
PHIPA DECISION 179

Complaint HI20-00006

A Public Hospital

April 26, 2022

Summary: The Office of the Information and Privacy Commissioner of Ontario received a complaint under the Personal Health Information Protection Act, 2004 (the Act) about an alleged unauthorized use of patients’ personal health information by three doctors of a public hospital. This decision finds the use of the personal health information by two of the three doctors to be in accordance with the Act. According to the audit information provided by the hospital, the third doctor did not access the patients’ personal health information.

Statutes Considered: Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, sections 1(a), 18, 19(a), 20, 29, 37(1)(a) and (d)

INTRODUCTION:

[1] Under the Personal Health Information Protection Act, 2004 (the Act or PHIPA), the Office of the Information and Privacy Commissioner of Ontario (the IPC) received a complaint regarding an alleged unauthorized use of personal health information of three patients (the patients) by three doctors of a public hospital (the hospital).

[2] The source of the complaint is a doctor who has a separate practice and is also a staff member of the hospital. For the purposes of this decision and for ease of reading, I will be referring to the source of the complaint as the complainant. The patients have not contacted the IPC regarding any concerns about the collection or use of their personal health information by the hospital.

[3] According to the complainant, through his separate practice, he sent three of his patients to the hospital for cardiac testing, the results of which were sent back to him, as the patients’ cardiologist, for interpretation, diagnostic review, and treatment planning purposes.

[4] Some time later, the Chief of Staff of the hospital sent the complainant an email requesting personal health information about the patients. The complainant explained that he provided information about the patients to the Chief of Staff; however, he subsequently had concerns under the Act about the Chief of Staff’s use of the patients’ personal health information, as well as its use by two additional doctors.

[5] The complainant’s position is that the patients were not patients of the hospital and that the use of their personal health information by the three hospital doctors was unauthorized under the Act, as those doctors were not involved in the care of the patients when the personal health information was used.

[6] During the Intake Stage of this file, the complainant provided this office with additional information about his allegations, which was shared with the hospital. In response to the allegations, the hospital completed an audit of the health records of the patients and confirmed that the Chief of Staff and another doctor (the second doctor) had accessed the health records of the patients in the hospital’s electronic medical record (EMR).

[7] The hospital also advised that the audit confirmed that the third doctor did not access the health records of the patients.

[8] According to the hospital, the Chief of Staff had the authority to use the personal health information of the patients pursuant to section 37(1)(d) and the second doctor had the authority to use the personal health information of the patients pursuant to section 37(1)(a).

[9] The matter moved to the Investigation Stage of the IPC’s PHIPA complaint process and I was assigned as the Investigator. As part of my investigation, I requested and received written representations from the hospital.

[10] In this decision, I find that the use of the personal health information by the Chief of Staff and the second doctor is permitted under the Act.

[11] I also conclude that no review is warranted under the Act.

BACKGROUND:

[12] As noted above, the complainant is a staff member at the hospital; he is also a member of the hospital’s Transcatheter Aortic Valve Implantation (TAVI) Team. According to the hospital, patients are referred to the TAVI Team to determine whether they are appropriate candidates for a TAVI procedure. The TAVI Team is made up of TAVI cardiac surgeons, the Chief of Cardiology, cardiologists, the Manager of the Cardiac Catheterization Lab, a nurse, an echocardiographer, and an interventional radiologist. This group works together to provide treatment and care to all prospective TAVI patients.

[13] Once a patient is referred to the TAVI Team, the group reviews the patient’s testing and medical information. If the team feels that a patient is an appropriate candidate for a TAVI procedure, the TAVI Team will then order a TAVI computed tomography (CT) scan and other tests as required. The hospital advised that a TAVI CT is a specialized test that is costly and time consuming and should only be considered and ordered when there is a high likelihood that a patient will be a candidate for the TAVI procedure. It is the hospital’s position that if a patient was not being considered for a TAVI procedure there would be no need to complete a TAVI CT.

[14] TAVI CTs are completed at the hospital by agents of the hospital and, at the time of the accesses at issue in this matter, the patients had attended the hospital and received a TAVI CT.

