Health Information and Privacy

Decision Information

Summary:

The office of the Information and Privacy Commissioner/Ontario (IPC or this office) received a complaint under the Personal Health Information Protection Act (the Act) against a pharmacy. The complaint related to the unauthorized collection of personal health information. Specifically, pharmacy staff attempted to collect the complainant’s health card number in order to fill her prescription. This was the second incident of this nature reported to this office.
This Decision finds that the pharmacy did not collect the complainant’s health card number, and therefore, did not contravene the Act. However, the Decision also finds that the pharmacy staff lacked education and training around the collection of health cards under the Act and failed to properly communicate the pharmacy’s policy to this complainant that the production of her health card was voluntary.
In response to this complaint, the pharmacy has taken a number of steps including training its staff and revising its information practices around health cards and health card numbers. In light of the actions taken by the pharmacy, I have decided no formal review of this matter will be conducted under Part VI of PHIPA.

Decision Content

PHIPA DECISION 180

Complaint HI19-00042

[A pharmacy]

May 5, 2022

Statutes Considered: Personal Health Information Protection Act, 2004, S.O. 2004, c. 3 

BACKGROUND:

[1] The office of the Information and Privacy Commissioner/Ontario (IPC or this office) received a complaint under the Personal Health Information Protection Act (PHIPA or the Act) against a pharmacy. Specifically, the complainant advised that pharmacy staff attempted to collect her health card number in order to fill her prescription. This was the second incident of this nature that the complainant reported to this office.

[2] According to the complainant, the pharmacy requested that she provide her health card number so that it could be entered into their system. However, after she expressed an objection to providing it, the pharmacy ultimately filled the prescription without having collected the information. In 2018, this office dealt with a similar complaint that was closed after the pharmacy provided information that satisfied the IPC that the matter had been addressed. After receiving this second complaint, the IPC opened this file and attempted to gather additional information from the pharmacy about this practice. The Analyst assigned to the file was not satisfied with the responses received from the pharmacy. As a result, this matter was transferred to the investigation stage of the IPC’s PHIPA complaint process and I was assigned as the investigator.

[3] During my investigation, I wrote to the pharmacy and asked a number of questions regarding the incident outlined above, and the pharmacy’s practices. The pharmacy provided detailed information about relevant policies and practices in place at the time of the incident. These materials include: privacy policies; a Code of Business Conduct policy; training materials; new patient setup and in-person pickup policies; and documentation related to Pharmacy Workflow Assessment, which ensures efficient workflow processes to help manage workload and mitigate dispensing errors.

[4] According to the information the pharmacy provided, when a customer first attends to fill a prescription or to request a service, a patient profile is created in the pharmacy’s management software. The pharmacy explained that this initial step is critical and necessary to fulfill the Ontario College of Pharmacists’ requirement for pharmacists to document and record their activities, decisions and actions as they relate to the provision of care.

[5] The pharmacy also explained that for publicly funded services, it must collect the customer’s health card number in order to determine eligibility and submit on-line claims to the Ministry of Health’s (the Ministry) Health Network System. Additionally, when processing a prescription for a controlled substance under the province’s Narcotics Monitoring Program, the pharmacy explained that the pharmacy must submit the health card number along with other data elements as prescribed by the Ministry, regardless of how the prescription is paid and/or reimbursed (e.g., publicly funded drug programs, private insurance, or cash payments).

[6] The pharmacy advised that it uses a “quick scan” [1] functionality in order to expedite the service as many customers come to the pharmacy to have their prescription filled during their breaks and are sensitive to the wait time. Additionally, the pharmacy indicated that the cultural diversity of the customer base often necessitates careful verification of the spelling of names to prevent errors or misidentification and to ensure file accuracy.

[7] The pharmacy submits that many Ontarians routinely receive publicly funded prescriptions and/or services through a number of government-sponsored programs and that pharmacies must manage constant changes in coverage status for individuals, as they move in and out of programs, depending on the Ministry’s eligibility criteria. In addition, the pharmacy advised that public funding can often co-exist with private drug coverage or cash payment. The pharmacy also indicated that it is common for a customer to come in seeking one service (e.g., prescription filling) and for the pharmacist to determine during the consultation that they need another, publicly funded service.

[8] As discussed in more detail below, during this investigation the pharmacy recognized that the pharmacy staff should have advised the complainant that providing her health card was voluntary.

