Health Information and Privacy

Decision Information

Summary:

The complainant, a patient of a regional cancer centre within a public hospital, filed a complaint against the hospital about a cancer symptoms survey he completed at the cancer centre. He complained that the hospital collected his personal health information through the survey and then disclosed it to Cancer Care Ontario, without a valid consent. He also complained about the hospital’s privacy practices and privacy training in respect of how hospital staff registered him for his appointment and how a hospital volunteer assisted him with the survey, and regarding the placement of the survey kiosks. Finally, the complainant asked that his survey responses be removed from his health records with the hospital.
The hospital responded that it had the complainant’s implied consent to collect and use his personal health information in the survey, in accordance with the requirements of the Personal Health Information Protection Act, 2004. The hospital also responded that the Act permitted the hospital to use the services of Cancer Care Ontario (in its capacity as a health information network provider) to collect the complainant’s personal health information through the survey and use it, and to disclose personal health information to Cancer Care Ontario (in its capacity as a prescribed entity). In addition, the hospital confirmed that it provided additional training to its staff and volunteers, added language to the survey to highlight that it was voluntary, and determined that the privacy screen software it used for the kiosks was adequate. Finally, the hospital acknowledged the complainant’s concerns about the validity of his consent and advised him that while it could not remove his survey responses from his health records, it could take steps to preclude the use of his survey responses going forward.
The adjudicator determines that the hospital has responded adequately to the complaint and there are no reasonable grounds to conduct a review. As a result, she declines to conduct a review and she dismisses the complaint.

Decision Content

PHIPA DECISION 167

Complaint HC18-62

A public hospital

December 14, 2021

Statutes Considered: Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, sections 2 (definitions of “collect,” “disclose,” and “use”), 3(1)4i, 10(1), 10(3), 10(4), 12(1), 20(2), 29(a), 37(1)(a), 45(1), 45(3), 45(5), 57(2)(c), 57(3) and 57(4); and O Reg 329/04, sections 6(2), 6(4) and 18(1).

BACKGROUND:

[1] This decision determines that a public hospital [1] (the hospital) responded adequately to the complainant’s concerns about its collection, use and disclosure of his personal health information in his answers to a cancer symptoms survey (the survey), provided by Cancer Care Ontario (CCO), [2] which he completed at the hospital’s regional cancer centre (the cancer centre). It also determines that there are no reasonable grounds to conduct a review of the complaint under the Personal Health Information Protection Act, 2004 (the Act). A separate complaint about CCO, in relation to the same events, is the subject of a related decision, PHIPA Decision 166.

[2] CCO is the Ontario government’s principal cancer advisor, with a mission to improve the cancer system. [3] CCO’s purposes include collecting and analyzing data about cancer services, and monitoring and measuring the performance of the cancer system. CCO equips health professionals, organizations and policymakers with up-to-date cancer knowledge and tools to prevent cancer and deliver high-quality patient care.

[3] The survey, “Your Symptoms Matter – Prostate Cancer Assessment Tool,” is part of CCO’s Expanded Prostate Cancer Index Composite survey, [4] found on the Interactive Symptom Assessment and Collection (ISAAC) tool at the cancer centre. ISAAC is an e-tool, available on touchscreen kiosks at regional cancer centres, and developed and hosted by CCO as part of its initiative to promote a set of accessible and standardized symptoms assessment and management tools based on patients’ self-reporting of their symptoms.

[4] In the complainant’s related complaint against CCO, CCO provided information about the ISAAC tool. I refer to CCO’s representations in this decision because the two complaints concern the same transactions and CCO’s explanation of its role is relevant in this complaint. CCO advised that there are two ISAAC databases on which the survey answers are stored, the ISAAC Production Database (the production database), and the ISAAC Replication Database (the replication database). CCO explained that it has two distinct roles in relation to the personal health information found in the ISAAC databases: that of a health information network provider (HINP) in respect of the production database and that of a prescribed entity in respect of the replication database. As a HINP, CCO provides the production database to the hospital and the regional cancer centres for their use. As a prescribed entity, CCO collects information from the replication database to plan, manage and improve cancer services in the province. I discuss the two databases and CCO’s two roles more fully, below.

