PHIPA DECISION 141

Complaint HA17-16-2

A Hospital

February 17, 2021

Summary: This decision addresses a complaint submitted under the Personal Health Information and Protection Act about a hospital. The complainant filed an access request for records containing her personal health information, which the hospital granted. The complainant filed a complaint with this office alleging that the hospital’s search for records was not reasonable. In this decision, the adjudicator finds that the hospital’s search was reasonable and dismisses the complaint.

Statutes Considered: Personal Health Information Protection Act, 2004,  S.O. 2004,   c.3, sections   3(1) , 4(1) , 54(1) (a), (b), and 58(1) .

BACKGROUND AND OVERVIEW

[1] The complainant was admitted to the hospital that is the subject of this complaint for surgery in 2007. Initially, the complainant was scheduled to have one surgery performed but it was rescheduled to enable two doctors to perform different surgeries consecutively. The complainant was placed under general anesthesia for the surgeries. The complainant alleges that she was left in the operating room for an extended period of time waiting for the second surgery and as a result experienced complications that resulted in permanent physical impairment. For the remainder of this decision, I will refer to the complainant’s surgeries in the singular form “surgery.”

[2] The complainant says that she has been trying to obtain access to her medical records from the hospital since 2008.

[3] In 2012, the complainant filed a request under the Personal Health Information Protection Act (PHIPA) to the hospital for records related to her surgery. The hospital granted the complainant partial access to records containing her personal health information (PHI) but withheld access to certain emails claiming that the legal privilege exemption under section 52(1)(a) applied. The complainant filed a complaint with this office claiming that additional records should exist and challenged the application of the exemption claimed by the hospital. Complaint HA12-63 was opened and this office determined that the reasonable search issue should not proceed as the complainant had failed to establish a reasonable basis for believing that further records exist. The issue regarding whether the withheld records contained exempt information proceeded to mediation in Complaint HA12-63-2 but was subsequently withdrawn [1] by the complainant.

[4] This decision addresses the complainant’s subsequent 2016 access request to the hospital. On December 12, 2016, the complainant submitted a 35-page access request to the hospital under PHIPA and the Freedom of Information and Protection of Privacy Act (FIPPA) for access to both general hospital records and records of her own PHI. In response, the hospital issued a decision under both FIPPA and PHIPA and provided an index addressing the 118 parts of the complainant’s request. There is no dispute that the hospital is both an institution under FIPPA and a health information custodian under PHIPA. [2]

[5] The hospital conducted a search for responsive records and granted the complainant full access to the located records. [3] The hospital issued an access decision under PHIPA and FIPPA stating the following, in part:

Access to some of the requested records has been granted as per the attached index of records. The vast majority of records were provided to you in response to your earlier requests. A large portion of the requested records do not exist. We would also advise you that the Hospital is not required to create new records in response to a request ...

With respect to your request for records of personal health information, all records up to April 26, 2013 have been provided to you previously. We enclose a visit history indicating all visits subsequent to April 26, 2013. A chart review documenting tests performed and results is enclosed. All other records in relation to visits subsequent to April 26, 2013[;] Due to the nature of these documents, we ask that you obtain these directly from the physician.

[6] The hospital’s access decision was accompanied by an index setting out each of the paragraphs of her 35-page request, the issues the hospital believes the paragraphs relate to, and the hospital’s response to each paragraph.

[7] The complainant was not satisfied with the hospital’s decision and filed a complaint with this office, alleging that additional records should exist. This office assigned a mediator to explore settlement with the parties. The hospital issued a supplementary decision granting the complainant access to additional records that were located after the complaint was filed. However, the hospital maintained its position that most of the records requested by the complainant do not exist.

[8] At the end of mediation, the complainant indicated that she was not interested in obtaining copies of records [4] the hospital identified as having been previously provided to her. However, the complainant continued to take the position that additional records should exist for 27 [5] of the items identified in the index.

[9] After the issuance of the mediator’s report but before the complaint was moved to adjudication, the complainant sent a letter to the mediator, dated May 8, 2018 in which she asked that the adjudicator assigned to this matter “initially limit their review and examination of my complaint on four specific areas of concern.” The four areas in which the complainant alleges that the hospital failed to conduct a reasonable search are:

1. Original surgical documentation entered into the Operation Room Scheduling Office System by nursing staff on the day of her surgery (ORSOS records of nursing staff) [6] ;
2. Electronic records relating to her surgery and recovery in the Post Anesthesia Care Unit and throughout her entire admission to the hospital for three days in 2007 (electronic records related to surgery and recovery) [7] ;
3. Audit logs or access logs for her Electronic Patient Record (audit reports) [8] ; and
4. Chronological listing of all documentation scanned and held on the hospital’s server relating her 2007 admission to the hospital (chronological lists of all records of PHI) [9] .