PRELIMINARY ISSUES:

[15] There is no dispute that the hospital is a “health information custodian” within the meaning of section 3(1) of the Act and that the three doctors named in the complaint are agents of the hospital pursuant to the definition in section 2 of the Act.

[16] Further, the hospital does not dispute that the information at issue is personal health information within the meaning of section 4(1) of the Act and that the accesses in question are “uses” of personal health information within the meaning of the Act.

[17] Given that the hospital’s audit found that the third doctor did not access the health records of the patients, this decision will not address the complaint regarding that doctor, as I accept the findings of the hospital’s audit.

[18] As noted below, this decision is focused solely on the hospital’s collection and use of the patients’ personal health information pursuant to the Act. Any other matters related to the complaint are outside the scope of the IPC’s jurisdiction and no opinion will be offered on them.

ISSUES:

[19] This decision addresses the following issues:

  1. Was the hospital’s collection of the patients’ personal health information in accordance with the Act?
  2. Was the hospital’s use of the patients’ personal health information authorized under the Act?
  3. Is a review warranted under Part VI of the Act?

DISCUSSION:

Issue 1: Was the hospital’s collection of the patients’ personal health information in accordance with the Act?

[20] One of the concerns raised by the complainant was that the patients were not patients of the hospital. The Act does not provide specific guidelines to distinguish whether a particular individual is a patient of a health information custodian. The Act establishes rules for the collection, use and disclosure of personal health information about individuals that protect the confidentiality of that information and the privacy of individuals, while facilitating the effective provision of health care. [1] Thus, in order to address the complainant’s concern, I need to determine whether the health information custodian had the authority to collect and use the records of personal health information at issue in this complaint.

[21] One of the ways in which the Act achieves its purpose of protecting the confidentiality of personal health information while facilitating the effective provision of care is by requiring that collections, uses and disclosures of personal health information occur with the consent of the individual to whom the information relates, except in limited cases. [2] The Act also contains provisions relating to individuals providing express or implied consent to the collection, use or disclosure of their personal health information and, in certain circumstances, health information custodians can assume an individual’s implied consent to the collection, use or disclosure of their personal health information for health care purposes. [3]

[22] Section 29(a) of the Act addresses the requirement for consent for the collection of personal health information and states the following:

A health information custodian shall not collect, use or disclose personal health information about an individual unless,

(a) it has the individual’s consent under this Act and the collection, use or disclosure, as the case may be, to the best of the custodian’s knowledge, is necessary for a lawful purpose; or

[23] Section 18(2) states the following:

Implied consent

(2) Subject to subsection (3), a consent to the collection, use or disclosure of personal health information about an individual may be express or implied.

[24] Section 20(2) states the following:

Implied consent

(2) A health information custodian described in paragraph 1, 2 or 4 of the definition of “health information custodian” in subsection 3 (1), that receives personal health information about an individual from the individual, the individual’s substitute decision-maker or another health information custodian for the purpose of providing health care or assisting in the provision of health care to the individual, is entitled to assume that it has the individual’s implied consent to collect, use or disclose the information for the purposes of providing health care or assisting in providing health care to the individual, unless the custodian that receives the information is aware that the individual has expressly withheld or withdrawn the consent.

[25] The hospital advised that the patients attended the hospital to have their TAVI CT completed. The personal health information of the patients was collected directly from the patients when they attended the hospital. Further, the hospital advised that it has no record or knowledge of the patients withdrawing their consent for the collection of their personal health information.

[26] As indicated above, the personal health information at issue in this matter was collected directly from each patient during the course of providing health care to them. The records of personal health information related to the TAVI CT would have been created by agents of the hospital as a result of providing health care to these patients. The records were maintained in the hospital’s EMR and the hospital had custody and control of the information.

[27] I find that the hospital is the custodian of the patient records of personal health information at issue, had the authority to collect the information and has the responsibility as the custodian to protect this personal health information.

Issue 2: Was the hospital’s use of the patients’ personal health information authorized under the Act?

[28] The Act provides for situations in which a health information custodian may collect, use and disclose personal health information without the consent of the patient. In the context of this complaint, clauses 37(1)(a) and (d), which describe certain uses permitted without consent, are relevant.