[5] At the outset, it is important to note that the words “collect,” “disclose” and “use” are defined terms under the Act. Section 2 of the Act contains the respective definitions, which apply in this decision, and states:

“collect”, in relation to personal health information, means to gather, acquire, receive or obtain the information by any means from any source, and “collection” has a corresponding meaning;

“disclose”, in relation to personal health information in the custody or under the control of a health information custodian or a person, means to make the information available or to release it to another health information custodian or to another person, but does not include to use the information, and “disclosure” has a corresponding meaning;

“use”, in relation to personal health information in the custody or under the control of a health information custodian or a person, means to view, handle or otherwise deal with the information, subject to subsection 6(1), but does not include to disclose the information, and “use”, as a noun, has a corresponding meaning.

The complaint

[6] The complainant, a patient of the cancer centre at the hospital, filed a complaint with the Information and Privacy Commissioner of Ontario (the IPC) under the Act against the hospital about his attendance for an appointment at the cancer centre and his completion of the survey. He complained about the hospital’s privacy practices and privacy training, and he alleged that the hospital collected his personal health information in an unauthorized manner because it did not first obtain his “informed” consent. Specifically, he complained that:

  • the hospital reception staff called out to him to register for his appointment simultaneously with another patient, and he could clearly hear the questions and responses concerning the other patient’s health status and treatment as he stood beside that patient at the reception counter.
  • after registering with the reception staff for his appointment, he was directed to a kiosk and told that he had to complete the survey before being seen by a physician; the reception staff did not tell him that the survey was voluntary and that he could have declined to complete it.
  • the survey was presented on a large screen that faced the waiting room area, and although he was told there was privacy software on the screen, he believes that it was ineffective because his daughter was able to read the survey answers of other patients from the waiting area.
  • the questions in the survey were very personal, asking about topics such as orgasms, erections, and bowel habits, and there were dozens of other patients and their families within visual range of the kiosk.
  • a hospital volunteer stood over his shoulder and read his answers while he completed the survey and did not inform him that the survey was voluntary.
  • the survey contained no information to indicate that it was voluntary, even though his health care provider later told him that he could have declined to respond.

[7] During the mediation stage of the complaint, the complainant advised that when he attended the hospital more than a year after filing his complaint, the reception staff again failed to tell him that the survey was optional and the screens continued to be facing the crowded waiting area. He asserted that the hospital did not address his concerns that it should advise patients that completion of the survey is voluntary and should ensure that the survey responses entered by patients are not visible on the kiosk screens. He also maintained that patients should be asked for their consent before the hospital collects their personal health information and shares it with CCO, and that there should be proper notification regarding the information that is being collected and how it is to be used. The complainant also noted that the physician who was treating him at the hospital told him that the physician did not use the information from the survey responses for his care. Finally, the complainant asked that the hospital remove his survey responses from his hospital health record.

The hospital’s response

[8] The hospital, a health information custodian under the Act, [5] explained that CCO is responsible for the survey questions and touchscreen kiosks pursuant to an agreement with it that outlines the parameters of the survey on the ISAAC tool. The hospital advised that, in relation to the survey, CCO acts as both a HINP and a prescribed entity. The hospital stated that when patients fill out the survey at a kiosk, the survey responses are automatically sent to CCO’s production and replication databases, and are also automatically copied to the electronic patient health record at the cancer centre where the survey is completed (and the patient is being treated).

