Health Information and Privacy

Decision Information

Summary:

The decision deals with a complaint made to this office under the Personal Health Information Protection Act (the Act) about Mackenzie Health (the hospital). In particular, the complainant alleges that the hospital did not respond to her access request in accordance with section 54 of the Act, the records she received from the hospital were not responsive to her request, and the hospital used and disclosed her personal health information in contravention of the Act. In this decision, the adjudicator finds that the hospital responded to the complainant’s request for access to audits of her records of personal health information under section 54 of the Act, the records disclosed to the complainant were responsive to the access request, the complainant’s personal health information was used in accordance with section 20(2) of the Act, and the complainant’s personal health information was not improperly disclosed by the hospital. No order is issued and the complaint is dismissed.

Decision Content

Information and Privacy Commissioner of Ontario, Canada

PHIPA DECISION 84

HC15-99

Mackenzie Health

January 24, 2019

Statutes Considered: Personal Health Information Protection Act, 2004, sections 2 (definition of agent, disclose and use), 17, 19, 20(2), 29, 52(1), 53 and 54.

Decisions Considered: PHIPA Decisions 35 and 44.

Background:

[1]  An individual was a patient at Mackenzie Health (the hospital) and received health care from a number of individuals, including a physician who had privileges at the hospital, as well as a private practice. During the course of treatment, the patient became dissatisfied with the care provided by the physician, and advised the hospital that she was of the view that the physician and certain hospital staff were inappropriately accessing her record of personal health information. As a result, the hospital conducted a number of audits of the accesses to her record of personal health information. The hospital communicated the results of the audits to the patient. Eventually, the patient requested access to the audit reports under the Personal Health Information Protection Act (the Act), as well as requesting that a “lock box” be placed on her record of personal health information. The hospital issued an access decision under the Act, disclosing audit reports to the patient. The hospital also implemented the lock box. The patient (now the complainant) then filed a complaint to this office.

[2]  This decision disposes of the issues raised as a result of the complaint made about the hospital. The complainant alleges that her records of personal health information in the electronic health records system (EHR) of the hospital were inappropriately accessed by a physician and certain hospital staff. In addition, the complainant alleges that the hospital did not respond to her requests for audits of the physician and staff accesses to her records in the hospital’s EHR in a timely manner, and that the hospital has not provided her with records of the audits that are responsive to her request. The complainant alleges that the actions of the hospital, physician and the identified hospital staff members are in contravention of the Act.

[3]  During the intake and mediation stage of the complaints process, the complainant asserted that she first requested an audit of the physician’s access to her hospital records in January 2015, but did not hear from the hospital about an audit until April 2015.

[4]  The hospital’s position was that it met with the complainant in December 2014 to discuss blocking the physician’s access to the complainant’s records in the hospital’s EHR. The hospital asserted that while the complainant raised a number of concerns about the care provided by the physician, she did not request an audit at that time. The hospital stated that the complainant first requested an audit in April 2015, after the hospital had already initiated an audit to address the complainant’s concerns. The hospital explained that this first audit was done to address the complainant’s concerns about the physician’s access to her mental health records.

[5]  The complainant was dissatisfied with the results of this audit, and ultimately requested four additional audits. She subsequently made an access request to the hospital for a copy of the results of the audits. The complainant raised a number of concerns to this office about the results of the five audits and other issues, including the timeliness of the hospital’s response to her access request, and the responsiveness of the records she received as a result of the access request.

[6]  The complaint then moved to the adjudication stage of the complaints process, where an adjudicator may conduct a review. The adjudicator assigned to the file sought and received representations from both the hospital and the complainant. Portions of the hospital’s representations were withheld, as they met this office’s confidentiality criteria. The complaint was then transferred to me to continue the review. I sought reply representations from the hospital, as well as sur-reply representations from the complainant, both of which were received. I then sought, and received, representations from the parties on the possible application of section 20(2) of the Act.

[7]  For the reasons that follow, I find that the hospital responded to the complainant’s request for access to audits of her records of personal health information in accordance with section 54 of the Act. The records disclosed to the complainant were responsive to the access request. The complainant’s personal health information was used in accordance with section 20(2) of the Act, the physician did not improperly access the complainant’s personal health information, nor was it improperly disclosed by the hospital. No order is issued and the complaint is dismissed.

RECORDS:

[8]  The records consist of nine pages of audit reports.

ISSUES:

  A. Did the hospital respond to the complainant’s request for access to audits of her records of personal health information in accordance with section 54 of the Act?
  B. Are the records provided by the hospital responsive to the complainant’s request for access?
  C. Was the complainant’s personal health information used in accordance with the Act?
  D. Did the physician improperly access the complainant’s personal health information after the implementation of the lock box?

PRELIMINARY MATTERS:

[9]  There appears to be no dispute between the parties that the hospital and the physician are health information custodians within the meaning of section 3(1) of the Act, and that the records which were accessed, as well as those disclosed to the complainant, contain her personal health information within the meaning of section 4(1) of the Act.

DISCUSSION:

Issue A: Did the hospital respond to the complainant’s request for access to audits of her records of personal health information in accordance with section 54 of the Act?

