 SCC 42 (CanLII) at para. 66, quoting Canadian Broadcasting Corp. v. New Brunswick (Attorney General), [1996] 3 S.C.R. 480 at para 22, quoting Re Southam Inc. and The Queen (No. 1) (1983), 41 O.R. (2d) 113 (C.A.), at p. 119.

[4] See, for instance, Order HO-008.