The hospital’s collection of personal health information, via the survey, from the complainant (using CCO’s services as a HINP) and its use of that personal health information

[9] The hospital asserted that it collects personal health information directly from patients, using CCO’s services as a HINP, as it is authorized to do by section 29(a) of the Act, which provides for collection with consent. [6] As a HINP, CCO provides services to enable the cancer centre and the other regional cancer centres (the ISAAC sites) to use electronic means to handle personal health information, including to collect, use and disclose that information. The hospital stated that CCO is a HINP pursuant to section 6(2) of Ontario Regulation 329/04 [7] of the Act in providing the ISAAC tool and the production database to the ISAAC sites. It further advised that each ISAAC site, including the hospital, is the health information custodian of the personal health information maintained in the ISAAC production database at each ISAAC site.

[10] In response to the complainant’s concern about consent, the hospital submitted that a patient consents to the collection of personal health information through the survey because the patient directly provides the responses and the collection is for the purpose of providing health care. The hospital stated that it is the patient’s choice whether to complete the survey.

[11] The hospital explained that patients’ completion of the survey is encouraged but not mandatory. Patients are told about the survey during orientation and about the availability of volunteers, who are agents of the hospital, to assist them with the survey. Volunteers are directed to tell patients that the survey is not mandatory. The hospital further explained that when patients return to the hospital for follow-up appointments, they are to complete the survey upon arrival; at that time, patients can again choose not to complete the survey. The hospital advised that patients can also ask for a paper copy of the survey if they do not wish to complete the survey at the kiosk.

[12] The hospital informed the IPC that the survey instructions page includes language to inform patients that they may skip questions they do not wish to answer and they may choose what information they provide. The hospital advised that CCO was planning to take steps to address the messaging to patients on the instruction page of the survey regarding its voluntary nature. The hospital stated that it is unable to post any additional signage regarding consent in the area where the kiosks are located due to the significant signage that already exists there. It explained that there is a concern that posting additional information could compromise the existing communication to patients.

[13] The hospital stated that it uses the personal health information it collects through the survey to assist its medical team to provide health care, in accordance with section 37(1)(a) of the Act; [8] its physicians use the survey and read their patients’ survey responses to fine-tune their treatment based on the symptoms that each patient is actually experiencing. Regarding the complainant’s comment that one of his physicians did not use the survey for his care, the hospital stated that anyone on the care team may use the responses for care. It added that it confirmed with one of the complainant’s physicians that she looks at the results of the survey and that she asks the questions included in the survey during a patient’s appointment so that she can discuss the responses directly with the patient. The hospital explained that it expects its physicians and care teams to use the survey for the purposes of care; while some physicians may not use the survey as desired by the hospital’s leadership, its physicians and care teams have access to the survey.

The hospital’s disclosure of personal health information to CCO and the collection of that personal health information by CCO in CCO’s capacity as a prescribed entity

[14] The hospital submitted that its disclosure of personal health information to CCO and CCO’s collection of that information as a prescribed entity, without the consent of the individual to whom the personal health information relates, are authorized under section 45 of the Act. The hospital explained that in accordance with section 45(1) of the Act it discloses personal health information to CCO, in CCO’s capacity as a prescribed entity, and CCO, in turn, collects that personal health information as a prescribed entity in accordance with section 45(5) of the Act. The hospital added that when CCO, in its role as a prescribed entity, collects personal health information from the survey data in ISAAC, CCO stores that personal health information in the ISAAC replication database, which is the database CCO uses for its own purposes. Sections 45(1) and 45(5) of the Act are set out below, in paragraph 39 of this decision.

Visibility of the survey screen

[15] Regarding the complainant’s concerns that members of the public could view the personal health information on the kiosk screens, the hospital advised that its privacy consultant and other members of hospital staff tested the ability of bystanders to view the screen of a patient completing the survey. It reported that no hospital staff were able to duplicate the complainant’s daughter’s experience. The hospital advised that the screens contain embedded privacy screen software and, unless someone is looking right over a patient’s shoulder, the information on the screen is not visible. The hospital stated that it determined that the privacy screen software is adequate.