[10]  Section 54 of the Act states, in part:

54. (1) A health information custodian that receives a request from an individual for access to a record of personal health information shall,

(a) make the record available to the individual for examination and, at the request of the individual, provide a copy of the record to the individual and if reasonably practical, an explanation of any term, code or abbreviation used in the record;

. . .

(2) Subject to subsection (3), the health information custodian shall give the response required by clause (1) (a), (b), (c) or (d) as soon as possible in the circumstances but no later than 30 days after receiving the request.

(3) Within 30 days after receiving the request for access, the health information custodian may extend the time limit set out in subsection (2) for a further period of time of not more than 30 days if,

(a) meeting the time limit would unreasonably interfere with the operations of the custodian because the information consists of numerous pieces of information or locating the information would necessitate a lengthy search; or

(b) the time required to undertake the consultations necessary to reply to the request within 30 days after receiving it would make it not reasonably practical to reply within that time.

(4) Upon extending the time limit under subsection (3), the health information custodian shall give the individual written notice of the extension setting out the length of the extension and the reason for the extension.

(7) If the health information custodian does not respond to the request within the time limit or before the extension, if any, expires, the custodian shall be deemed to have refused the individual’s request for access.

Representations

[11]  By way of background, the hospital submits that the issue of conducting audits was first raised by it with the complainant in December 2014, but the complainant did not request an audit of her records until April 2015. At that time, the hospital submits, the complainant raised specific concerns that the physician had inappropriately accessed her mental health records. As a result, the hospital initiated a privacy breach investigation, i.e. conducted a privacy audit of the complainant’s hospital records.

[12]  The hospital goes on to state that the complainant raised further concerns that the physician had inappropriately accessed other hospital records, and that she stated she was suspicious that her records had been inappropriately accessed by other physicians and staff members on behalf of the original physician. As a result, the hospital submits, it undertook further audits to determine whether any inappropriate accesses had occurred. The hospital advises that it finished its investigation in August 2015, and then met with the complainant to review the audit reports and the hospital’s findings.

[13]  Turning to whether the hospital responded to the complainant’s request for access to audits of her records of personal health information in accordance with section 54 of the Act, the hospital distinguishes between the complainant’s request for an “audit” (an examination and investigation of the accesses to her records of personal health information in the hospital’s EHR) and her request for “audit reports” (access to the results generated from its EHR for a particular audit). In particular, the hospital argues that while the audit process was discussed with the complainant several times beginning in December 2014, the complainant did not request access to any audit reports until August 2015, after the hospital met with her to review its audits.

[14]  The hospital submits that the audit reports were provided to the complainant, as follows:

  • One report was provided in response to email correspondence from the complainant, in which she requested the results of a specific audit;
  • One report was provided to the complainant during a meeting; and
  • The remaining reports were disclosed to the complainant within 30 days after receiving a written access request the complainant made in September 2015.

[15]  The complainant submits that she was not provided with access in a timely manner as required by the Act. She states that she requested an audit on the physician’s access in January 2015, but was not granted access to the audits until August 2015, despite the fact that the record was dated April 2015. The complainant states:

The custodians claim I was provided examination and copy of audits. On more than one occasion, [the Privacy Manager] reminded me that audits are not easy for patients to follow and are not usually given out to patients, she informed me it is sufficient she verbally tells me the results of audits. [The Privacy Manager] did not inform me that I have the rights to view and retain copies of my audits (although I was aware of this right and followed through with my requests).

[16]  In support of her position, the complainant provided copies of email communications that took place between herself and the Privacy Manager in August and September 2015 regarding the audits and the complainant’s wish to access information about those audits.

Analysis and findings

[17]  Section 53 sets out the requirements of a request for access to a record of personal health information. It states:

(1) An individual may exercise a right of access to a record of personal health information by making a written request for access to the health information custodian that has custody or control of the information.

(2) The request must contain sufficient detail to enable the health information custodian to identify and locate the record with reasonable efforts.

(3) If the request does not contain sufficient detail to enable the health information custodian to identify and locate the record with reasonable efforts, the custodian shall offer assistance to the person requesting access in reformulating the request to comply with subsection (2).

[18]  As set out above, section 54 sets out the duties of a health information custodian upon receiving a request from an individual for access to a record of personal health information.

[19]  Section 53 of the Act requires that an access request be in written form. From my review of the material before me, I find that the complainant made a written request to the hospital for access to records of her personal health information, and the hospital issued an access decision within 15 days of that request. In addition, approximately 10 days prior to the written request, there was some discussion in emails between the complainant and the Privacy Manager concerning access to the audit results. The time frame of the hospital’s responding emails was also within the 30 day requirement set out in section 54. In either case, the complainant received the records at issue within 30 days of both her email and paper requests.

[20]  While the complainant is of the view that she made an access request in prior discussions with the Privacy Manager, and while there may have been some miscommunication between the complainant and the hospital, the fact remains that an access request under the Act must be made in writing. As this was not done until the time frame of the emails and the written access request described above, I find that the hospital complied with the requirements set out in section 54 of the Act.