[10] For the remainder of this decision, I will refer to the above-noted four items as the complainant’s main concerns.

[11] In her letter to the mediator, the complainant explained her reasons for focussing on these issues:

I believe a focussed approach will provide the Adjudicator with a fundamental understanding of the serious concerns I have with respect to all of my PHI by limiting his or her initial focus to a smaller sample of my Original Complaint.

I am alleging that the [hospital] has, since my original request [in 2008] ... knowingly and fraudulently concealed my original PHI in order to prevent me from obtaining the detailed records from the Surgery and the results of tests performed at the [hospital] which tests, if released to me in their original format would disclose exactly what happened [on the date of my surgery in 2007], the pain I experienced immediately in the Post Operative Care Unit, documentation of the obvious indication of physical damage that should have been documented by the [Operating Room and Post Operative Care nurses].

[12] This matter was then moved to the adjudication stage and assigned to me. With the complainant’s consent, I provided a copy of her May 8, 2018 letter, which outlined her four main concerns, to the hospital for its response. The complainant, however, indicated that she was not abandoning the items identified as outstanding in the mediator’s report but which are not captured by her main concerns. [10] A copy of the complainant’s letter was provided to the hospital along with a Notice of Review, which set out that the scope of my review was limited to the four main concerns identified by the complainant. I also communicated to the hospital that the complainant indicated that she was not pursuing some of the items identified in the mediator’s report as remaining in dispute at this time, but that she was not abandoning her claim that the hospital’s search for these items was not reasonable.

[13] If the complainant wants to pursue any issues identified as remaining in dispute in the mediator’s report, she will have to declare her intentions by writing to this office within 30 days of her receipt of this order.

[14] The hospital submitted representations in response to the Notice of Review and a copy of its complete representations was shared with the complainant who made representations in response. I did not find it necessary to share the complainant’s representations with the hospital for reply.

[15] In this decision, I find that the hospital conducted a reasonable search for records responsive to the complainant’s main concerns and dismiss the complaint.

PRELIMINARY ISSUES:

[16] The parties do not dispute, and I agree, that the information responsive to the complainant’s request under PHIPA is her PHI as defined in sections 4(1)(a) and (b). [11] The records are records of personal information and the reasonableness of the hospital’s search for those records is to be assessed under PHIPA.

[17] The representations of the parties revisit issues related to the complainant’s 2012 PHIPA request. The complainant also discusses at length her requests to obtain her medical records outside of PHIPA. The complainant filed a civil suit to seek damages against the hospital. The complainant states that had all of her medical records been provided to her lawyers she would not have had to submit repeated requests under PHIPA.

[18] Throughout her submissions, the complainant refers to information, such as transcripts, that she or her lawyers obtained as a result of discovery that took place in the civil suit.

Differences between the complainant’s 2012 and 2016 access requests

[19] One of the issues I had to grapple with was how the 2016 complaint (the present complaint) differs from the complaint filed in 2012 as the records sought by the complainant in both matters relate to her surgery performed in 2007. As noted above, this office decided that the 2012 complaint did not warrant a review on the basis that the complainant had failed to establish a reasonable basis to support her belief that further records responsive to her request exist in the hospital’s record holdings other than what was already provided to her.

[20] I decided to conduct a review in the present complaint as it appeared that the four alleged deficiencies identified by the complainant address the portions of her request for electronic records in their scanned original format when they were uploaded to one of the hospital’s information systems, and are therefore distinct from the records she requested in her 2012 request. The complainant takes the position that the hospital should be able to produce a copy of a record as it appeared when it was uploaded to its server. The complainant alleges that the hospital’s search for her electronic records containing her PHI is not reasonable as its search efforts failed to produce electronic records which would allow her to see her health records at the time they were created. The complainant also takes the position that the hospital should be able to locate electronic records which would track what changes were made to the original electronic record or notation.