[16] The hospital also noted that it has limited space for the kiosks provided by CCO; the kiosks tend to be in high traffic volume areas because that is where the hospital has space and patients with mobility issues can better access them.

The complainant’s concerns about the hospital’s registration procedures

[17] Regarding the complainant’s concerns that he was registered at the same time as another patient, the hospital advised that its practice is to not register patients simultaneously. It added that it asked all staff not to register patients simultaneously and had its leadership send a message specifically instructing staff not to take more than one person up to the registration area at a time.

[18] In respect of volunteer training, the hospital advised that it received the surveys with volunteer training materials from CCO intended to provide all required information to the volunteers assisting patients with the surveys. It stated that it provided this training, as designed by CCO, to its volunteers. The training included instructing volunteers to assess whether a patient needs assistance and to provide patients with privacy at the survey kiosks after explaining the process; volunteers are told not to view the survey screen while they stand close to the patient and to offer clarification about how to complete the questions, if necessary. The hospital confirmed that its volunteers are not supposed to view patients’ survey responses and that the complainant’s experience was inconsistent with its volunteer training and expectations.

[19] The hospital confirmed that, on two occasions, its privacy consultant discussed with the volunteer coordinators the privacy issues the complainant raised. It confirmed that it also retrained its volunteers on patient privacy in respect of the survey. The hospital stated that it also provided targeted follow-up with the volunteers who were scheduled on the incident date specified in the complaint. It stated that it also retrained its volunteers using the privacy components provided in the CCO training materials.

[20] The hospital advised that it was unable to identify and speak with the specific volunteer who assisted the complainant. Because it could not identify the specific volunteer, it provided the reminders and communications about privacy to all its volunteers. The hospital added that its volunteers also sign annual confidentiality agreements.

The complainant’s request to remove the survey from his health record

[21] In response to the complainant’s request that the hospital remove his completed survey from his patient health record, the hospital stated that it is not able or required to comply. The hospital asserted that the survey is a record of personal health information pursuant to the Act, and it is legally prohibited from deleting a health record. The hospital explained that because the complainant’s personal health information in the completed survey has been used, the record must stand to prove that there was information upon which a decision was made. The hospital attempted to find alternatives to “removing” the information and advised the complainant of two options that would result in his survey’s not being viewable or usable going forward; however, the complainant was not satisfied with the proposed options and maintained his request that his survey responses be removed from his health record.

Information provided by CCO in the related complaint

[22] In the related complaint, addressed in PHIPA Decision 166, CCO confirmed that it provided initial training to the regional leads at the cancer centre that included a privacy component and specifically instructed staff and volunteers not to stand next to the patient completing the survey. CCO also confirmed that additional training on sexual health was provided by an expert from Princess Margaret Cancer Centre via webinar. Following this initial training, regional leads at the cancer centre were responsible for training additional staff at the hospital, including new staff, those who missed the initial sessions, and volunteers.

[23] CCO also confirmed that it amended its instruction page for the survey to notify individuals that their participation in the survey is voluntary. The amended instruction page now states:

Welcome to Your Symptoms Matter – Prostate Cancer Assessment Tool. This tool helps you to rate your symptoms so that your health care providers understand how you are feeling now and can look back over time to see how things may have changed. Any responses you choose to provide will help your healthcare team work with you to personalize your treatment plan to manage your symptoms and side-effects. You will be asked 17 questions with four or five answers to choose from. Some questions contain sensitive information, including questions about your sexual function, urinary patterns, and bowel function. Choose the answer that best describes how you are feeling. You may skip any question by pressing the ‘continue’ button on the right hand corner of the screen. A family member or caregiver may also help you fill out this tool, but the answers chosen should show how you feel. At the end of the questionnaire, look at your answers to make sure they are accurate and press ‘Submit’.

Please ask your health care team if you have any questions or concerns.