Issue B: Are the records provided by the hospital responsive to the complainant’s request for access?

[21]  In its decision letter, the hospital advised the complainant that it was granting full access to nine pages of records in response to her request for a copy of the audit reports of the accesses to her personal health records by all Minor Surgery Ambulatory Clinic staff, three physicians, and other staff members mentioned during her meeting with the Privacy Manager.

[22]  The complainant asserts that the copy of the audit reports she received is incomplete. She raises concerns about the lack of printing information (names and dates) or page numbers on all the pages but one (which bears the notation “Page 49”), and the fact the accesses do not appear in chronological order.

[23]  Section 52(1) of the Act sets out an individual’s right of access to records of personal health information about the individual that is in the custody or under the control of a health information custodian, subject to enumerated exceptions.

[24]  Section 53 of the Act imposes certain obligations on requesters and health information custodians when submitting and responding to requests for access to records. This section states:

(1) An individual may exercise a right of access to a record of personal health information by making a written request for access to the health information custodian that has custody or control of the information.

(2) The request must contain sufficient detail to enable the health information custodian to identify and locate the record with reasonable efforts.

(3) If the request does not contain sufficient detail to enable the health information custodian to identify and locate the record with reasonable efforts, the custodian shall offer assistance to the person requesting access in reformulating the request to comply with subsection (2).

[25]  This office has addressed analogous provisions in public sector freedom of information legislation. Through its jurisprudence under these statutes, the IPC has determined that institutions should adopt a liberal interpretation of a request in order to best serve the purpose and spirit of freedom of information legislation, and that, generally, ambiguity in a request should be resolved in the requester’s favour. [1]

[26]  This office has also determined that to be considered responsive to a request, records must “reasonably relate” to the request. [2]

Representations

[27]  The hospital provided the following information about the scope of the systems involved in the audits, and the nature of the information contained in the systems:

  • HPF: This electronic system is the hospital’s main patient repository for historical patient records (e.g., lab work, consultation notes, dictated reports on imaging or pathology, emergency records, nursing documentation, etc.). All paper and electronic records are scanned and/or submitted to HPF once the patient is discharged. Users are able to access and view records for authorized purposes (providing or assisting in care).
  • HED: This electronic system is for inpatient nursing and allied health documentation. User[s] are able to access, view, add and modify patient data entered in this system.
  • PACS: This electronic system is used to store patient diagnostic imaging scans.

[28]  The hospital also clarified that while records of diagnostic imaging reports are contained in HPF, the images themselves (without the reports) are contained in PACS.

[29]  With respect to the records at issue, the hospital submits that they are responsive to the complainant’s request, and that the request was sufficiently detailed to enable the hospital to identify and locate the records with reasonable effort. In particular, the hospital submits that the audit reports it prepared reflected the scope of the audits that were conducted at the complainant’s request, and that the audit reports disclosed to her are the audit reports that were the subject matter of the access request. The hospital submits that there are no other reports. The records, it argues, reasonably relate to the complainant’s request and are responsive to the request.

[30]  With regard to the complainant’s concerns about the pagination of the audit reports (specifically the appearance of “page 49” at the bottom of the page), the hospital argues that it explained to the complainant that the audit reports disclosed to her with respect to the physician’s accesses to her hospital record is the complete record of the physician’s accesses. The hospital further submits that audit reports are pulled by IT staff with subject matter expertise on the relevant application. When an audit is pulled in the HPF (Horizon Patient Folder) application (which stores a patient’s legal medical record), the entire audit is sent to the hospital’s Privacy Manager for review. The audit sometimes includes raw data, and log data is displayed in a spreadsheet and not in order of access. During the Privacy Manager’s review, she extracted the relevant information, based on the scope of the audit request. In this case, the complainant requested audits on specific individuals; as such, the Privacy Manager extracted audit data for those individuals for the purpose of her investigation, and explained to the complainant that the page numbers are irrelevant because the information is extracted from the audit reports generated and limited to the specific individuals named in the request.

[31]  Lastly, the hospital submits that there is no audit report for the PACS system relating to one of the physicians and the named staff members, because the physician did not access the complainant’s images in PACS, and the three staff members do not have access to PACS. The hospital submits that it communicated this information to the complainant.

[32]  The complainant submits that the hospital has not provided her with the complete original audit results, and that she is still requesting the remaining 49 pages of the original audit retrieved to see accesses by the physician to her record of personal health information. The complainant also expressed concern about the organization of the data in the audit reports. She notes that accesses are not listed in chronological order, which she believes “indicates that these audit trails may have been tampered with and altered.”

Analysis and findings

[33]  The complainant’s written access request was for access to a copy of the audit report of accesses to her record of personal health information made by all Minor Surgery Ambulatory Clinic staff, three physicians and two other staff members over a specified time period. In response, the hospital issued an access decision under the Act, granting full access to nine pages of records.

[34]  Having reviewed the parties’ representations and the records themselves, I find that the audit reports that were disclosed to the complainant are responsive to her access request, as they not only “reasonably relate” to her request, they directly relate to her request. The reports show the accesses to the complainant’s record of personal health information made by the individuals listed in her access request.