The hospital’s record management practices

[21] A considerable portion of the complainant’s submissions focusses on what she sees as deficiencies in the hospital’s information practices. In particular, the complainant submits that the hospital failed to comply with requirements under PHIPA and the Medicine Act. [12] The complainant also refers to the hospital’s own guidelines along with the College of Physicians and Surgeons of Ontario (CPSO) guidelines and insists that the hospital is required to run various audits and produce further audit reports. The complainant asks that I review the hospital’s information practices and make a finding that the hospital is in contravention of PHIPA.

[22] In this matter, the hospital asserts that it does not have the capacity to create additional audit reports, than what was already provided to the complainant. However, the complainant asserts that additional audit reports or reports which contain more detailed information should exist. I will go on to consider whether the hospital conducted a reasonable search for these types of records.

[23] The complainant did not file a complaint with the IPC about the hospital’s information management practices. The sole issue before me is whether the hospital’s search for records was reasonable. To assess this, the issue is not whether the hospital should have created records other than what it has, but rather whether it conducted a reasonable search of the records in its record holdings.

Complainant’s submissions raise other issues

[24] The complainant’s submissions addressed a number of issues that are not within the scope of my review:

1. issues beyond the scope of the four main concerns identified by the complainant;
2. issues not within the jurisdiction of this office; and
3. issues already decided in the complainant’s previous complaint.

A. Issues beyond the scope of the four main concerns identified by the complainant

Request to inspect electronic records

[25] The complainant wants to view her electronic records at the hospital. She submits that she has not been granted access to “underlying electronic records” and that the hospital has failed to locate “critical documentation.” [13] In support of her position, the complainant states:

... there is evidence that the [hospital] did not provide [me with my] complete medical records, so [I request] to have access to [my] medical records and whatever systems they are in, so that [I can] review these records and request copies thereof, where appropriate. The fact that the [hospital has] withheld so many records is unconscionable [to me, and I] respectfully submit that [I] be permitted to enter the [hospital] and review [my] medical records with individuals who have knowledge of each software system, and [that my] review have nothing to do with [an individual in the hospital’s privacy office].

[26] The complainant goes on to state that she does not want the hospital to print off copies of her medical records “as there are so many.” The complainant argues that she has “the legal right to review her PHI electronically.” The complaint says that instead of ordering the hospital to grant access to additional records, this office has “the legal authority to state that the [hospital] has breached [PHIPA]”. The complainant provided details of her recent efforts to request an appointment to view her electronic records. It is not clear to me whether this request was related to the complainant’s 2016 request or if she had filed another PHIPA request. In any event, the complainant says that the hospital responded that its medical record department was closed to visitors due to the COVID-19 pandemic and as a result an onsite visit could not be scheduled.

[27] I note that section 54(1)(a) [14] provides that upon its receipt of an access request under PHIPA, a custodian shall make the record available to the individual for examination and provide a copy if requested. However, there is no evidence before me suggesting that the hospital has denied the complainant’s request in this regard. Rather, it appears that the complainant’s request to attend the hospital’s premises has been placed on hold given visitation restrictions imposed in response to the COVID-19 pandemic. Accordingly, the complainant will have to wait until current restrictions are lifted and the hospital can consider her request to attend its premises to view her medical records.

Complainant’s request for further investigations or information

[28] The complainant alleges that her PHI was deleted or removed from the Operating Room Scheduling Office System (ORSOS). The ORSOS is used to schedule and keep track of surgeries in the operating rooms.

[29] The complainant also raises concerns about the hospital’s electronic record- keeping practices which, in her view, resulted in factual inaccuracies or omissions in records containing her PHI. The complainant also says that certain electronic entries were not “authenticated” in accordance with the hospital’s policies and that a glitch resulted in her surgery not being properly scheduled in the ORSOS.

[30] The complainant submits that a further investigation is required to address these issues and suggests that I retrieve the hospital’s policies in force at the time of her surgery to determine what was required by hospital staff to authenticate entries in ORSOS. The complainant also submits that the hospital should produce a report noting all the “digital signatures” and that she should have an opportunity to speak directly with an ORSOS system administrator.

[31] I find that the complainant’s request that I consider these issues falls outside the limits of my review. These issues appear to be connected to the concerns that she raised about the hospital’s information practices and focus on a historical review of information practices.

[32] For reasons already stated, I find that the issue of whether the hospital contravened the provisions in PHIPA dealing with a custodian’s information practices is not before me.