[24] Finally, CCO advised that it removed the complainant’s name and survey responses from both the ISAAC production and replication databases, at the request of and on behalf of the hospital.

Mediation of the complaint

[25] The IPC attempted to mediate the complaint; however, a mediated resolution was not possible. [9] At the request of the complainant, the complaint was moved to the adjudication stage in which an adjudicator may conduct a review.

Preliminary assessment that no review is warranted

[26] As the adjudicator in this matter, I considered all of the information in the complaint file. My preliminary assessment was that the complaint did not warrant a review under the Act, for the reasons set out below. I advised the complainant of my preliminary assessment and my reasons, and I invited him to provide representations in response if he disagreed with my preliminary assessment. I advised the complainant that, before making my final decision, I would consider any representations he provided to explain why his complaint should proceed to the review stage of the complaint process. The complainant did not provide representations.

[27] For the reasons that follow, I decline to conduct a review in this complaint because the hospital has responded adequately to the complaint and there are no reasonable grounds to conduct a review.

DISCUSSION:

Should the complaint proceed to a review under the Act?

[28] The only issue in this decision is whether I should conduct a review of the complaint under the Act. Sections 57(3) and 57(4) of the Act give me the authority to decide whether to conduct a review of this complaint. These sections state, in part:

(3) If the Commissioner does not take an action described in clause (1)(b) or (c) or if the Commissioner takes an action described in one of those clauses but no settlement is effected within the time period specified, the Commissioner may review the subject-matter of a complaint made under this Act if satisfied that there are reasonable grounds to do so.

(4) The Commissioner may decide not to review the subject-matter of the complaint for whatever reason the Commissioner considers proper, including if satisfied that,

(a) the person about which the complaint is made has responded adequately to the complaint[.]

[29] Having considered the circumstances of this complaint and the applicable legislative provisions, I am satisfied that the hospital’s reliance on the complainant’s implied consent and on section 45 of the Act, and the information it provided about its patient registration procedures, survey kiosk placement and visibility, and its inability to remove the survey responses, comprise an adequate response to the complainant’s concerns in this complaint. I am also satisfied that there are no reasonable grounds to review the subject-matter of the complaint.

[30] The legislative provisions that I discuss, below, confirm that the hospital acted within its statutory authority, as a health information custodian under the Act, in using the services of CCO as a HINP to collect the complainant’s personal health information for the hospital’s use, and in disclosing that same information to CCO in CCO’s capacity as a prescribed entity for CCO’s purposes.

The hospital is authorized to collect and use personal health information through the survey using CCO’s services as a HINP

[31] Sections 10(3) and 10(4) of the Act and section 6 of Regulation 329/04 address the hospital’s use of and CCO’s provision of electronic means (CCO’s survey kiosks) to collect, use, modify, disclose, retain or dispose of personal health information. In its capacity as a HINP, CCO functions as an IT service provider and it does not “collect,” “use,” or “disclose” the survey data entered by patients and stored in the production database for the hospital’s own purposes. CCO provides the survey kiosks to the cancer centre of the hospital and runs them as a function of its role as a HINP, in accordance with section 10(4) of the Act and section 6 of Regulation 329/04 of the Act, to enable the hospital to, among other things, collect patients’ personal health information. Sections 10(3) and 10(4) of the Act read:

10(3) A health information custodian that uses electronic means to collect, use, modify, disclose, retain or dispose of personal health information shall comply with the prescribed requirements, if any.

(4) A person who provides goods or services for the purpose of enabling a health information custodian to use electronic means to collect, use, modify, disclose, retain or dispose of personal health information shall comply with the prescribed requirements, if any.