[35]  I am also satisfied with the hospital’s explanation regarding the reference to “page 49” on the bottom of one of the pages of the audit reports, and I find that, given this explanation, there is no reason to conclude that further audit reports relating to the individuals referred to in the access request exist.

Issue C: Was the complainant’s personal health information used in accordance with the Act?

[36]  The complainant alleges that a number of hospital staff and physicians inappropriately accessed her personal health information on specified dates. The complainant therefore alleges the improper use of her records of personal health information by the above-named agents of the hospital, in breach of the Act.

[37]  In its representations, the hospital explained that in addition to having a private practice, the physician also has privileges at the hospital. The hospital takes the position that when the physician is providing treatment to hospital patients and accessing personal health information in the hospital’s EHR pursuant to these privileges, he is acting as an agent of the hospital within the meaning of the Act.

[38]  The hospital also agrees that the accesses to the hospital’s EHR that are at issue in this complaint are “uses” by its agents of the records of the complainant’s personal health information.

[39]  The Act applies to the activities of those individuals who act for or on behalf of the health information custodian in respect of personal health information. These individuals are referred to as “agents.” Section 2 of the Act defines the terms “agent” and “use” as follows:

“agent”, in relation to a health information custodian, means a person that, with the authorization of the custodian, acts for or on behalf of the custodian in respect of personal health information for the purposes of the custodian, and not the agent’s own purposes, whether or not the agent has the authority to bind the custodian, whether or not the agent is employed by the custodian and whether or not the agent is being remunerated;

“use”, in relation to personal health information in the custody or under the control of a health information custodian or a person, means to view, handle or otherwise deal with the information, subject to subsection 6 (1), but does not include to disclose the information, and “use”, as a noun, has a corresponding meaning.

[40]  Section 17 provides that agents of a health information custodian may only collect, use, disclose, retain or dispose of personal health information in accordance with the Act. It also provides that a health information custodian remains responsible for any personal health information that is collected, used, disclosed, retained or disposed of by its agents, regardless of whether these actions were carried out in accordance with the Act.

[41]  Section 20(2) of the Act states:

A health information custodian described in paragraph 1, 2, 3 or 4 of the definition of “health information custodian” in subsection 3(1), that receives personal health information about an individual from the individual, the individual’s substitute decision-maker or another health information custodian for the purpose of providing health care or assisting in the provision of health care to the individual, is entitled to assume that it has the individual’s implied consent to collect, use or disclose the information for the purposes of providing health care or assisting in providing health care to the individual, unless the custodian that receives the information is aware that the individual has expressly withheld or withdrawn the consent.

[42]  Section 29 of the Act states:

A health information custodian shall not collect, use or disclose personal health information about an individual unless,

(a) it has the individual's consent under this Act and the collection, use or disclosure, as the case may be, to the best of the custodian's knowledge, is necessary for a lawful purpose; or

(b) the collection, use or disclosure, as the case may be, is permitted or required by this Act.

[43]  Section 37 of the Act sets out permitted uses of personal health information, some of which are set out below.

Representations

Background - The Five Audits

[44]  During the intake and mediation stages of this complaint, the hospital described the scope and outcome of each of the five audits that were conducted over the period April to September 2015. This information was included in the Notices of Review that were provided to the parties during the review of this complaint.

Audit #1 – To determine if the physician accessed the complainant’s mental health records in the HPF electronic system up to April 20, 2015.

[45]  The hospital stated that it initiated this audit in response to the complainant’s concerns that the physician was inappropriately accessing her mental health records.

[46]  Outcome: The hospital determined that the physician had not accessed any of the complainant’s mental health records.

[47]  The complainant stated that this audit should have included in its scope all her personal health records, and not just those relating to mental health. She also states that in May 2015, she requested an audit of the OR nurses, not of the physician, because she had already requested an audit of the physician’s accesses in January 2015.

[48]  The hospital reported that the complainant was not satisfied and asked for an audit of all of the physician’s access to her records. The hospital subsequently followed up with the complainant to clarify the scope of the next audit.

Audit #2 – To determine if the physician and a named nurse accessed the complainant’s health records in the HPF, HED and PACS systems from March 1, 2014 to May 28, 2015.

[49]  The hospital initiated this audit in response to an email request from the complainant to the hospital in May 2015.

[50]  Outcome: The hospital determined that the physician did not access the complainant’s records in HED or PACS. It determined, however, that the physician accessed the complainant’s records in HPF on October 15, 2014. As the hospital identified that the complainant did not have an appointment at the hospital on that date, it investigated the result, including through an interview of the physician by the hospital’s Chief of Staff. The hospital reported:

The explanation provided by [the physician] was that he was providing care to [the complainant] and the access was medically relevant to the care he was providing at the hospital and in his private practice. [The Chief of Staff] confirmed the explanation provided was reasonable as physicians are authorized to access the previous medical records of patients that they are providing care to.