B) Issues not within the jurisdiction of the IPC

[33] Throughout her submissions, the complainant raises numerous concerns about the post-operative care she received, particularly with respect to pain management. The complainant also raises questions about the hospital’s external counsel’s role in responding to her PHIPA request and asserts that individuals in the hospital’s privacy office acted inappropriately.

[34] An individual is entitled, pursuant to sections 54(8), 55(7), 55(12), 56(1) and 56(3) of the Act, to complain to this office about a custodian’s response to an access or correction request, or a contravention of PHIPA by any person. However, this office does not have jurisdiction to address a complaint about the care given to the complainant by custodians, or other professional obligations unrelated to the statutes administered by this office. [15] In the circumstances of this matter, I do not have the authority to review or make comments about the care the complainant received as a patient or review the conduct of hospital or medical professionals.

[35] In addition, the complainant argues that the hospital’s lawyer should not have gotten involved in the hospital’s response to her 2016 PHIPA request as this individual was already involved in responding to her civil suit against the hospital. The complainant submits that “Privacy Officers are responsible for ensuring the [hospital] complies with PHIPA and FIPPA and they should perform their role as honestly and objectively as they can to ensure there is transparency and accountability, but to collude with external legal counsel about [my] medical records is quite frankly unconscionable.”

[36] In my view, the complainant’s evidence in this regard also raises issues outside the scope of this complaint. In any event, I know of no requirement that would bar the hospital’s lawyer from providing its client legal advice regarding the complainant’s access request under PHIPA. Accordingly, no further mention of these issues will be addressed in this decision.

C) Issues already decided in the complainant’s previous complaint

[37] As noted above, in response to her 2016 PHIPA access request, the hospital granted the complainant access to records and identified records previously provided to her in response to her 2012 request.

[38] In her representations, the complainant says that her review of the records provided to her in 2012 and 2016, including her review of the audit logs provided to her, suggests that additional records should exist. [16] The complainant submits that it is “inconceivable” that nothing is documented in the medical records she received about the severity, nature or location of her pain that she, her husband and her friend voiced to hospital staff. The complainant argues that there are other gaps in the records provided to her, such as notations relating to medication, a bladder test and the removal of a catheter.

[39] However, this office concluded that the complainant’s 2012 complaint should not proceed further through the complaint process as the complainant failed to provide a reasonable basis to support her belief that additional records responsive to her request, other than those already provided, exist at the hospital. I will not be revisiting this office’s decision communicated to the complainant on April 2, 2013 about her 2012 complaint and will make no further mention in response to her assertion that additional records than what has already been provided to her in respect of the 2012 matter should exist.

DISCUSSION:

[40] The sole issue before me is whether the hospital conducted a reasonable search for responsive records relating to the 2016 request as required by sections 53 and 54 of PHIPA. If I am satisfied that the searches carried out were reasonable in the circumstances, I will uphold the hospital’s decision. If I am not satisfied, I may order further searches.

[41] Section 54 of PHIPA is relevant when reviewing the adequacy of a health information custodian’s search for records that are responsive to a request. This section states, in part:

(1) A health information custodian that receives a request from an individual for access to a record of personal health information shall,

(a) make the record available to the individual for examination and, at the request of the individual, provide a copy of the record to the individual and if reasonably practical, an explanation of any term, code or abbreviation used in the record;

(b) give a written notice to the individual stating that, after a reasonable search, the custodian has concluded that the record does not exist, cannot be found, or is not a record to which this Part applies, if that is the case.

[42] Where a complainant claims that additional records exist beyond those identified by the hospital, the issue to be decided is whether the hospital has conducted a reasonable search for records as required by sections 53 and 54 of the Act. If this office is satisfied that the search carried out was reasonable in the circumstances, the hospital’s decision will be upheld. If this office is not satisfied, it may order further searches.

[43] This office has addressed the issue of reasonable search under both PHIPA and public sector access and privacy legislation (FIPPA, and its municipal counterpart). In particular, in PHIPA Decisions 17 and 18, this office observed that the principles established in reasonable search orders issued under the public sector access and privacy legislation provide guidance in determining whether a health information custodian has conducted a reasonable search under the PHIPA. [17]

Representations of the parties

[44] As referenced above, the four main concerns the complainant identified relating to the hospital’s search for responsive records are:

1. Original surgical documentation entered into the Operation Room Scheduling Office System by nursing staff on the day of her surgery (ORSOS records of nursing staff);
2. Electronic records relating to her surgery and recovery in the Post Anesthesia Care Unit and throughout her entire admission to the hospital for three days in 2007 (electronic records related to surgery and recovery);
3. Audit logs or access logs for her Electronic Patient Record (audit reports); and
4. Chronological listing of all documentation scanned and held on the hospital’s server relating to her 2007 admission to the hospital (chronological lists of all records of PHI).

