Health Information and Privacy

Decision Information

Summary:

The complainant, a patient of a regional cancer centre within a public hospital, alleged that Cancer Care Ontario collected and used his personal health information, obtained through a cancer symptoms survey, without his valid consent and without legal authority. He also expressed concerns about the survey, including that it should have clearly stated that its completion was voluntary. Cancer Care Ontario responded that various sections of the Personal Health Information Protection Act, 2004 and its regulations authorize it to provide the survey to the hospital, collect personal health information from the hospital and store personal health information from the survey in a database. In some of these transactions, Cancer Care Ontario acts in its capacity as a health information network provider, while in others, it acts in its capacity as a prescribed entity. Cancer Care Ontario also took steps to address the complainant’s concerns, including updating the survey to make it clearer that completion of the survey was voluntary.
The adjudicator determines that Cancer Care Ontario has responded adequately to the complaint and there are no reasonable grounds to conduct a review. As a result, she declines to conduct a review and she dismisses the complaint.

Decision Content

Logo of the Information and Privacy Commissioner of Ontario, Canada / Logo du Commissaire à l'information et à la protection de la vie privée de l'Ontario, Canada

PHIPA DECISION 166

Complaint HC18-00148

Ontario Health [1] : a prescribed entity and health information network provider

December 14, 2021

Summary: The complainant, a patient of a regional cancer centre within a public hospital, alleged that Cancer Care Ontario collected and used his personal health information, obtained through a cancer symptoms survey, without his valid consent and without legal authority. He also expressed concerns about the survey, including that it should have clearly stated that its completion was voluntary. Cancer Care Ontario responded that various sections of the Personal Health Information Protection Act, 2004 and its regulations authorize it to provide the survey to the hospital, collect personal health information from the hospital and store personal health information from the survey in a database. In some of these transactions, Cancer Care Ontario acts in its capacity as a health information network provider, while in others, it acts in its capacity as a prescribed entity. Cancer Care Ontario also took steps to address the complainant’s concerns, including updating the survey to make it clearer that completion of the survey was voluntary.

The adjudicator determines that Cancer Care Ontario has responded adequately to the complaint and there are no reasonable grounds to conduct a review. As a result, she declines to conduct a review and she dismisses the complaint.

Statutes Considered: Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, sections 2 (definitions of “collect,” “disclose,” and “use”), 10(4), 45(1), 45(3), 45(5), 57(2)(c), 57(3) and 57(4); and O Reg 329/04, sections 6(2), 6(4) and 18(1).

BACKGROUND:

[1] This decision determines that Cancer Care Ontario (CCO), which is now part of Ontario Health, responded adequately to the complainant’s concerns about CCO. Those concerns relate to CCO’s actions regarding the personal health information the complainant provided in his answers to a cancer symptoms survey (the survey) that he completed at a regional cancer centre (the cancer centre) of a hospital (the hospital). This decision also determines that there are no reasonable grounds to conduct a review of the complaint under the Personal Health Information Protection Act, 2004 (the Act). A separate complaint about the hospital, in relation to the same events, is the subject of a related decision, PHIPA Decision 167.

[2] CCO is the Ontario government’s principal cancer advisor, with a mission to improve the cancer system. [2] CCO’s purposes include collecting and analyzing data about cancer services, and monitoring and measuring the performance of the cancer system. CCO equips health professionals, organizations and policymakers with up-to-date cancer knowledge and tools to prevent cancer and deliver high-quality patient care.

[3] The survey, “Your Symptoms Matter – Prostate Cancer Assessment Tool,” is part of CCO’s Expanded Prostate Cancer Index Composite survey, [3] found on the Interactive Symptom Assessment and Collection (ISAAC) tool at the cancer centre. ISAAC is an e-tool, available on touchscreen kiosks at regional cancer centres, and developed and hosted by CCO as part of its initiative to promote a set of accessible and standardized symptoms assessment and management tools based on patients’ self-reporting of their symptoms.

[4] During the course of this complaint, CCO advised that there are two ISAAC databases on which the survey answers are stored, the ISAAC Production Database (the production database), and the ISAAC Replication Database (the replication database). CCO explained that it has two distinct roles in relation to the personal health information found in the ISAAC databases: that of a health information network.