[9] In response to this complaint, the pharmacy amended its patient setup policy and provided training to its staff to ensure customers are advised of the reason for collecting their health card number and that it is optional.

SCOPE OF THE BREACH:

First Incident:

[10] In 2018, the IPC received a complaint under the Act, related to an inappropriate collection of personal health information by the pharmacy. The complainant advised that she attended the pharmacy to have a prescription filled and expressed concern that the clerk at the pharmacy requested that she produce her health card in order to fill her prescription. The complainant was advised that the pharmacy required this information for their system.

[11] The complainant explained that when she objected to the collection of her health card number, the clerk advised her that her prescription could not be filled unless this information was collected. The complainant subsequently approached the pharmacist on duty to express her concern. The pharmacist also explained that they needed to collect the information details on her health card for their system, but ultimately filled the prescription without having collected the information.

[12] The complainant submitted a complaint to the IPC and a file was opened to deal with the matter.

[13] In response to the complaint, this office contacted the pharmacy and requested information regarding the incident. In its response, the pharmacy apologized to the patient, and stated that it was not pharmacy policy to require patients to provide their OHIP card, unless they are receiving publicly funded services. The pharmacy noted that the complainant’s concerns could have been avoided if pharmacy staff had more clearly communicated to her that providing her health card was voluntary.

[14] Additionally, the pharmacy explained that when a customer attends one of their locations for the first time, they are required under provincial pharmacy regulations to record certain defined data and keep it on file for a mandated period. This information includes first name, middle name, surname, full mailing address, and date of birth.

[15] The pharmacy also explained that they have developed a “quick scan” profile setup to record the required customer information in a discreet and efficient manner. This data collection is automated through scanning the customer’s driver’s license or health card. If a customer voluntarily produces their health card to be scanned, then the pharmacy will collect their health card number in addition to the personal information listed above. However, the pharmacy advised that the “quick scan” is intended to be entirely voluntary, as the process requires that the customer produce their health card or driver’s license. The pharmacy further explained that pharmacy staff are also able to collect the required information and enter it into the system manually.

[16] The pharmacy advised this office that it took the following remedial steps to ensure that a similar incident was unlikely to occur in the future:

  • The pharmacy manager coached all pharmacy staff on the appropriate way to explain the “quick patient profile” functionality to customers;
  • A reminder was sent to staff at all pharmacy locations in Ontario via weekly e-bulletin specifically advising staff:
    • How the bar scan process works;
    • What data elements are being captured;
    • How to interact with customers when asking to initiate a quick profile setup through use of health card or driver’s license, including that it is voluntary to provide this information; and
    • How to interact with customers that do not want their health card or driver’s license scanned.

[17] The complainant was satisfied with the pharmacy’s response and the file was closed.

Second Incident:

[18] On November 3, 2019, the IPC received a second complaint from the same complainant. The complainant advised that this second incident had taken place at a different location of the same pharmacy. The complainant explained that she was again asked by a pharmacy technician to provide her health card in order to receive her prescription. She refused to produce her health card and asked the pharmacy technician why her health card was needed. The pharmacy technician explained that “it was needed so it could be entered into the system” and doing so “makes it easier”. The complainant stated that she refused to provide her health card to the pharmacy assistant on duty and attempted to inform them that her health card number was not needed as her prescriptions are not funded through government programs. The pharmacy assistant advised that her health card number was a “form of identification”.

[19] As previously indicated, as a result of this second incident an investigation file was opened and assigned to me as the investigator.

PRELIMINARY ISSUES:

[20] There is no dispute that the pharmacy is a “health information custodian” and that the employees are “agents” of the pharmacy under the Act. There is also no dispute that the health card number information at issue is a record of “personal health information” under the Act.

[21] Based on the information set out above, as a preliminary matter, I find that:

  • the pharmacy is a “health information custodian” under paragraph 4 of section 3(1) of the Act,
  • the employees are “agents” of the pharmacy, within the meaning of section 2 of the Act, and
  • the information at issue is “personal health information” under section 4(1)(f) of the Act.

ISSUES:

[22] In this Decision, the following issues will be discussed:

  1. Did the pharmacy collect the complainant’s health card number? If so, was the collection authorized under the Act?
  2. Did the pharmacy respond adequately to this complaint?
  3. Is a review warranted under Part VI of the Act?

RESULTS OF THE INVESTIGATION:

Issue 1: Did the pharmacy collect the complainant’s health card number? If so, was the collection authorized under the Act?