[51]  The complainant advised that this access was not relevant to the care the physician was providing her. As a result, the hospital sought additional information from the physician and the Operating Room Manager. The hospital reports that the subsequent explanation revealed there was incidental access to the complainant’s health records. In other words, the physician clicked on more tabs in HPF than was necessary to access the complainant’s personal health information relevant to providing the complainant with health care. The hospital reports that, in light of this new information:

[The physician] was cautioned and it was explained that accessing previous medical records by clicking on all tabs in HPF is not appropriate. He was also offered additional HPF training. After careful consideration and review, there is no evidence to suggest intentional or malicious access.

[52]  The hospital also determined that the nurse did not access the complainant’s health records in HED, HPF or PACS.

[53]  The hospital met with the complainant to review the audit results for the physician, at which time the complainant requested further audits.

[54]  The complainant disagreed with the hospital’s finding of no inappropriate access by the physician, and its conclusion that his accesses to her personal health records were “medically relevant” without an audit report being provided to her. She stated that she had evidence that the physician was threatening her with her personal health information that he was retrieving at the hospital, and that:

I sent [the Privacy Manager] an email that same day [August 4, 2015] reminding her that I have solid evidence of the physician’s access to my MRI [imaging] and other health records. Only then did she [disclose] to me that there was a single access to an MRI that was done in 2013.

[55]  The complainant states that in August 2015, she asked to see the full audit trail of the physician, but that the Privacy Manager did not show it to her and did not admit that it was incomplete.

Audit #3 – To determine if the physician accessed the complainant’s health records in HPF, HED and PACS from January 1, 2012 to December 31, 2013.

[56]  The hospital initiated this audit to address the complainant’s concerns that the physician was accessing records dating from before her first visit with him at the hospital, which she reports was on July 31, 2014.

[57]  Outcome: The hospital determined that there was no access by the physician during this time period.

[58]  After reviewing this audit result, the complainant raised concerns that other staff were accessing information on the physician’s behalf. The complainant stated that the audit showed that the physician’s access to her personal health information was not just “a single access to an MRI,” as she was informed by the Privacy Manager, but instead included access to a CT scan from a kidney imaging report and an ultrasound for a breast biopsy.

[59]  She stated that she asked the Chief of Staff to explain how the physician’s access to this information was medically relevant to the care he was providing her with, and that she has not received an explanation to date.

Audit #4 – To determine if all minor surgery ambulatory clinic staff, an operating room clerk and a social worker accessed the complainant’s health records in HPF from January 1, 2012 to August 25, 2015, and if two radiologists and the physician accessed the complainant’s health records in PACS for the same time period.

[60]  The hospital initiated this audit after discussions with the complainant that resulted in the narrowing of her August 2015 email request for an audit of all individuals who accessed her records.

[61]  Outcome: The hospital determined there was no access to the complainant’s personal health information by the named radiologists.

[62]  The hospital determined that the clerk accessed the complainant’s health records in HPF on October 15, 2014, and that all accesses were to records of the complainant’s health records authored by the physician. The hospital explained that the clerk provided clerical support to the physician to help him navigate the information in order to find the relevant information most efficiently. It noted that the use of the electronic record application is one of the main duties of clerical staff, and that it is not unusual for two users to be logged on at the same time in order to receive assistance. The hospital concluded there was no evidence these records were accessed inappropriately or for any other reason. As a result, the hospital determined that the clerk’s accesses to the HPF were reasonable.

[63]  The hospital determined that the social worker accessed the complainant’s health records on November 12, 20, 26 and 27, 2014. The hospital explained that the social worker provides an intake and triage function for mental health referrals that requires her to obtain a detailed psychological history. It confirmed with the Manager of Mental Health that this is the standard process for all referrals to the psychiatry program, and that this patient referral was not unique. It therefore determined that the social worker’s accesses to the complainant’s health records were in keeping with her job duties.

[64]  The hospital also determined there was no evidence that the social worker accessed records on behalf of the physician. It noted that the social worker is an employee of the outpatient mental health unit, which has no relation to the physician’s specialty of surgery, and that the psychiatry and surgery programs are in different areas of the hospital and have no interaction.

[65]  The hospital determined that a nurse accessed the complainant’s health records on July 2, 2014. The hospital interviewed the nurse, who had no recollection of the patient or the access. The hospital noted it is common practice for nurses and unit secretaries to assist physicians with patient care, which includes accessing and printing recent test results. The hospital confirmed that on July 2, 2014, the nurse was working with a second physician and preparing for his clinic. It determined that the nurse was likely accessing and printing a copy of an MRI (which was ordered by a third physician and copied to the original physician) on the instruction of the second physician. Although the complainant reports that the second physician did not discuss the MRI with her during her appointment with him, the MRI may have been reviewed, but determined not to be relevant to that appointment.

[66]  The hospital reported that the Manager of the Minor/Ambulatory Clinic had followed up with staff and that, in future, staff will only be accessing information for patients that are registered to receive care that day.