[5] Provider (HINP) in respect of the production database and that of a prescribed entity in respect of the replication database. As a HINP, CCO provides the production database to the hospital and the regional cancer centres for their use. As a prescribed entity, CCO collects information from the replication database to plan, manage and improve cancer services in the province. I discuss the two databases and CCO’s two roles more fully, below.

[6] At the outset, it is important to note that the words “collect,” “disclose” and “use” are defined terms under the Act. Section 2 of the Act contains the respective definitions, which apply in this decision, and states:

“collect”, in relation to personal health information, means to gather, acquire, receive or obtain the information by any means from any source, and “collection” has a corresponding meaning;

“disclose”, in relation to personal health information in the custody or under the control of a health information custodian or a person, means to make the information available or to release it to another health information custodian or to another person, but does not include to use the information, and “disclosure” has a corresponding meaning;

“use”, in relation to personal health information in the custody or under the control of a health information custodian or a person, means to view, handle or otherwise deal with the information, subject to subsection 6(1), but does not include to disclose the information, and “use”, as a noun, has a corresponding meaning.

The complaint

[7] The complainant, a patient of the cancer centre who completed the survey, filed a complaint with the Information and Privacy Commissioner of Ontario (the IPC) about the survey. The complainant alleged that CCO “collected” and “used” his personal health information in an unauthorized manner because it did not first obtain his “informed” consent. He complained that he was not told that the survey was voluntary and that he could have declined to complete it. He also complained that the kiosk he used to complete the survey was in a public space of the hospital allowing others to view his survey responses, which were composed of sensitive, personal health information. Finally, he complained that a hospital volunteer, who was supposed to assist him with the survey, stood next to him while he inputted his sensitive personal health information and completed the survey.

CCO’s response to the complaint

[8] In response to his complaint, CCO provided the complainant with information about the survey and the ISAAC tool. It advised the complainant that the survey is an assessment tool that allows health care practitioners to identify and create a plan to manage symptoms that a patient may be experiencing as a result of their cancer diagnosis or treatment. CCO explained its two distinct roles in relation to the personal health information in ISAAC: that of a HINP with respect to the production database, and that of a prescribed entity with respect to the replication database.

[9] When patients enter their personal health information into the ISAAC kiosks at the cancer centre, the personal health information is stored in the production database that is under the hospital’s custody, and is used by the hospital’s cancer centre. CCO’s role in relation to the production database is limited to that of an IT service provider: specifically, a HINP as defined in section 6(2) of Ontario Regulation 329/04 of the Act. CCO advised that, in its role as a HINP, it does not handle the survey data entered by the patient for its own purposes, and therefore it does not “collect,” “use,” or “disclose” the survey data within the meaning of those terms in the Act.

[10] Regarding its role as a prescribed entity, CCO explained that under section 45(5) of the Act it is permitted to collect personal health information from a health information custodian (such as the hospital) for the purposes of analysis or compiling statistical information for the management of, evaluation or monitoring of, the allocation of resources to or planning for all or part of the health system, including the delivery of services. CCO advised that the regional cancer centres are authorized to disclose personal health information to it in its role as a prescribed entity, without the consent of the individual to whom the personal health information relates [section 45(1)]. CCO stated that in its role as a prescribed entity, it never collects personal health information directly from patients; it collects personal health information from the hospital, the health information custodian, pursuant to section 45(5) of the Act, which does not require the consent of the patient. CCO explained that the personal health information collected from the hospital is entered into the replication database and is used by CCO for prescribed entity purposes consistent with section 45(1) of the Act. Finally, CCO stated that in order to maintain its designation as a prescribed entity, CCO’s information practices must be reviewed and approved every three years by the IPC.

[11] CCO also took a number of steps in response to the complainant’s concerns. First, it updated the language on the survey instruction page to clearly state that completion of the survey was not mandatory, and it gave the complainant a copy of this updated language. Second, CCO confirmed that it recommended that the hospital provide refresher training to staff and volunteers who assist patients with the survey, and it subsequently confirmed that this refresher training was provided. Third, CCO confirmed with the hospital that all the ISAAC kiosks that display the survey have privacy screens that prevent anyone who is not directly in front of the screen from seeing the inputted information. Finally, CCO removed the complainant’s name and survey responses from both the ISAAC production and replication databases, at the request of and on behalf of the hospital, after the complainant asked for the removal. In addition, CCO explained that although it has developed operational supporting processes that health information custodians may use to train their staff on how to implement the survey, it has no authority to require them to implement these processes or monitor whether or how these processes have been adopted; the health information custodians implement these processes.