[23] One of the purposes of the Act is to establish rules for the collection, use and disclosure of personal health information about individuals that protect the confidentiality of that information and the privacy of individuals, while facilitating the effective provision of health care. One of the ways in which the Act achieves this purpose is by requiring that collection, use and disclosure of personal health information occur with the consent of the individual to whom the information relates, except in limited cases.

[24] The Act contains provisions relating to individuals providing express or implied consent to the collection, use or disclosure of their personal health information. In certain circumstances, health information custodians can assume an individual’s implied consent to the collection, use or disclosure of their personal health information for health care purposes.

[25] A “health number” is a subcategory of “personal health information” and is defined in section 2 of the Act as:

the number, the version code or both of them assigned to an insured person within the meaning of the Health Insurance Act by the General Manager within the meaning of that Act.

[26] With respect to the collection, section 2 of the Act provides a definition as follows:

“collect”, in relation to personal health information, means to gather, acquire, receive or obtain the information by any means from any source, and “collection” has a corresponding meaning;

[27] With respect to the collection of health card numbers under the Act, the IPC’s guidance document, “Health Cards & Health Numbers” [2], states the following:

It is important to note that there is a difference between asking individuals to voluntarily provide their health cards or health numbers and requiring individuals to produce their health cards. There is nothing in PHIPA that prevents a person or organization, including municipal and provincial government agencies, employers, insurance companies, retailers, health clubs and private individuals from asking individuals to provide their health cards or health numbers, as long as it is made clear that the provision of health cards and health numbers is voluntary and that their health number will only be collected and used for purposes related to the provision of provincially funded health resources or for other purposes authorized by PHIPA.

[28] During this investigation, the pharmacy advised that staff can create a new patient profile by using its “quick scan” method by scanning a health card or driver’s license. However, the pharmacy explained that staff are also able to enter the required information into the system manually.

[29] The pharmacy has a policy regarding the collection of health card numbers from customers, namely, “Prescription Intake SOP 9.01 New Patient Setup” (the policy). I note that the policy states the following:

Note: production of a provincial health card is voluntary, except if the patient will be provided provincially funded health resources, such as drug coverage through a provincial payor, a flu shot or medication review.

[30] In the circumstances of this complaint, the pharmacy acknowledged that the complainant’s prescriptions were not funded through government programs and therefore their health card number was not required. In its submissions to the IPC, the pharmacy submitted that it recognizes the complainant’s right not to disclose their health card number and determined that staff should have both clearly identified the purpose for the collection of health card number at the time and told the complainant that the production of her health card was voluntary.

Discussion:

[31] In response to the second incident, the pharmacy investigated and determined that the pharmacy assistant on duty acknowledged providing service to someone who had expressed concerns with the request for her health card. However, the pharmacy assistant recalled that the matter was quickly dropped, as the health card number was not needed for insurance coverage of the prescription. Instead, the pharmacy assistant moved the conversation forward to create a patient profile by asking for relevant information (first name, last name, address, date of birth, allergy screening and ascertainment of insurance coverage) and entered this manually into the pharmacy software.

[32] The pharmacy confirmed that the pharmacy assistant neither received nor documented the health card number in the patient profile. However, the pharmacy acknowledged that the pharmacy assistant did not explain to the complainant that providing the health card was voluntary. Additionally, the pharmacy learned that this pharmacy assistant did not understand the sensitivity around the request for a health card and was not aware that there would be any concerns related to the request for a health card. The pharmacy’s investigation into this matter also revealed that this pharmacy assistant did not receive any specific instructions or training from the pharmacy manager on how to explain a request for the health card to the patient, even though he had worked at this pharmacy for almost a year.

[33] At the end of its investigation, the pharmacy acknowledged that there was a knowledge gap for some staff regarding the appropriate handling of health card numbers. The pharmacy submitted that it recognizes the complainant’s right to not disclose health card information and is apologetic for the lack of clarity from its staff.

Conclusion

[34] I note that the Act does not prevent the pharmacy, as a health information custodian, from asking a customer to produce their health card voluntarily. In both incidents, the pharmacy confirmed that the complainant’s prescriptions were not funded through government programs and therefore their health card was not required. In both incidents, the pharmacy confirmed that the complainant’s prescriptions were filled and that their health card number was neither collected nor retained. In addition, in her complaint to the IPC, the complainant also noted that she did not provide her health card number to the pharmacy during either incident.