[67]  The complainant advised that the physician stated in a response to a complaint she made to the College of Physicians and Surgeons of Ontario that he has accessed her “diagnostic imaging,” not diagnostic imaging reports. She also reported that a September 2015 email from the physician to the Manager contained the statements: “At [the complainant’s] request, I had accessed her medical records to review her relevant diagnostic [imaging],” and “Any access to unrelated diagnostic imaging was due to trying to find and open the relevant diagnostic imaging.”

[68]  The complainant stated that the explanation that the clerk accessed her health records for chart reconciliation purposes and for the physician to have an up-to-date and accurate chart for his private practice contradicts information provided to her in August 2015, when the hospital advised her that it:

. . . did not disclose your records to the physician to maintain and use at his private clinic. While he was providing care to you at the hospital, he would have received copies of reports and tests he ordered in his physician mailbox at the hospital.

[69]  The complainant disagreed with the hospital’s note in the audit report for the physician indicating that he reviewed her health records “in response to [the complainant’s] request to discuss the final reports with her to her MRI and CT scan.” She denied ever having made this request to the physician.

[70]  The complainant also disbelieved the hospital’s explanation for the clerk’s and the physician’s accesses to her health records at approximately the same time on October 15, 2014. She disputed that the purpose of the clerk’s access was to provide clerical support and relief to the physician while he was providing patient care in the OR.

[71]  The complainant disagreed with the hospital’s finding that there was no evidence to suggest that the social worker accessed the complainant’s health records on behalf of the physician. In support, she referred to phone calls and text messages from the physician to her in which he revealed his awareness of who she was seeing at the hospital’s mental health department. She also noted that shortly after the social worker’s four accesses to her records (in November 2014), the physician made a clinic note dated December 3, 2014 stating that the complainant was suffering and receiving care for mental health issues. She inferred that the social worker’s access was linked to the physician’s knowledge and notation of her mental health issues.

[72]  The complainant also questioned the hospital’s explanation that the social worker needed to access her health records in order to assist with a referral to a new physician, as she reported the hospital has never provided her with mental health services.

[73]  The complainant continued to assert that the nurse accessed her MRI report at the physician’s request. She noted that the audit report showed the nurse printed, and not only viewed, an MRI report on a date when the complainant was not at the hospital receiving care. She objected to the hospital’s explanation that the nurse’s access was likely related to her visit with the second physician. She stated that she was seeing that physician for a condition, which is unrelated to the specific MRI that was viewed (which was ordered for her face). She reiterated that the second physician never discussed this MRI report with her.

Audit #5 – To determine if the physician accessed the complainant’s children’s medical records from January 1, 2008 to September 1, 2015.

[74]  In an email sent in August 2015, the complainant requested an audit of her children’s medical records to determine whether the physician had accessed their personal health information. The hospital determined there was no access by the physician to her children’s health records.

The “use” of the complainant’s personal health information

[75]  The hospital submits that section 20(2) of the Act applies because the hospital was entitled to assume implied consent for its agents to access and use the complainant’s personal health information. The hospital goes on to argue that the complainant’s personal health information was collected and used for the purposes of providing health care to her, and the hospital was not aware of any restrictions on the collection, use or disclosure of the complainant’s personal health information at the time it was accessed. The hospital further submits that the complainant did not withdraw her consent to use or disclose her personal health information respecting the physician until August of 2015.

[76]  The hospital also takes the position that the accesses to the complainant’s records by hospital staff that are at issue in this complaint were permitted uses, without the complainant’s consent, under sections 37(1)(a) and 37(2) of the Act. The hospital argues that staff are authorized by the hospital to use personal health information to perform administrative and other tasks in order to directly support clinical care providers, as well as for other functions reasonably necessary for the purpose of providing health care to a patient, such as the scheduling of appointments and the preparation of charts.

[77]  The hospital submits that its audits for each staff member involved the generation of an audit report, interviews with the named staff members regarding their recollection of events and the purpose for which they accessed the records, and a review with each staff member’s Manager to analyze the accesses and explanations in the context of her assigned roles and responsibilities at the hospital. The hospital submits that it is satisfied with the explanations provided by the staff members involved, and that the accesses in question were for authorized purposes and occurred in accordance with sections 20(2) and 37(2) of the Act, and did not breach the complainant’s privacy.

[78]  With respect to the possible application of section 20(2), the complainant submits that she withdrew her consent for the physician to access her record of personal health information by way of an email to the hospital on April 16, 2015 and on many other occasions.

Analysis and findings

[79]  One of the purposes of the Act is to establish rules for the collection, use and disclosure of personal health information about individuals that protect the confidentiality of that information and the privacy of individuals, while facilitating the effective provision of health care. One of the ways in which the Act achieves this purpose is by requiring that collections, uses and disclosures of personal health information occur with the consent of the individual to whom the information relates, unless such collections, uses and disclosures are permitted or required without consent by the Act. [3] Unless the Act requires express consent, the consent may be express or implied. Hospitals, such as this one, may rely upon assumed implied consent where the collection, use or disclosure is for the purpose of providing health care or assisting in providing health care, in specific circumstances. [4]

[80]  The hospital is claiming that sections 20(2), 37(1)(a) and 37(2) of the Act apply in the context of this complaint.

