Health Information and Privacy

Decision Information

Summary:

The Office of the Information and Privacy Commissioner of Ontario received a complaint under the Personal Health Information Protection Act, 2004 (the Act) about a public hospital (the hospital)’s redaction of its employees’ names from an audit of a patient’s health records. This led to an investigation by this office into the hospital’s practices with respect to responding to access requests for these audits.

This decision concludes that the hospital’s practices were not in accordance with section 54(1) of the Act. However, in light of the steps taken by the hospital to amend these practices, this decision finds that a review of this matter is not warranted.

Decision Content

PHIPA DECISION 152

Complaint HI19-00016

A Public Hospital

July 21, 2021

Statutes Considered: Personal Health Information Protection Act, 2004, sections 1(b), 3(1), 4(1) and (2), 52(1) and (3), 53(1) and 54(1).

Decisions Considered: PHIPA Decision 17.

BACKGROUND:

[1] Under the Personal Health Information Protection Act, 2004 (the Act or PHIPA), the Office of the Information and Privacy Commissioner of Ontario (the IPC or this office) received an access complaint about a public hospital (the hospital).

[2] The complainant advised that, in response to his written access request for an audit of his son’s medical record, the hospital gave him a copy of the audit with the names of its employees redacted.

[3] The complainant was dissatisfied with the copy he received because of the redactions and, further, the hospital did not give him a reason(s) for them. As a result, he made three additional requests to the hospital for a copy of the audit with its employees’ names unredacted.

[4] The hospital refused the complainant’s first and second requests and explained to him that the names could not be disclosed due to privacy regulations. However, in response to the complainant’s third and final request, the hospital gave him a copy of the audit with its employees’ names disclosed. According to the complainant, the hospital only did so after he advised that he would make a complaint to this office, which he did. This complaint was resolved at the Intake Stage of the IPC’s PHIPA process.

[5] The circumstances described above raised questions about the hospital’s practices for responding to requests by individuals for access to their records of personal health information, and the IPC decided to initiate its own file to inquire into the matter.

[6] During the Intake Stage of this file, the hospital advised that its general practice with respect to the disclosure of its employees’ names was to refuse to identify employees upon general request unless special circumstances applied or where it was able to notify staff and/or union representatives in advance.

[7] Further, the hospital advised that it did not disclose its employees’ names and/or their contact information without an order or direction made under the Regulated Health Professionals Act (the RHPA) from an investigating college. [1] Under such an order or direction, the hospital explained that these names would be disclosed to an investigator upon request.

[8] Moreover, the hospital advised that it followed the aforementioned disclosure process where the request related to litigation or an IPC privacy complaint. In such circumstances, the hospital advised that it would release an employee’s name to the legal team representing the parties involved in litigation or to the IPC.

[9] In this matter, the hospital advised that it followed its practices, but ultimately decided to disclose all of its employees’ names to the complainant even though it did not involve a privacy complaint.

[10] The matter moved to the Investigation Stage of the IPC’s PHIPA process and I was assigned as the Investigator. As part of my investigation, I requested and received written representations from the hospital.

[11] In this decision, I find that the hospital’s practices as described above do not comply with its obligations under section 54(1) of the Act. The hospital applied a pre-determined approach to records that contain staff names, rather than responding by either granting access to the records or providing a written notice setting out its reasons for refusing access to all or part of the records.

[12] However, in light of the steps taken by the hospital to amend these practices, I conclude that no review is warranted under the Act.

PRELIMINARY ISSUES:

[13] There is no dispute that the hospital is a “health information custodian” within the meaning of section 3(1) of the Act.

[14] Further, the hospital does not dispute that an audit of a patient’s health record contains personal health information within the meaning of section 4(1) of the Act. “Personal health information” is defined in this section, in part, as follows:

“personal health information”, subject to subsections (3) and (4), means identifying information about an individual in oral or recorded form, if the information,

(a) relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family,

(b) relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual,

[15] Moreover, section 4(2) of the Act defines “identifying information” as follows:

“identifying information” means information that identifies an individual or for which it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify an individual.

ISSUES:

[16] This decision addresses the following issues:

  1. Did the hospital’s practices comply with section 54(1) of the Act?
  2. Is a review warranted under Part VI of the Act?

DISCUSSION:

Issue 1: Did the hospital’s practices comply with section 54(1) of the Act?

[17] Part V of the Act, generally, sets out the rules governing an individual’s right of access to their health records, how an individual can exercise this right and the obligations of a health information custodian (custodian) in responding to requests for access.

[18] Under section 52(1) of the Act, generally, “an individual has a right of access to a record of personal health information about the individual that is in the custody or under the control of a health information custodian”.

[19] However, section 52(3) of the Act limits this right of access, as follows:

Despite subsection (1), if a record is not a record dedicated primarily to personal health information about the individual requesting access, the individual has a right of access only to the portion of personal health information about the individual in the record that can reasonably be severed from the record for the purpose of providing access.

[20] In PHIPA Decision 17, Assistant Commissioner Sherry Liang considered the difference between records that are and are not primarily dedicated to personal health information about an individual.