A) ORSOS records of nursing staff

[45] Throughout her submissions, the complainant argues that the electronic records provided to her are devoid of nursing records that she says should have been created during her surgery. The complainant states “there were no records that specifically related [to the surgery] that the nurses would have prepared during the time [I] was in the [operating room].” The complainant believes that nursing records should exist because she was in the operating room for “almost 7 hours and had two separate procedures.”

[46] The hospital maintains that it has already responded to the complainant’s multiple requests for ORSOS records.

Background

[47] The hospital submits that it granted the complainant “a copy of her ORSOS record” in response to her 2012 request and subsequently provided her screenshots. The hospital also submits that the complainant attended its premises and examined the electronic ORSOS records in person in 2013.

[48] The hospital submits that the complainant still had questions about the ORSOS records and subsequently requested an audit of her PHI held in the ORSOS. The hospital says that at the time, the complainant was told that the audit function was not enabled at the time of her surgery and as a result ORSOS audit records could not be produced.

[49] The complainant was not satisfied with the hospital’s explanation and contacted the software vendor to make inquiries and obtained confirmation that the version of the ORSOS used by the hospital at the time of her surgery had audit capabilities.

[50] The hospital does not dispute that the version of the ORSOS used at the time of the complainant’s surgery had auditing capabilities. However, the hospital submits that this function was not turned on. In support of this position, the hospital referred to its response to this office in HA12-63, which addressed the complainant’s request for audit records and explained that:

...when [the hospital] switched versions of the ORSOS records the ability to log all changes to the fields was not activated and therefore an audit report of changes to the fields was not available. Instead, staff were instructed to write a short summary in the “Comments” section if they made any changes to the record.

2016 Complaint

[51] The complainant’s arguments regarding the ORSOS records are two-fold. First, the complainant submits that the hospital should have available a copy of the record that captures her PHI recorded during the timeframe of her surgery. In support of this argument, the complainant submits that the record the hospital provided her is “not the original nursing report” and states that the record provided to her:

... is not the original record from [the date of her surgery] or the original record was modified or an alternate ORSOS Record was prepared and sent to [me], or the original ORSOS was modified. There is no evidence provided by [the hospital in its affidavit that the former privacy officer] asked anyone experienced in the ORSOS software for a copy of [the] original ORSOS Record, which record likely commenced on [date of the surgery]...

[52] The complainant argues that it is reasonable to believe that the “original nursing report” exists as the hospital has a legal requirement to maintain a copy in its record holdings. The complainant also takes the position that it is reasonable to expect that a copy of the original record should be able to be retrieved by a system backup.

[53] Second, the complainant does not accept the hospital’s explanation that there are no audit records relating to her PHI stored in the ORSOS. The complainant argues that the ORSOS’ audit capabilities were in fact turned on during her surgery.

[54] The hospital maintains that the ORSOS records provided to the complainant “accurately reflect her personal information as stored in the system”. The hospital also submits that all of the records concerning the complainant “that are maintained in the ORSOS system have been provided to her and its search for ORSOS records was reasonable.”

B) Electronic records related to surgery and recovery

[55] The complainant submits that the hard copy of the general anesthesia and Post Anesthesia Care Unit (PACU) records provided to her in response to her 2012 and 2016 requests were “almost completely illegible” and fail to note when the doctors started and completed the two surgeries.

[56] The complainant takes the position that the hospital’s search for electronic records related to her surgery and recovery in the PACU and throughout her three-day admission at the hospital was not reasonable. The complainant submits that additional records containing her PHI must exist over and above what was provided to her. The complainant says she is seeking access to “all anesthesiology related records pertaining to her [surgery], including electronic records prepared by anesthesiology (monitoring, documentation of care during surgery) as well as reports related to all medications given to [her].” In support of this position, the complainant submits that in 2007, when her surgery took place, the hospital’s anesthesia department used an electronic information system [18] and that additional records should be able to be retrieved from this system.