[81]  To recap the findings of the audits, the complainant’s personal health information was accessed by the following individuals:

  • The physician, the clerk and the nurse on one occasion each; and
  • The social worker on four occasions.

[82]  I find that the accesses by the above individuals were “uses” of the complainant’s personal information, and that where a health information custodian provides personal health information to an agent of the custodian, this is a use and not a disclosure. [5]

[83]  Having determined that the accesses were uses, I must now consider whether these types of uses of the complainant’s personal health information were authorized by the Act. I have carefully considered the representations of the parties, and I find that the uses of the complainant’s personal health information were authorized under the Act, and that the hospital was entitled to rely on assumed implied consent under section 20(2).

[84]  There is no dispute that the hospital is an entity which may rely on assumed implied consent under the Act. The following conditions must also be met:

  • the hospital must have received the personal health information from the complainant, the complainant’s substitute decision-maker or another health information custodian; and
  • the hospital must have received that information for the purpose of providing health care or assisting in the provision of health care to the complainant; and
  • the purpose of the hospital’s use of that information must be for the purposes of providing health care or assisting in providing health care to the complainant; and
  • the hospital must not be aware that the complainant has expressly withheld or withdrawn the consent. [6]

[85]  I accept the submissions of the hospital and I am satisfied, on the basis of the material before me, that the above conditions have been met. With respect to the accesses made by the clerk and the nurse, I am satisfied with the explanations provided by the hospital. In particular, I am satisfied that both the clerk and the nurse were directly part of the complainant’s circle of care, and accessed the complainant’s record of personal health information for the express purpose of assisting physicians in navigating the complainant’s health information relevant to the provision of health care to her, which was the purpose of collecting the personal health information in the first place. I find that the hospital was entitled to rely on section 20(2) for these accesses, or uses of the complainant’s personal health information.

[86]  Similarly, regarding the accesses made by the social worker, I accept the arguments made by the hospital that a referral was made to the hospital’s outpatient mental health unit regarding the complainant, and that as part of its intake and triage process, the social worker accessed the complainant’s personal health information in order to obtain a detailed psychological history, which was part of providing health care to the complainant. Consequently, I find that the hospital was entitled to rely on section 20(2) for these accesses, or uses of the complainant’s personal health information. I also note that the complainant has not provided evidence that the social worker accessed her personal health information on behalf of, or at the behest of, the physician.

[87]  Lastly, turning to the sole access made by the physician, which took place on October 15, 2014, the hospital advised that the physician explained that he was providing health care to the complainant and that the access was relevant to the care he was providing at the hospital and in his private practice. The Chief of Staff confirmed that physicians are authorized to access the previous medical records of patients to whom they are providing care.

[88]  After seeking further information from the physician and the Operating Room Manager, the hospital determined that some of the physician’s access on October 15, 2014 was incidental, as the physician had clicked on all of the tabs in HPF, rather than only the tabs necessary to access the complainant’s personal health information required to provide care. The hospital further advised that it had cautioned the physician and offered additional HPF training to him. The hospital concluded that there was no evidence to suggest intentional or malicious access.

[89]  I find that the hospital was entitled to rely on section 20(2) for the physician’s accesses or uses of the complainant’s personal health information for the express purpose of providing health care to her. I also note that the complainant’s withdrawal of her consent took place after the physician had accessed and used her personal health information. With respect to the fact that the physician clicked on all of the tabs in the complainant’s HPF (see above), I am satisfied that this access was accidental, not done for any purpose other than providing health care to the complainant, and did not constitute an intentional unauthorized access. [7]

[90]  In sum, I find that the health information custodian and its agents did not improperly use the complainant’s personal health information; it was authorized to use her personal health information under section 29, relying on assumed implied consent under section 20(2) of the Act; and the complainant’s personal privacy was not breached by the use of her personal health information. Given that section 20(2) of the Act applies, it is not necessary for me to determine whether sections 37(1)(a) or 37(2) apply.

Issue D: Did the physician improperly access the complainant’s personal health information after the implementation of the lock box?

[91]  The complainant alleges that the physician improperly accessed her records in the hospital’s EHR on October 15, 2014 and September 24, 2015, after she had asked the hospital to place a lock box blocking the physician’s access to her records of personal health information.

[92]  Section 2 of the Act defines the term “disclose” as follows:

“disclose”, in relation to personal health information in the custody or under the control of a health information custodian or a person, means to make the information available or to release it to another health information custodian or to another person, but does not include to use the information, and “disclosure” has a corresponding meaning[.]

[93]  The term “lock box” is not defined in the Act. It is a term commonly used to describe the right of individuals to withhold or withdraw their consent to the collection, use or disclosure of their personal health information for health care purposes. Section 19 of the Act states that an individual may, with limited exceptions, withhold or withdraw her consent, whether the consent was express or implied, at any time for the collection, use or disclosure of her personal health information, by notifying the health information custodian.