[29] Section 37(1) of the Act states:

A health information custodian may use personal health information about an individual,

(a) for the purpose for which the information was collected or created and for all the functions reasonably necessary for carrying out that purpose, but not if the information was collected with the consent of the individual or under clause 36 (1) (b) and the individual expressly instructs otherwise;

(d) for the purpose of risk management, error management or for the purpose of activities to improve or maintain the quality of care or to improve or maintain the quality of any related programs or services of the custodian;

Use by the Chief of Staff:

[30] The hospital advised that, based on its audit, the Chief of Staff accessed the health records of all three patients. The position of the hospital is that the Chief of Staff’s use of the patients’ personal health information was a permitted use under section 37(1)(d) of the Act, under which the consent of a patient is not required when a health information custodian uses personal health information for risk management, to improve or maintain the quality of care, or to improve or maintain the quality of related programs and services of the custodian.

[31] The hospital advised that, prior to the Chief of Staff’s access, the Chief of Staff was reviewing the quality of care provided to the patients and that his subsequent access was related to this review. During this investigation, the hospital provided additional information regarding the Chief of Staff’s quality of care review, which I will not set out in this decision in order to protect the patients’ privacy.

[32] The hospital’s position is that the Chief of Staff is accountable for the quality of care provided for all patients registered at the hospital, inclusive of both out-patient and in-patient care. To support this position, the hospital submits that the Chief of Staff’s job description states that he is accountable to the Board of Directors on issues regarding quality of care provided to patients, medical diagnoses, and the treatment provided to patients. The Chief of Staff is also required to ensure that the quality of care provided to patients by credentialed professional staff at the hospital is in accordance with the policies, procedures and processes of the hospital.

[33] The hospital referred to the hospital’s Credential Professional Staff By-Law section 18.2 titled “Duties of the Chief of Staff” which states the following, in part:

The Chief of Staff shall be responsible to the Board of the Hospital through the Chair for the Professional Staff organization of the Hospital. The Chief of Staff shall:

v) be responsible to the Board for the supervision and quality of all the Professional Staff diagnosis, care and treatment given to patients within the hospital according to the policies established by the Board;

vii) through, and with the Department Chiefs, advise MAC and the Board of the Hospital, and the President and Chief Executive Officer of the Hospital with respect to the quality of medical diagnosis, care and treatment provided to the patients of the Hospital.

[34] The hospital explained that when the Chief of Staff had questions about a quality of care issue, it was his role as Chief of Staff to investigate and determine if clinical standards were being met and that the standard processes in place were being adhered to. As a result, the Chief of Staff requested information about patients who had a TAVI CT and were not presented at TAVI rounds. It is the position of the hospital that testing and procedures completed on patients presenting to the hospital establish a duty of care for the hospital and that the Chief of Staff is required to ensure that the hospital maintains a quality of care for all of its patients.

[35] Based on the above information, I find that the hospital has established that the accesses by the Chief of Staff were a permitted use pursuant to section 37(1)(d) of the Act. The Chief of Staff’s accesses were to investigate concerns about the quality of care and treatment provided to the patients. These types of accesses are consistent with the responsibilities and role of the Chief of Staff. I find that the accesses of the patients’ personal health information by the Chief of Staff qualify as a use for the purpose of maintaining the quality of care and the quality of services provided by the hospital, and that the Chief of Staff has this authority as per his defined role with the hospital.

Use by the Second Doctor:

[36] The hospital advised that the second doctor had the authority to use the personal health information of the patients pursuant to section 37(1)(a).

[37] Section 37(1)(a) contemplates that an individual patient may expressly instruct the custodian not to use their personal health information for the purpose for which it was collected. As noted above, the hospital advised that it has no record of the patients withdrawing their consent to the use of their personal health information. In order to use the patients’ personal health information, the hospital relies on the implied consent of the individuals for the purpose of providing health care or assisting in the provision of health care to the individual. The hospital advised that this position is consistent with section 20(2).

[38] As previously noted, section 20(2) states that a health information custodian that receives personal health information about an individual from the individual for the purpose of providing health care or assisting in the provision of health care to the individual is entitled to assume that it has the individual’s implied consent to collect, use or disclose the information for the purposes of providing health care or assisting in providing health care to the individual, unless the custodian that received the information is aware that the individual expressly withheld or withdrew their consent.