[57] The hospital maintains that it conducted a reasonable search for the requested records and already provided the complainant with copies. In support of its position, the hospital submits:

• The PACU nursing record provided to the complainant in response to her 2012 access request is the only responsive record located;
• The original paper copy was scanned into the complainant’s EPR and subsequently destroyed as per the hospital’s policy;
• In addition, in 2013, the former privacy advisor:
• sent an email to a doctor requesting “any documentation related to anesthesiology in any other system (or in the EPR)” and received a response that the only anesthetic record located was the one scanned in the EPR; and
• requested an audit “for all activities in [the Clinical Anesthesia Information System (CAIS)]” related to the complainant for the period of May 1, 2007 to July 2013 and received a response from a system administrator that no records relating to the complainant could be located in CAIS. The system administrator provided the explanation that CAIS records are generally created for patients assessed in the preadmission clinic and the complainant was not assessed in this clinic.

[58] In support of its position, the hospital provided copies of emails exchanged between its privacy office and hospital staff, including a doctor, system administrators and a site manager in an effort to coordinate a search for responsive records and identify if any audit reports may be available. Copies of these emails were provided to the complainant with her copy of the hospital’s representations.

[59] The complainant responded:

As for a reasonable search for [my] Anesthesiology and PACU Records, it is [my] opinion that there are electronic records associated with both, however the only search performed was an email between [the former Privacy Officer] and [a named doctor], with [the doctor] stating [that] the only anesthetic note is the anesthetic record itself which is in EPR as a Scanned Document/Operations and Procedure.

...

[The former Privacy Officer] should have asked the administrator of the software systems used by anesthesiology to perform a search.

[60] The complainant goes on to say that she called the hospital’s anesthesiology department and spoke to an anesthesiologist who answered the phone. The complainant says she asked the anesthesiologist “what about all the monitoring performed on patients, how does this information get filed in the patient chart?” The complainant submits that she was told that “reports from all monitoring equipment are printed off and scanned in the patient’s chart.”

[61] The complainant does not dispute that the hospital’s policy was to scan anesthesiology reports and that original hard copies may no longer be available. Her point is that “she believes the anesthesia department had its own electronic system it used [at the time of her surgery] that has not been disclosed.” In support of this position, the complainant referred to the evidence of a hospital perioperative nurse provided in response to questions asked by her lawyer during an examination for discovery that took place related to her civil suit.

[62] The complainant also argues that electronic records should exist which would document “which drugs were used and how much, or any other substantive comments by the anesthesiology department respecting the [surgery], including what happened in the PACU.” The complainant submits that she also contacted the hospital’s pharmacy and asked how drugs were dispensed in the OR. Based on that conversation, the complainant concluded there must be some tracking system in place at the hospital related to the dispensation of drugs and that this information “may be included in the electronic software” used in 2007. The complainant also asserts that:

... the anesthesiologist would have electronically charted all the medications administered to the patient in the OR and PACU. From a detail perspective, the [hospital] must have strict controls on medications so the fact that the [hospital] never disclosed what medications were administered in the OR leads [me] to believe that the entire anesthesia system was not disclosed as there may be documentation in the electronic anesthesia record as to when [my surgery] actually started and what happened in the PACU.

C) Audit reports

[63] The hospital takes the position that it conducted a reasonable search for any audit records requested by the complainant. The hospital submits that upon its receipt of the complainant’s prior access request in 2012:

• the former privacy advisor conducted a review of the patient record to identify the locations and systems where the complainant’s PHI could be located and coordinate a search by contacting the individuals responsible for each system’s operation to determine whether audit reports could be generated;
• in October 2013, the complainant was provided with seven audit reports from the EPR, as well as reports from the JDMI [19] and PHS [20] systems. The hospital’s letter to the complainant says that four other information systems, including the ORSOS [21] were identified in which the complainant’s PHI may be stored but stated that these systems “do not have audit report capability”; and
• updated audit reports from the EPR were provided to the complainant in November 2013 and 2017.

[64] In support of its position, the hospital provided copies of email exchanges between its privacy office and system administrators, including an email exchange with a site manager who was asked to identify the individuals responsible for each information system. [22]

[65] The complainant makes a distinction between audit and access logs. The complainant argues that she has been only provided access logs, which she asserts are unsatisfactory as they only identify who accessed her PHI. The complainant argues that the hospital should be required to provide her audit logs which would capture “any changes, modifications, deletions etc.” to her PHI in a record. The complainant states:

... if individuals have unique IDs and passwords, the system has an electronic footprint of who accessed the system and when, and what they did. To say otherwise is absurd.