[21] She explained the importance of this distinction as follows:

The distinction is important because if a record is dedicated primarily to the personal health information of the individual, the individual has a right of access to the entire record, even if it incidentally contains information about other matters or other parties. If a record is not dedicated primarily to the personal health information of the individual, the right of access only applies to the information about the individual that can reasonably be severed from the record. [2] [emphasis added]

[22] With respect to determining the limit on an individual’s right of access, Assistant Commissioner Liang stated:

The determination of whether a record is or is not dedicated primarily to personal health information about an individual is therefore an important first step in defining the individual’s right of access in PHIPA. [3]

[23] To exercise a right of access to a health record, section 53(1) of the Act requires that an individual do the following:

An individual may exercise a right of access to a record of personal health information by making a written request for access to the health information custodian that has custody or control of the information.

[24] In response to an access request, section 54(1) of the Act requires that a custodian take one of the following steps:

A health information custodian that receives a request from an individual for access to a record of personal health information shall,

(a) make the record available to the individual for examination and, at the request of the individual, provide a copy of the record to the individual and if reasonably practical, an explanation of any term, code or abbreviation used in the record;

(b) give a written notice to the individual stating that, after a reasonable search, the custodian has concluded that the record does not exist, cannot be found, or is not a record to which this Part applies, if that is the case;

(c) if the custodian is entitled to refuse the request, in whole or in part, under any provision of this Part other than clause 52 (1) (c), (d) or (e), give a written notice to the individual stating that the custodian is refusing the request, in whole or in part, providing a reason for the refusal and stating that the individual is entitled to make a complaint about the refusal to the Commissioner under Part VI; or

(d) subject to subsection (1.1), if the custodian is entitled to refuse the request, in whole or in part, under clause 52 (1) (c), (d) or (e), give a written notice to the individual stating that the individual is entitled to make a complaint about the refusal to the Commissioner under Part VI, and that the custodian is refusing,

(i) the request, in whole or in part, while citing which of clauses 52 (1) (c), (d) and (e) apply,

(ii) the request, in whole or in part, under one or more of clauses 52 (1) (c), (d) and (e), while not citing which of those provisions apply, or

(iii) to confirm or deny the existence of any record subject to clauses 52 (1) (c), (d) and (e).

[25] In this matter, the hospital responded to the complainant’s first and second request for audit records showing accesses to his son’s personal health information by providing redacted copies of the records without explaining its reasons for refusing access to the redacted portions. Therefore, the hospital failed to comply with section 54(1)(c) and/or (d) of the Act.

[26] The hospital does not dispute that a patient has a right of access to audit records containing their personal health information, subject to any limits on this right under section 52(3), as well as any applicable exceptions and exclusions set out in the Act.

[27] Further, with respect to section 52(3), the hospital advised that, in its view, audit records such as the ones at issue in this case are generally dedicated primarily to personal health information about the patient. In this case, the audit was generated at the request of the complainant, and was specifically directed at his son’s medical record.

[28] Moreover, the hospital advised that there is nothing in the Act, the RHPA or otherwise that supported its practice of routinely redacting its employees’ names and/or their contact information from audit records when responding to access requests.

[29] I find that the hospital’s practice of redacting employees’ names and/or their contact information from audit records when providing access under the Act, did not comply with its obligations under section 54(1). The hospital routinely redacted information in response to access requests without providing the written notices required by section 54(1)(c) or (d) explaining its reasons for refusing access to the redacted portions.

[30] In response to the issues raised in this investigation, the hospital advised that it reviewed its practices and that, going forward, when responding to an access request for audit records, it will provide access in full, unless there is a provision under the Act that allows it not to do so.

[31] More specifically, the hospital explained that all requests for audit records will be forwarded to its Chief Privacy Officer, who, going forward, has committed to granting access to such records without any redactions of employees’ names unless the Act permits otherwise.

[32] I make no comment on the potential for the existence of valid reasons under the Act to refuse access to such information, or for section 52(3) to apply to limit access to audit records, depending on the facts. The hospital must consider each request on its own merits, in keeping with its obligations under section 54(1).

Issue 2: Is a review warranted under Part VI of the Act?

[33] Section 58(1) of the Act sets out the Commissioner’s discretionary authority to conduct a review as follows:

The Commissioner may, on his or her own initiative, conduct a review of any matter if the Commissioner has reasonable grounds to believe that a person has contravened or is about to contravene a provision of this Act or its regulations and that the subject-matter of the review relates to the contravention.

[34] In accordance with my delegated authority to determine whether a review is conducted under section 58(1) and for the above reasons, I find that a review is not warranted.

[35] Although I have found that the hospital’s previous practices did not comply with its obligations under section 54(1) of the Act, during the course of this investigation it has taken steps to comply. Therefore, there is no purpose to be served by conducting a review.

DECISION:

For the foregoing reasons, no review of this matter will be conducted under Part VI of the Act.

Original Signed by:

John Gayle

Investigator

July 21, 2021


[1] The hospital advised that such investigating colleges include the College of Physicians and Surgeons of Ontario, the College of Nurses of Ontario and the College of Respiratory Therapists of Ontario.

[2] PHIPA Decision 17, para. 86.

[3] PHIPA Decision 17, para. 87.