Mediation of the complaint

[12] The IPC attempted to mediate the complaint; however, a mediated resolution was not possible. [4] The complainant maintained his belief that patients should be asked for their consent before their personal health information is shared with CCO and used for purposes beyond their care. The complainant also maintained that CCO should be responsible for how the survey is implemented because it provides the survey and the funding for the survey to the hospital, which would not otherwise require patients to complete the survey. Accordingly, the complaint was moved to the adjudication stage of the complaint process where an adjudicator may conduct a review.

Preliminary assessment that no review is warranted

[13] As the adjudicator in this matter, I considered all of the information in the complaint file. My preliminary assessment was that the complaint did not warrant a review under the Act. I advised the complainant of my preliminary assessment that his complaint should not proceed to the review stage for the reasons set out below. I invited the complainant to provide representations in response if he disagreed with my preliminary assessment. I advised the complainant that, before making my final decision, I would consider any representations he provided to explain why his complaint should proceed to the review stage of the complaint process. The complainant did not provide representations.

[14] For the reasons that follow, I decline to conduct a review in this complaint because CCO has responded adequately to the complaint and there are no reasonable grounds to conduct a review.

DISCUSSION:

Should the complaint proceed to a review under the Act?

[15] The only issue in this decision is whether I should conduct a review of the complaint under the Act. Sections 57(3) and (4) of the Act give me the authority to decide whether to conduct a review of this complaint. These sections state, in part:

(3) If the Commissioner does not take an action described in clause (1)(b) or (c) or if the Commissioner takes an action described in one of those clauses but no settlement is effected within the time period specified, the Commissioner may review the subject-matter of a complaint made under this Act if satisfied that there are reasonable grounds to do so.

(4) The Commissioner may decide not to review the subject-matter of the complaint for whatever reason the Commissioner considers proper, including if satisfied that,

(a) the person about which the complaint is made has responded adequately to the complaint[.]

[16] Having considered the circumstances of this complaint and the applicable legislative provisions, I am satisfied that CCO’s reliance on its status as a HINP and a prescribed entity under the Act is a complete response to the complainant’s concerns about CCO’s transactions involving his personal health information. I am also satisfied that there are no reasonable grounds to review the subject-matter of the complaint. In my reasons below, I discuss the legislative provisions that apply in the circumstances of this complaint and set out CCO’s powers and duties under the Act with respect to the personal health information at issue.

[17] The legislative provisions that I discuss, below, confirm that CCO acted within its statutory authority as a HINP in receiving the complainant’s personal health information from the hospital through the survey and storing it in its production database for the hospital’s use (in the hospital’s cancer centre). They also confirm that CCO acted within its statutory authority as a prescribed entity in collecting the complainant’s personal health information from the hospital for prescribed entity purposes consistent with the Act. Finally, CCO responded adequately to the complainant’s concerns about the hospital’s implementation of the survey.

CCO did not “collect,”’ “use” or “disclose” the complainant’s personal health information in its capacity as a HINP

[18] In its capacity as a HINP, CCO functions as an IT service provider and it does not “collect,” “use,” or “disclose” the survey data entered by patients and stored in the production database for its own purposes. CCO provides the survey kiosks to the cancer centre of the hospital and runs them as a function of its role as a HINP, in accordance with section 10(4) of the Act and section 6 of Regulation 329/04 of the Act, to enable the hospital to, among other things, collect patients’ personal health information. Section 10(4) of the Act reads:

10(4) A person who provides goods or services for the purpose of enabling a health information custodian to use electronic means to collect, use, modify, disclose, retain or dispose of personal health information shall comply with the prescribed requirements, if any.

[19] Sections 6(1) and 6(3) of Regulation 329/04 of the Act set out prescribed requirements, which are not at issue in this complaint. [5] However, sections 6(2) and 6(4) of Regulation 329/04 of the Act are relevant and they apply to this complaint. Section 6(2) defines a HINP, while section 6(4) confirms that a health information custodian (the hospital in this complaint) that uses services supplied by a person in section 10(4) of the Act (CCO in this complaint) shall not be considered to be “disclosing” the information within the meaning of section 2 of the Act, as long as the person complies with certain requirements. These sections read:

6(2) In subsection (3),

“health information network provider” or “provider” means a person who provides services to two or more health information custodians where the services are provided primarily to custodians to enable the custodians to use electronic means to disclose personal health information to one another, whether or not the person is an agent of any of the custodians.