[66] The complainant goes on to say that the hospital has two versions of the ORSOS, one for day-to-day operations and the other for testing purposes. The complainant argues that the hospital should be ordered to conduct additional searches for audit records relating to her PHI stored in both versions. The complainant also argues that during her civil suit she heard testimony which leads her to believe that the EPR has the capability to produce audit logs.

D) Chronological List of all records of PHI

[67] The complainant argues that the hospital failed to provide her with a chronological list of all documents containing her PHI that was scanned and held on its server. In support of this position, the complainant states, in part:

I do not believe any of the electronic PHI provided to me is original... I have repeatedly requested a chronological listing of all documentation scanned and stored on [named] server, documentation I can cross-reference to my [Electronic Patient Record], as well as chronological entries made into other systems for which the [hospital] has never provided me with any documentation. I have chart copies of some clinic notes, however all were printed out months after they were originally prepared and the doctors who apparently wrote them have authenticated NONE.

...

I did ask the [hospital] for a chronological listing of all documentation scanned and held on the secure website that can be assessed through the [hospital’s] Desktop, but the [hospital’s] response was that these records do not exist.

[68] In its representations, the hospital submits that it conducted a reasonable search for the requested lists. The hospital states that it contacted staff responsible for the maintenance of its Electronic Patient Record system (EPR) along with staff in the Health Records Department but was told “the system cannot generate a listing as requested.”

[69] The hospital submits that though the requested lists could not be generated, the complainant:

• has had an opportunity to review her records in person in every system in which they were stored. During these reviews, the complainant “would have been able to see which records had been barcoded and scanned into the system.” In addition, staff were available to answer any questions the complainant had during her review of the electronic records; and
• was provided with a detailed index in response to her 2016 request.

[70] The complainant’s representations in response to the hospital’s representations did not specifically address this issue.

Analysis and Decision

[71] PHIPA does not require the custodian to prove with absolute certainty that further records do not exist. However, the custodian must provide sufficient evidence to show that it has made a reasonable effort to identify and locate responsive records. [23] To be responsive, a record must be "reasonably related" to the request. [24]

[72] A reasonable search is one in which an experienced employee knowledgeable in the subject matter of the request expends a reasonable effort to locate records which are reasonably related to the request. [25]

[73] A further search will be ordered if the hospital does not provide sufficient evidence to demonstrate that it has made a reasonable effort to identify and locate all of the responsive records within its custody or control. [26]

[74] Although a complainant will rarely be in a position to indicate precisely which records the hospital has not identified, the complainant still must provide a reasonable basis for concluding that such records exist. [27]

[75] A complainant’s lack of diligence in pursuing a request by not responding to requests from the institution for clarification may result in a finding that all steps taken by the hospital to respond to the request were reasonable. [28]

[76] The complainant paints a picture in which individuals in the privacy office responded to her access requests without consulting individuals responsible for maintaining the hospital’s information systems. This is not the case. For the reasons stated below, I find that the hospital’s search for records in response to the complainant’s 2016 request was reasonable and dismiss the complaint.

The hospital’s search for ORSOS records was reasonable

[77] The complainant’s submissions hinge on her belief that the hospital’s audit capability for the ORSOS was turned on when her surgery occurred. The reasons she provides for rejecting the hospital’s evidence that the audit function was turned off are the results of inquiries she made to the hospital’s service provider. In support of her position, the complainant provided copies of emails she exchanged with the service provider.

[78] In my view, these emails fall short of establishing a reasonable basis for believing that the audit function was turned on. In making my decision, I took into consideration that the complainant’s inquiries with the service provider were made years after her surgery. I also place little weight on the emails the complainant provided in support of her position that the hospital made inquiries with the service provider about the audit function and received audit training. In my view, this evidence was obtained out of context and is based on the vague non-specific recollection of the service provider who admits that other stakeholders attended the training session in question.

[79] The remainder of the complainant’s submissions detail her criticisms of the hospital’s information practices and the lack of documentation authored by nurses in records containing her PHI. As I have already noted, the hospital’s information practices are not an issue before me.