[32] Sections 6(1) and 6(3) of Regulation 329/04 of the Act set out prescribed requirements, which are not at issue in this complaint. [10] However, sections 6(2) and 6(4) of Regulation 329/04 of the Act are relevant and they apply to this complaint. Section 6(2) defines a HINP, while section 6(4) confirms that a health information custodian (the hospital in this complaint) that uses services supplied by a person in section 10(4) of the Act (CCO in this complaint) shall not be considered to be “disclosing” the information within the meaning of section 2 of the Act, as long as the person complies with certain requirements. These sections read:

6(2) In subsection (3),

“health information network provider” or “provider” means a person who provides services to two or more health information custodians where the services are provided primarily to custodians to enable the custodians to use electronic means to disclose personal health information to one another, whether or not the person is an agent of any of the custodians.

6(4) A health information custodian who uses goods or services supplied by a person referred to in subsection 10(4) of the Act, other than a person who is an agent of the custodian, for the purpose of using electronic means to collect, use, modify, disclose, retain or dispose of personal health information shall not be considered in so doing to make the information available or to release it to that person for the purposes of the definition of “disclose” in section 2 of the Act if,

(a) the person complies with subsections (1) and (3), to the extent that either is applicable, in supplying services; and

(b) in the case of a person supplying goods to the health information custodian, the custodian does not, in returning the goods to the person, enable the person to access the personal health information except where subsection (1) applies and is complied with.

[33] Taken together, sections 10(3) and 10(4) of the Act and sections 6(2) and 6(4) of Regulation 329/04 confirm: that the hospital’s engaging CCO, as a HINP, in order to collect the complainant’s personal health information for the purposes of the survey is permissible; and that, in using CCO’s HINP services (the ISAAC tool and production database) to collect, use, modify, disclose, retain or dispose of personal health information through the survey, the hospital “shall not be considered in so doing to make the information available or to release it to that person for the purposes of the definition of “disclose” in section 2 of the Act.”

The hospital has responded adequately to the complainant’s concerns about the validity of his consent to collect and use his personal health information

[34] Regarding the complainant’s assertion that the hospital requires his consent to collect and use his personal health information, the hospital’s position appears to be that for the purposes of section 29(a) of the Act, it had the complainant’s implied consent. The hospital believed that its staff and/or volunteers advised the complainant that the survey was voluntary, in accordance with the training it provided to its staff and volunteers, and that the complainant provided his personal health information in the form of survey responses voluntarily.

[35] Section 29(a) of the Act, relied on by the hospital and reproduced above, requires consent for a health information custodian’s collection and use of personal health information. Section 20(2) of the Act sets out the assumed implied consent rule for hospitals, which are health information custodians under the definition of that term in paragraph 4 of section 3(1) of the Act. Section 20(2) reads:

20(2) A health information custodian described in paragraph 1, 2 or 4 of the definition of “health information custodian” in subsection 3(1), that receives personal health information about an individual from the individual, the individual’s substitute decision-maker or another health information custodian for the purpose of providing health care or assisting in the provision of health care to the individual, is entitled to assume that it has the individual’s implied consent to collect, use or disclose the information for the purposes of providing health care or assisting in providing health care to the individual, unless the custodian that receives the information is aware that the individual has expressly withheld or withdrawn the consent.

[36] Applying section 20(2) of the Act to the facts in this complaint, I find that it was reasonable for the hospital to believe that it had a valid consent from the complainant at the time of its collection and use of his personal health information through the survey. The hospital provided the CCO training to its staff and volunteers that directed them to tell patients about the voluntary nature of the survey, and it reasonably believed that its staff and volunteers were acting in accordance with that training and its expectations. In addition, the language of the survey instruction page provided sufficient information to the complainant that his personal health information was being collected and used for health care purposes; specifically, to assist his health care providers understand his symptoms in order to personalize his treatment plan. The complainant attended the hospital to obtain health care and the survey was used to assist the hospital in providing that health care to him. Accordingly, it was reasonable for the hospital to assume that it had the complainant’s implied consent to collect and use the personal health information he provided in the survey when he voluntarily provided that personal health information during his attendance. As a hospital directly providing health care, the hospital was entitled under section 20(2) of the Act to assume the complainant’s implied consent to collect and use his personal health information in the survey.