6(4) A health information custodian who uses goods or services supplied by a person referred to in subsection 10(4) of the Act, other than a person who is an agent of the custodian, for the purpose of using electronic means to collect, use, modify, disclose, retain or dispose of personal health information shall not be considered in so doing to make the information available or to release it to that person for the purposes of the definition of “disclose” in section 2 of the Act if,

(a) the person complies with subsections (1) and (3), to the extent that either is applicable, in supplying services; and

(b) in the case of a person supplying goods to the health information custodian, the custodian does not, in returning the goods to the person, enable the person to access the personal health information except where subsection (1) applies and is complied with.

[20] Applying section 10(4) of the Act and sections 6(2) and 6(4) of Regulation 329/04 to the circumstances of this complaint, when the hospital uses CCO’s HINP services to collect, use, modify, disclose, retain or dispose of personal health information through the survey, the hospital “shall not be considered in so doing to make the information available or to release it to that person for the purposes of the definition of “disclose” in section 2 of the Act.” Accordingly, CCO’s storage of the complainant’s survey responses in the production database in its role as a HINP is not a disclosure of personal health information by the hospital to CCO, and is not a collection of personal health information by CCO. Patient consent is not required for CCO to act in this capacity.

CCO is permitted to collect personal health information from the hospital in its capacity as a prescribed entity under the Act

[21] Turning to CCO’s role as a prescribed entity, I begin by noting that section 18(1) of Regulation 329/04 of the Act confirms that CCO, which became Ontario Health on December 2, 2019, is a prescribed entity. It states:

18(1) Each of the following entities, including any registries maintained within the entity, is a prescribed entity for the purposes of subsection 45 (1) of the Act:

5. Ontario Health.

[22] In its capacity as a prescribed entity in the circumstances of this complaint, CCO did not collect personal health information directly from the complainant; the hospital did. The hospital, as the health information custodian, collects patients’ personal health information through the survey kiosks that CCO operates, [6] and then discloses it to CCO (in CCO’s capacity as a prescribed entity), without patient consent, as it is authorized to do by section 45(1) of Act. Section 45(1) of the Act permits disclosure of personal health information by a health information custodian (the hospital) to a prescribed entity (CCO) for the planning and management of the provincial health system, without the consent of the patients to whom the personal health information relates, if the prescribed entity meets the requirements under section 45(3) of the Act. Section 45(5) of the Act authorizes a prescribed entity to collect personal health information from a health information custodian. These sections state:

45(1) A health information custodian may disclose to a prescribed entity personal health information for the purpose of analysis or compiling statistical information with respect to the management of, evaluation or monitoring of, the allocation of resources to or planning for all or part of the health system, including the delivery of services, if the entity meets the requirements under subsection (3).

. . .

45(3) A health information custodian may disclose personal health information to a prescribed entity under subsection (1) if,

(a) the entity has in place practices and procedures to protect the privacy of the individuals whose personal health information it receives and to maintain the confidentiality of the information; and

(b) the Commissioner has approved the practices and procedures, if the custodian makes the disclosure on or after the first anniversary of the day this section comes into force.

. . .

45(5) An entity that is not a health information custodian is authorized to collect the personal health information that a health information custodian may disclose to the entity under subsection (1).

[23] Regarding the requirement in section 45(3)(b), I confirm that CCO has had the required prescribed entity approval of the Commissioner at all relevant times. All of CCO’s prescribed entity three-year reviews and approvals documentation is available on the IPC’s website. [7] The IPC conducted and approved CCO’s most recent three-year review in 2020.

[24] Applying the legislative provisions above to the circumstances of this complaint, CCO was authorized under section 45(5) to collect the complainant’s personal health information from the hospital, which, in turn, was authorized under sections 45(1)  and 45(3)  to disclose the complainant’s personal health information to CCO as a prescribed entity.

CCO has responded adequately to the complaint

[25] CCO stated that it is the hospital, as the health information custodian, that implements the operational supporting processes that CCO has prepared regarding the implementation of the survey. Nonetheless, CCO took a number of steps to address the complainant’s concerns, including confirming with the hospital that all kiosks that display the survey have privacy screens and that when a privacy screen is implemented, only someone directly in front of the screen can view the inputted information.