[80] Having regard to the evidence of the parties, I am satisfied that the hospital’s search for electronic ORSOS records was reasonable. I am also satisfied that the hospital’s search was coordinated and completed by experienced individuals knowledgeable in the subject matter of the request who made a reasonable effort to identify and locate responsive records. Finally, I am satisfied with the hospital’s explanation regarding its search efforts and response to the complainant’s inquiries about whether the audit function of ORSOS was turned on at the time records related to her surgery were created.

The hospital’s search for electronic records was reasonable

[81] In my view, the complainant has failed to establish a reasonable basis for her belief that additional electronic records related to her surgery and recovery exist. Again, the crux of the complainant’s argument is her belief that more records than have been located should exist given the circumstances of her admission to the hospital. The complainant also argues that the hospital’s anesthesiology department had the ability to create electronic records in an electronic information system that has the capability of retrieving records in their original format.

[82] I considered the evidence of the parties and am satisfied that the hospital provided sufficient evidence establishing that it made a reasonable effort to identify and locate responsive records in addition to the paper nursing record that was provided to the complainant.

[83] The complainant asks that I prefer her evidence over that of the hospital which outlined the steps it took in consulting medical staff, the site manager and system administrator. The complainant argues that the hospital’s privacy office should have done more, including by continuing its investigation into whether additional anesthesiology software systems were used at the time of her surgery. The complainant insists that additional electronic records should exist given the checks and balances one would expect to be in place relating to the dispensing of drugs and the nature of her surgery. The complainant also relies on information she obtained in response to a telephone inquiry she made to the hospital’s anesthesiology department years after her surgery. Again, the complainant argues that additional electronic records should exist because she expected a certain standard of care in the medical services she received and the hospital’s documentation of same. In my view, most of the complainant’s arguments relate to the hospital’s information practices and I already decided that these issues are not before me.

[84] For the reasons stated above, I find that the hospital has outlined in sufficient detail the steps it took to respond to this part of the complainant’s request and am satisfied that it conducted a reasonable search. In making my decision, I accept the explanation provided by the hospital’s system administrator that it is likely that no further records exist in its electronic systems as the complainant was not assessed in the preadmission clinic.

The hospital’s search for audit records from the EPR and ORSOS was reasonable

[85] I have reviewed the evidence of the parties and am satisfied that the hospital has established that its search for audit records was reasonable. I note that the hospital’s evidence explains the steps it took to review the patient record and identify possible locations and systems where the complainant’s PHI could be located. In addition, the hospital contacted various individuals responsible for operating the identified systems to determine whether audit records could be generated. I note that the hospital provided the complainant with seven audits from the EPR in October 2013 and updated audits were provided to her in 2013 and 2017. I am also satisfied that the hospital’s search was coordinated and conducted by experienced individuals knowledgeable in the subject matter of the request and that it provided sufficient evidence establishing that it made a reasonable effort to identify and locate responsive records. Finally, I am satisfied with the hospital’s explanation regarding its search efforts and response to the complainant’s inquiries about its audit capabilities regarding electronic records that would have been created at the time of her surgery.

[86] Accordingly, I find that the hospital’s search for audit records relating to the EPR and ORSOS was reasonable.

The hospital’s search for chronological lists was reasonable

[87] The complainant’s representations did not specifically respond to the hospital’s evidence that it conducted a reasonable search for the requested list. I am satisfied the hospital outlined with sufficient detail the steps it took to respond to this part of the complainant’s request. In particular, the hospital submits that it consulted experienced individuals in its Health Records Department along with individuals knowledgeable in the maintenance of its Electronic Patient Record system. I am satisfied that the hospital has established that it made a reasonable effort to identify and locate responsive records. I am also satisfied with the hospital’s explanation that its electronic systems cannot generate the lists requested by the complainant.

[88] Accordingly, I find that the hospital’s search for the chronological lists was reasonable.

Summary

[89] For the reasons set out above, I find there is no reasonable basis to believe that additional records exist that are responsive to the four main concerns identified by the complainant in her 2016 access request, and that the hospital conducted a reasonable search for records.

NO ORDER:

I make no order in this matter. If the complainant wants to pursue any issues identified as outstanding in the mediator’s report, not addressed in this decision, she will have to declare her intentions by writing to this office within 30 days of her receipt of this order.

Original Signed by:		February 17, 2021
Jennifer James
Adjudicator