[37] Moreover, the hospital has acknowledged the complainant’s concerns about the validity of that consent, and it recognizes that it does not have his consent for any further use of his personal health information in the survey responses. The hospital has offered two options to the complainant to prevent his personal health information in the survey from being used further and the complainant has declined both options. Finally, the hospital’s explanation, that it cannot delete or destroy the complainant’s personal health information that it has already collected and used for health care purposes, is reasonable and consistent with the Act. In these circumstances, I am satisfied that the hospital has responded adequately to the complainant’s concerns about the validity of his consent.

The hospital is authorized to disclose personal health information from the survey to CCO (as a prescribed entity) and CCO is authorized (as a prescribed entity) to collect that personal health information

[38] Regarding the complaint that the hospital provided the complainant’s personal health information to CCO as a prescribed entity, section 18(1) of Regulation 329/04 of the Act confirms that CCO, which became part of Ontario Health on December 2, 2019 when the Connecting Care Act, 2019 took effect, is a prescribed entity. It states:

18(1) Each of the following entities, including any registries maintained within the entity, is a prescribed entity for the purposes of subsection 45 (1) of the Act:

5. Ontario Health.

[39] Section 45(1) of the Act permits disclosure of personal health information by a health information custodian (the hospital) to a prescribed entity (CCO) for the planning and management of the provincial health system, without the consent of the patient to whom the personal health information relates, if the prescribed entity meets the requirements under section 45(3). Section 45(5) of the Act authorizes a prescribed entity to collect personal health information from a health information custodian. These sections state:

45(1) A health information custodian may disclose to a prescribed entity personal health information for the purpose of analysis or compiling statistical information with respect to the management of, evaluation or monitoring of, the allocation of resources to or planning for all or part of the health system, including the delivery of services, if the entity meets the requirements under subsection (3).

(3) A health information custodian may disclose personal health information to a prescribed entity under subsection (1) if,

(a) the entity has in place practices and procedures to protect the privacy of the individuals whose personal health information it receives and to maintain the confidentiality of the information; and

(b) the Commissioner has approved the practices and procedures, if the custodian makes the disclosure on or after the first anniversary of the day this section comes into force.

(5) An entity that is not a health information custodian is authorized to collect the personal health information that a health information custodian may disclose to the entity under subsection (1).

[40] Regarding the requirement in section 45(3)(b), I note that CCO has had the required prescribed entity approval of the Commissioner at all relevant times. All of CCO’s prescribed entity three-year reviews and approvals documentation is available on the IPC’s website. [11]

[41] Applying sections 45(1), 45(3) and 45(5) of the Act to this complaint, the hospital acted within its statutory authority in disclosing the complainant’s personal health information in his survey response to CCO as a prescribed entity, which, in turn, was authorized by section 45(5) to collect that personal health information as a prescribed entity. Since these sections of the Act do not require patient consent, the complainant’s concerns about his lack of consent to this disclosure to and collection by a prescribed entity, are misplaced.

The hospital has responded adequately to the complaint about the placement and visibility of the survey kiosks, and its registration procedures

[42] Section 10 addresses a health information custodian’s duties to have and follow appropriate information practices, while section 12 addresses its duty to ensure the security of personal health information in its custody or control. These sections are relevant to the complaint that the hospital did not adequately protect the confidentiality of the complainant’s personal health information when its reception staff registered him at the same time as another patient and when its volunteer stood over his shoulder as he completed the survey, and because of its placement of the survey kiosks. Sections 10 and 12 read, in part:

10(1) A health information custodian that has custody or control of personal health information shall have in place information practices that comply with the requirements of this Act and its regulations.

(2) A health information custodian shall comply with its information practices.

12(1) A health information custodian shall take steps that are reasonable in the circumstances to ensure that personal health information in the custodian’s custody or control is protected against theft, loss and unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal.