[26] CCO also amended its instruction page for the survey to notify individuals that their participation in the survey is voluntary. The amended instruction page now states:

Welcome to Your Symptoms Matter – Prostate Cancer Assessment Tool. This tool helps you to rate your symptoms so that your health care providers understand how you are feeling now and can look back over time to see how things may have changed. Any responses you choose to provide will help your healthcare team work with you to personalize your treatment plan to manage your symptoms and side-effects. You will be asked 17 questions with four or five answers to choose from. Some questions contain sensitive information, including questions about your sexual function, urinary patterns, and bowel function. Choose the answer that best describes how you are feeling. You may skip any question by pressing the ‘continue’ button on the right hand corner of the screen. A family member or caregiver may also help you fill out this tool, but the answers chosen should show how you feel. At the end of the questionnaire, look at your answers to make sure they are accurate and press ‘Submit’.

Please ask your health care team if you have any questions or concerns.

[27] Regarding training, CCO confirmed that it provided initial training to the regional leads at the cancer centre that included a privacy component and specifically instructed staff and volunteers not to stand next to the patient completing the survey. CCO also confirmed that additional training on sexual health was provided by an expert from Princess Margaret Cancer Centre via webinar. Following this initial training, regional leads at the cancer centre were responsible for training additional staff at the hospital, including new staff, those who missed the initial sessions, and volunteers. CCO stated that, following the complaint, it recommended that the hospital provide refresher training reminding staff and volunteers that they should advise patients that answering the questions is voluntary but encouraged to improve symptom management. CCO also subsequently confirmed that the hospital provided further training to its staff to address the privacy concerns the complainant raised. Finally, CCO removed the complainant’s name and survey responses from both the ISAAC production database and the ISAAC replication database, at the request of and on behalf of the hospital.

[28] While CCO bears some responsibility for how the survey is implemented, considering all the steps (outlined above) that CCO took in response to the complaint, in addition to the initial training and operational supporting processes that CCO provided to the hospital, I am satisfied that CCO responded adequately to the complaint.

Conclusion

[29] In light of the foregoing, I find that CCO responded adequately to the complaint. I further find that there are no reasonable grounds to conduct a review because no purpose would be served by conducting a review of issues that have been addressed. I exercise my authority under sections 57(3)  and 57(4)  to decline to conduct a review of this complaint. I issue this decision in satisfaction of the notice requirement in section 57(5) of the Act.

NO REVIEW:

For the foregoing reasons, no review of this matter will be conducted under Part VI of the Act.

Original Signed by:

 

December 14, 2021

Stella Ball

 

 

Adjudicator

 

 

 



[1] Generally, the IPC does not identify respondents in decisions not to conduct a review under the Act. However, I identify the respondent in this decision for ease of reading, as it has two distinct statutory roles in relation to the personal health information at issue in this complaint. When the complaint was filed, the respondent was Cancer Care Ontario, which was transferred into Ontario Health on December 2, 2019, when the Connecting Care Act, 2019 took effect. For clarity, I refer to Ontario Health as ‘Cancer Care Ontario’ in the remainder of this decision.

[3] Current information on the survey can be found on CCO’s web site at the following link: https://www.cancercareontario.ca/en/guidelines-advice/symptom-side-effect-management/symptom-assessment-tool.

[4] Mediation privilege, noted in section 57(2)(c) of the Act, does not attach to any of the information set out in this decision.

[5] Section 6(1) sets out prescribed requirements for the purposes of section 10(4) of the Act with respect to a person who supplies services for the purpose of enabling a health information custodian to use electronic means to collect, use, modify, disclose, retain or dispose of personal health information, and who is not an agent of the custodian. Section 6(3) sets out prescribed requirements for HINPs in the course of providing services to enable a health information custodian to use electronic means to collect, use, disclose, retain or dispose of personal health information.

[6] The issue of the validity of the complainant’s consent for the hospital’s collection of his personal health information through the survey is addressed in PHIPA Decision 167.

[7] This documentation can be found by using the hyperlink below and selecting Ontario Health (formerly Cancer Care Ontario (CCO)” under the heading “Prescribed Entities under PHIPA.” https://www.ipc.on.ca/decisions/three-year-reviews-and-approvals/three-year-reviews-and-approvals-documentation/

 You are being directed to the most recent version of the statute which may not be the version considered at the time of the judgment.