[39] In its process of investigating the allegations, the hospital completed an audit on its EMR of the accesses of the second doctor to the patients’ personal health records. The audit revealed that the doctor accessed the personal health records of all the patients and the chart of one of the patients on a second occasion.

[40] Under section 37(1)(a), agents of the hospital may use personal health information about an individual for the purpose for which the information was collected with the consent of the individual, unless the individual expressly instructs otherwise.

[41] It is the position of the hospital that the second doctor is an agent of the hospital, as defined in section 2 of the Act, and that his accesses of the patients’ personal health records were for the purpose for which the information was collected, namely the provision of health care to the patients.

[42] The hospital advised that all the patients attended the hospital for a TAVI CT. The hospital explained that TAVI CTs are completed by the hospital and that patients are referred for a TAVI CT when it is highly likely that they will require the TAVI procedure. As noted earlier, the hospital advised that the general practice is that patients are referred to the TAVI Team and that the patients’ testing and medical information are reviewed by members of the team. If the team believes that the patient is an appropriate candidate for a TAVI procedure, the TAVI Team will then order a TAVI CT. The TAVI Team discusses all patients who are potential candidates for a TAVI procedure and have had a TAVI CT.

[43] The hospital explained that in this case, once it was determined that the patients had not been presented at TAVI rounds, but had a TAVI CT, it was the duty of the hospital to assess the patients to determine whether any immediate care was necessary and if the patients required the TAVI procedure.

[44] At the time of the second doctor’s access, the second doctor was a co-lead on the TAVI Team as well as a TAVI operator (someone who is trained to perform the TAVI procedure). The hospital advised that the role of the co-lead is to facilitate and lead discussions and to decide on the appropriateness of a patient for a TAVI CT, a TAVI procedure and any additional testing as necessary. The hospital’s position is that the review of the patients’ health records by the second doctor aligns with the processes in place by the TAVI Team to provide patient care to potential TAVI patients. The hospital advised that it is the responsibility of the members of the TAVI Team to complete reviews of patients who have received TAVI CTs at the hospital to determine whether a risk exists and whether an operation is required. Thus, the hospital argues that the access by the second doctor was appropriate and necessary in his role on the TAVI Team.

[45] In addition to the above, the hospital explained that a TAVI cardiologist, such as the second doctor, may also access a patient’s record in preparation for or in response to TAVI rounds. The hospital’s position is that the second doctor’s accesses also align with the practice of members of the TAVI Team reviewing patients in preparation for TAVI rounds.

[46] After considering the above information, I find that it is reasonable for the hospital to rely on implied consent for use of the patients’ personal health information. The patients attended the hospital and provided their personal health information directly to hospital agents. The personal health information of the patients was then used to assist with providing health care and there is no evidence that the patients withdrew their consent.

[47] I also find that it is reasonable to conclude that, as a co-lead of the TAVI Team, it would be necessary for the second doctor to have accessed the personal health information of the patients to assess whether further intervention was required by the TAVI Team and to prepare for TAVI rounds. Thus, I find that the use of personal health information by the second doctor is permitted pursuant to section 37(1)(a) of the Act.

Issue 3: Is a review warranted under Part VI of the Act?

[48] Section 58(1) of the Act sets out the Commissioner’s discretionary authority to conduct a review as follows:

The Commissioner may, on his or her own initiative, conduct a review of any matter if the Commissioner has reasonable grounds to believe that a person has contravened or is about to contravene a provision of this Act or its regulations and that the subject-matter of the review relates to the contravention.

[49] In light of my findings that the hospital had the authority to collect the personal health information from the patients, that it is reasonable for the hospital to rely on implied consent for the collection and use of the patients’ personal health information, and that the hospital’s agents had the authority to use the personal health information pursuant to sections 37(1)(a) and (d), and in accordance with my delegated authority to determine whether a review is conducted under section 58(1), I find that a review under Part VI of the Act is not warranted.

DECISION:

For the foregoing reasons, no review of this matter will be conducted under Part VI of the Act.

Original Signed by:

April 26, 2022

Alanna Maloney

PHIPA Investigator


[1] The Act, section 1(a)

[2] Ibid, section 29

[3] Ibid, sections 18 and 20