[94]  While the withdrawal or withholding of consent to disclose is not retroactive, a health information custodian must stop disclosing the personal health information in accordance with the withdrawal as soon as the notice of withdrawal is received. Once consent has been withdrawn, a health information custodian subject to the withdrawal of consent, or to an express instruction regarding withdrawal of consent, cannot collect, use or disclose the personal health information for health care purposes, unless the individual provides express consent, or unless the Act permits the collection, use or disclosure to be made without consent.

Representations

[95]  The hospital submits that on August 25, 2015, the complainant provided the hospital with a signed “Request for Lock box Implementation” form, withdrawing her consent to the use or disclosure of her personal health information to the physician. The hospital advises that as of August 25, 2015, this lock box has been in place and it has been confirmed that the physician has not had any further access to the complainant’s personal health information.

[96]  The hospital further submits that the complainant alleges that she withdrew her consent for the physician to access her personal health information in August 2014, but there is no evidence to support this claim. The hospital argues that in order to give effect to a request to withdraw consent to the collection, use or disclosure of personal health information for health care purposes under the Act, it has an established process. Between December 2014 and August 2015, the hospital advised the complainant of the option of a lock box on a number of occasions; the complainant chose not to pursue this until August 25, 2015. The hospital also submits that the physician’s access on October 15, 2014 pre-dated the complainant’s request for the lock box. In addition, the hospital advises that at the time of the implementation of the lock box, the physician was no longer providing care to the complainant.

[97]  The hospital goes on to argue that the complainant also alleged that the physician accessed her personal health information on September 24, 2015 and printed clinic notes from August, September and October 2014. The hospital submits that it has no record of the physician accessing the complainant’s hospital records on September 24, 2015 or any other date following the implementation of the lock box. The hospital further submits that at the time the physician was providing care to the complainant at the hospital, including the time between August and October 2014, he would have received copies of reports and test results where he was the attending or ordering physician. The hospital states:

To clarify, reports could have been delivered to his physician mailbox at the Hospital, delivered by fax or sent to his electronic health record for retrieval. The method of delivery or results routing would depend on the physician’s preference and the arrangements that the physician had in place with the Hospital.

[98]  With respect to the lock box, the hospital submits that it can only implement a lock box as it relates to records of personal health information in its custody and control. The restrictions, it argues, do not apply to personal health information that has already been disclosed to other health information custodians prior to the withdrawal of the individual’s consent. The hospital further submits that this information was communicated to the complainant at the time she requested the lock box.

[99]  The hospital also submits that in April 2016, the complainant contacted the hospital and requested that it investigate the disclosure of her personal health information to the physician on September 24, 2015. The hospital advises that it reviewed its release of information logs and audit records, and confirmed that the hospital did not disclose any of the complainant’s personal health information to the physician, or to his office, nor was any personal health information requested by the physician from the hospital.

[100]  The complainant submits that the hospital was fully aware that she had withdrawn her consent for the physician to access her personal health information in August 2014 and that the physician had been notified of this withdrawal of consent prior to October 2014. The complainant then goes on to state that she made her lock box request by email in April 2015. The complainant further submits that, overall, the hospital deliberately misled her during the time she raised her complaint to the hospital (prior to filing a complaint with this office).

Analysis and findings

[101]  As I have made my findings regarding the physician’s October 15, 2014 access above, in this section I consider only whether the hospital breached the complainant’s privacy by disclosing her personal health information to the physician after the implementation of the lock box.

[102]  I find that at the time of the implementation of the lock box, the physician was acting in his capacity as an independent health information custodian, and not as an agent of the hospital because he was no longer providing health care to the complainant. I further find that there is no evidence that the physician accessed the complainant’s personal health information on September 24, 2015.

[103]  I am satisfied with the hospital’s explanation that the physician did not access the complainant’s personal health information after the implementation of the lock box, nor did the hospital disclose any of the complainant’s personal health information to the physician, or to his office. I base my finding on the fact that the hospital specifically reviewed its release of information logs and audit records in response to the complainant’s allegation that the physician had accessed her personal health information on September 24, 2015. I accept that the hospital found that the complainant’s record of personal health information had not been accessed on that date, nor had her personal health information been disclosed on that date or any other date after August 24, 2015.

[104]  While I appreciate the complainant’s frustration, I find that she has simply not provided evidence that she requested the lock box in either August 2014 or April 2015. In addition, she has not provided evidence that the physician accessed her record of personal health information on September 24, 2015, after the implementation of the lock box.

[105]  Consequently, I find that there was no improper access by the physician of the complainant’s personal health information, and that there was no improper disclosure of the complainant’s personal health information by the hospital to the physician.

No ORDER:

1.  For the foregoing reasons, no order is issued and the complaint is dismissed.

Original Signed by: Cathy Hamilton, Adjudicator

January 24, 2019



[1] Orders P-134 and P-880, issued under the Freedom of Information and Protection of Privacy Act.

[2] Orders P-880 and PO-2661.

[3] See section 29.

[4] See section 20(2).

[5] See section 6(1) of the Act.

[6] See, for example, PHIPA Decision 35.

[7] See PHIPA Decision 44, which examines authorized “uses” of personal health information, including section 20(2).