[35] In the circumstances of this complaint, I find that the pharmacy did not collect the complainant’s health card number and therefore did not contravene the Act.

Issue 2: Did the pharmacy respond adequately to this complaint?

Information Practices and Policies:

[36] The Act requires that health information custodians have in place, and comply with, information practices, including administrative, technical and physical safeguards, and practices with respect to personal health information in their custody and/or control.

[37] Section 10(1) of the Act states:

A health information custodian that has custody or control of personal health information shall have in place information practices that comply with the requirements of this Act and its regulations.

[38] Section 10(2) of the Act states:

A health information custodian shall comply with its information practices.

[39] Section 2 of the Act defines information practices as follows:

“information practices”, in relation to a health information custodian, means the policy of the custodian for actions in relation to personal health information, including,

(a) when, how and the purposes for which the custodian routinely collects, uses, modifies, discloses, retains or disposes of personal health information, and

(b) the administrative, technical and physical safeguards and practices that the custodian maintains with respect to the information;

[40] As mentioned earlier, during the investigation of this matter, the pharmacy provided several of their policies and procedures to this office.

[41] As part of my investigation, I reviewed these documents. The information provided included those policies and procedures in force at the time of this incident, as well as current material. From my review, the policy most relevant to this matter is titled “Patient Intake SOP 9.01 New Patient Setup” (as mentioned above), which provides guidance to employees when setting up a new patient as part of their intake process.

[42] Based on my review, I note that this policy outlines the steps needed for setting up patient profiles in the pharmacy’s system and indicates that the production of a health card is voluntary and should only be required if absolutely necessary.

[43] In the circumstances of this complaint, the pharmacy confirmed that the health card number of the complainant was neither collected nor retained. The pharmacy also acknowledged that staff should have explained to the complainant that providing her health card was voluntary.

Privacy Training and Education:

[44] In PHIPA Order HO-013, this office discussed the importance of training and stated the following in part:

A comprehensive privacy training program is an essential tool to combat the risk of uses and disclosures of personal health information by agents in contravention of the Act, including agents who are “curious” or who are motivated by their own interests, such as financial gain.

...

Comprehensive and frequent privacy training is essential to the development and maintenance of a culture of privacy within any organization.

[45] The pharmacy advised that all staff are required to complete privacy training that provides employees with rationale, context and steps necessary to ensure the proper management and protection of patients’ personal information.

[46] The pharmacy’s internal learning management software maintains a record of the privacy training completed by all pharmacy personnel. Completion is monitored by the pharmacy manager, as part of their duties, and by the pharmacy’s Executive Leadership team.

[47] The pharmacy explained that all new employees sign a Code of Business Conduct, which includes confidentiality and privacy obligations as a condition of engagement. Security and privacy policies are reviewed and signed upon employment, and are also reviewed annually as part of ongoing privacy training.

Remediation:

[48] In view of this second occurrence of a similar nature at a different location, the pharmacy determined that training around the topic of patient profile creation needed to be more “active, prescriptive and closely tracked than had been previously done”.

[49] As a part of its investigation, the pharmacy spoke to the pharmacy assistant and the pharmacist on duty about this matter. At the conclusion of their interviews, the pharmacy advised that both employees were provided some coaching on how to identify, address and manage patient-expressed privacy concerns.

[50] The pharmacy manager was also provided one-on-one telephone coaching by the Regulatory Affairs staff on the following elements:

  • reminder of the purpose of “quick scan” functionality;
  • reminder that the “quick scan” process is voluntary;
  • clarification on which data elements are captured and why the functionality is voluntary; and
  • role play on how to provide customers a choice on which method they provide to create a new patient profile.

[51] The pharmacy manager was also requested to train her staff pharmacist and pharmacy assistants on the same elements.

[52] In response to this complaint, the pharmacy required all pharmacy managers to train all pharmacy staff on the precise language to use when creating patient profiles and requesting health card numbers. The pharmacy managers were required to advise their staff that the production of a provincial health card is entirely voluntary when obtaining services from the pharmacy, unless the patient is provided with a provincially funded health resource. The pharmacy also confirmed that all of the pharmacy managers had completed an attestation that the training had occurred.

[53] With respect to its practices regarding setting up patient profiles, the pharmacy revised its approach such that manual profile creation would become the default starting point, followed by an explanation of the alternative “quick scan” method. The pharmacy also revised its patient setup policy to ensure that staff provide the customer with the reason for the collection of health card number and that it is only collected with the customer’s consent.