[43] The hospital acknowledged the complainant’s concerns about its reception staff’s registering him at the same time as another patient. It advised that his experience was not consistent with its practice of registering one patient at a time and its direction to reception staff to register one patient at a time. The hospital also confirmed that it has reminded its staff of the expectation that patients be registered one at a time.

[44] The hospital also considered the complainant’s concerns about its placement of the survey kiosks in a busy, high traffic area and about the survey screens being visible to others. The hospital had its privacy consultant and certain staff investigate the efficacy of its privacy screen software, and it confirmed that the information on the screens was not visible unless they stood directly in front of the screens. The hospital determined that the privacy screen software is adequate. It also stated that its placement of the screens is based on limited available space and accessibility concerns for patients with mobility issues.

[45] I am satisfied that, by reminding its staff of its registration procedures, confirming that the privacy screen software on the survey kiosks is satisfactory, and providing a reasonable explanation for its placement of the survey kiosks, the hospital responded adequately to the complainant’s corresponding concerns.

Conclusion

[46] In light of the foregoing, I find that the hospital responded adequately to the complaint. I further find that there are no reasonable grounds to conduct a review because no purpose would be served by conducting a review of issues that have been addressed. I exercise my authority under sections 57(3) and 57(4) to decline to conduct a review of this complaint. I issue this decision in satisfaction of the notice requirement in section 57(5) of the Act.

NO REVIEW:

For the foregoing reasons, no review of this matter will be conducted under Part VI of the Act.

Original Signed by:

Stella Ball

Adjudicator

December 14, 2021


[1] Generally, the IPC does not identify respondents in decisions not to conduct a review under the Act.

[2] I identify Cancer Care Ontario in this decision for ease of reading as it has two distinct statutory roles in relation to the personal health information at issue in this complaint. In December 2019, Cancer Care Ontario became part of Ontario Health.

[4] Current information on the survey can be found on CCO’s web site at the following link: https://www.cancercareontario.ca/en/guidelines-advice/symptom-side-effect-management/symptom-assessment-tool.

[5] In accordance with paragraph 4.i. of section 3(1) of the Act.

[6] Section 29(a) of the Act reads:

A health information custodian shall not collect, use or disclose personal health information about an individual unless, it has the individual’s consent under this Act and the collection, use or disclosure, as the case may be, to the best of the custodian’s knowledge, is necessary for a lawful purpose[.]

[7] Section 6(2) of the Regulation reads:

In subsection (3), “health information network provider” or “provider” means a person who provides services to two or more health information custodians where the services are provided primarily to custodians to enable the custodians to use electronic means to disclose personal health information to one another, whether or not the person is an agent of any of the custodians.

[8] Section 37(1)(a) of the Act reads:

A health information custodian may use personal health information about an individual, for the purpose for which the information was collected or created and for all the functions reasonably necessary for carrying out that purpose, but not if the information was collected with the consent of the individual or under clause 36(1)(b) and the individual expressly instructs otherwise[.]

[9] Mediation privilege, noted in section 57(2)(c) of the Act, does not attach to any of the information set out in this decision.

[10] Section 6(1) sets out prescribed requirements for the purposes of section 10(4) of the Act with respect to a person who supplies services for the purpose of enabling a health information custodian to use electronic means to collect, use, modify, disclose, retain or dispose of personal health information, and who is not an agent of the custodian. Section 6(3) sets out prescribed requirements for HINPs in the course of providing services to enable a health information custodian to use electronic means to collect, use, disclose, retain or dispose of personal health information.

[11] This documentation can be found by using the hyperlink below and selecting “Ontario Health (formerly Cancer Care Ontario (CCO)” under the heading “Prescribed Entities under PHIPA.” https://www.ipc.on.ca/decisions/three-year-reviews-and-approvals/three-year-reviews-and-approvals-documentation/