[54] The pharmacy implemented the new policy in January 2021 and advised that:

  • The procedural change was communicated at the operational district field leaders’ teleconference meeting on January 18th, 2021 with a discussion on “train the trainer”;
  • The revised policy was issued to all Ontario pharmacies on January 19, 2021;
  • The operational district field leaders conducted district by district training at their weekly team meetings and confirmed the completion of the training sessions;
  • Operational district field leaders are monitoring the compliance of the new procedure through their regular operational audits;
  • Nexxsys On-line Help modules for New Patient Folder Setup and Quick Patient Setup have been modified to reflect the revised procedure and rationale;
  • The HR on-boarding Pharmacy Workflow assessment checklist has been revised;
  • In store signage has been posted to inform customers and patients what types of personal information may be collected by the pharmacy team and why; and
  • In store pharmacy staff now have a visual reminder of the new patient profile setup.

Analysis:

[55] The pharmacy has information practices in place in accordance with sections 10(1) and 10(2) of the Act. However, as is demonstrated in this matter, the pharmacy staff lacked education and training in identifying situations in which health card information is not required, and in clearly communicating to customers that production of their provincial health card is voluntary.

[56] The pharmacy acknowledged this deficiency in training and has since put in place measures to educate and train its staff with respect to their communication with the customers around health cards. Going forward, the pharmacy stated that customers will be provided a reason for collection of their health card number and that it will only be collected with their consent.

Conclusion

[57] In response to this complaint, the pharmacy investigated the matter, identified a gap in its staff’s knowledge regarding the collection of health card numbers, and took remedial steps to address it. This included revising its patient setup policy, training staff, and providing relevant communications and reminders. In consideration of these steps, I am satisfied the pharmacy has responded adequately to this complaint.

Issue 3: Is a review warranted under Part VI of the Act?

[58] Section 58(1) of the Act sets out the Commissioner’s discretionary authority to conduct a review as follows:

The Commissioner may, on his or her own initiative, conduct a review of any matter if the Commissioner has reasonable grounds to believe that a person has contravened or is about to contravene a provision of this Act or its regulations and that the subject-matter of the review relates to the contravention.

[59] In this Decision, I have found that the pharmacy did not collect the complainant’s health card number in contravention of the Act. The pharmacy has information practices in accordance with the Act and provided a copy of its patient setup policy to the IPC, which clearly indicates that the production of a health card is voluntary. However, I did find that the pharmacy’s staff did not communicate this policy properly and did not make it clear to the complainant that the collection of her health card was voluntary. In light of this, I must still decide whether a review of this matter is warranted.

[60] In response to this investigation, I find that the pharmacy has taken steps to address this matter, and has trained its staff on the importance of health card numbers and the requirements for collection of such information under the Act. With respect to its practices regarding setting up patient profiles, the pharmacy also revised its approach to default to creating a profile manually, followed by an explanation of the alternative “quick scan” method. The pharmacy also revised its patient setup policy to ensure that going forward, customers are provided a reason for the collection of their health card number, and that such information is only collected with their consent.

[61] In light of the steps taken by the pharmacy to address this matter, I conclude that a review is not warranted.

DECISION:

Section 58(1) of the Act states the following:

Commissioner’s self-initiated review

58 (1) The Commissioner may, on his or her own initiative, conduct a review of any matter if the Commissioner has reasonable grounds to believe that a person has contravened or is about to contravene a provision of this Act or its regulations and that the subject-matter of the review relates to the contravention.

In accordance with my delegated authority to determine whether a formal review should be conducted under section 58(1) of the Act and for the reasons set out above, I find that a formal review under Part VI of the Act is not warranted.

Original Signed by:

Soha Khan

PHIPA Investigator

May 5, 2022

POSTSCRIPT:

Subsequent to this matter being reported to the IPC, the Act was amended to add section 34(6), which states the following:

Collection, use and disclosure, non-provincially funded health resource

Subject to the additional requirements, if any, that are prescribed, a health information custodian that is providing health care to a person may collect, use or disclose the person’s health number with the consent of the person for the purpose of accurately identifying the person’s records of personal health information, verifying their identity or linking their records of personal health information, even where the health information custodian is not providing a provincially funded health resource.

Since the issues in this complaint predate the amendment noted above, I have not considered its application.



[1] The term “quick scan” is explained later in the Decision.
