PHIPA DECISION 181

Complaint HA19-00243

Alexandra Marine and General Hospital

May 16, 2022

Summary: The complainant made an access and correction request to Alexandra Marine and General Hospital (the hospital) under the Personal Health Information Protection Act (the Act). Upon receipt of his records of personal health information, the complainant requested corrections of the information in them. He also believed that further records exist that are responsive to his access request, raising the issue of reasonable search. In this decision, the adjudicator finds that the exception to the duty to correct at section 55(9)(b) (good faith professional opinion or observation) applies. The hospital’s decision to not make the requested corrections is upheld. With respect to the hospital’s search for responsive records, the adjudicator upholds the hospital’s search with one exception and orders the hospital to conduct a further search for a particular mental health assessment and issue a new decision letter to the complainant with respect to the results of the search.

Statutes Considered: Personal Health Information Protection Act, 2004, S.O. 2004, c. 3  Personal Health Information Protection Act, 2004,  S.O. 2004, c. 3, sections 53 , 54 , 55(8)  and 55(9) (b).

Decisions Considered: PHIPA Decisions 18 and 37.

BACKGROUND:

[1] This PHIPA decision disposes of the issues raised as a result of access and correction requests made to the Alexandra Marine and General Hospital (the hospital) under the Personal Health Information Protection Act (the Act). The access request was for the following information:

• All documentation related to the requester’s involuntary psychiatric hospitalization (Form 1) during a specified time period,
• All documentation of a Psychological Assessment of the requester on a specified date,
• All overt and covert audio and video surveillance (all fields of vison) of the hospital’s exterior, atrium, lobby, Emergency Room, and observation pod (all fields of vision) on a specified date,
• All overt and covert audio and video surveillance (all fields of vision) of the 3rd Floor (Psychiatric general unit beds) during a specified time period,
• The name and location of the security contractor personnel with authorization to operate and access audio and video surveillance, manage and destroy audio and video images remotely or on-site (procedures for secure disposal of video surveillance),
• A copy of any notice regarding the use of video or audio surveillance,
• The hospital’s policy for review of audio and video surveillance,
• The process followed for unauthorized disclosure of video surveillance or of any personal information, or failure to properly destroy information or surveillance,
• Any sanctions for hospital or organizations’ employees and contractors for failing to adhere to hospital policies,
• The name of the individual accountable for privacy compliance and who can answer questions about surveillance,
• Any anonymized or de-identified data sold to or shared with Telus Health or other electronic medical records companies relating to the requester,
• Any referrals to Psychology, Social Work, Physiotherapy, a Nurse Practitioner, a General Practitioner, the hospital’s Pharmacy, or external pharmacies relating to the requester,
• Any disclosures to a private insurer relating to the requester,
• Any disclosures to a community general practitioner relating to a requester,
• Any disclosures to the Ontario Provincial Police of personal information related to the health or mental health diagnosis, address, or other personal information of the requester. Name, badge number and reason for disclosure(s). Copy of any court order, warrant, or summons relating to the requester,
• Any disclosures to the Royal Canadian Mountain Police relating to the requester. Name, badge number and reason for disclosure, copy of any court order, warrant or summons relating to the complainant,
• Any public interest disclosures under paragraph 8(2)(m) of the Privacy Act relating to the requester,
• Any disclosures to Ontario Public Health Surveillance relating to the requester,
• Any disclosures and adverse drug reaction reporting to Health Canada Post-Market Surveillance (Canada Vigilance) relating to the requester,
• Copy of the OHIP billing summary relating to the requester,
• Copy of a signed consent form by the requester,
• Copy of an unsigned indemnity waiver identifying hospital doctors and staff,
• Copy of a signed indemnity document relating to the requester,
• Security guard uncorrected notes from a private security contractor regarding behaviour or information relating to the identity of the requester,
• Nurses charts (uncorrected) with electronic notations “abusive”, “aggressive” etc., relating to the requester,
• The location and security status of the commercial storage provider of electronic medical records,
• Any personally identifiable data, anonymized or de-identified shared with the Risk-driven Tracking Database (RTD), Ministry of Community Safety and Correctional Services (MCSCS) relating to the requester. Situation table of other “hub” agencies, practitioners within or outside of the circle of care (GP, Psychiatrist, Psychologist, Social workers, health care workers, provincial government, and federal government),
• Results of a privacy audit documenting complying with all requests or reasons for not complying with FIPPA, PHIPA, PIPEDA, and other College and regulatory obligations relating to the requester. Sanctions for potential privacy breaches by hospital staff or contractors,
• Verification and documentation of destruction of health information, physical or electronic, and
• Verification of implementation of “lock boxes” and “masking” relating to the requester.

[2] The requester also indicated that he wanted corrections made to his records of personal health information.

[3] In further correspondence with the hospital, the requester asked for the date, time, reasons for disclosure, name, and badge number of the Ontario Provincial Police Officers on admission and discharge.

[4] In response, the hospital provided the requester with a copy of his hospital file. The hospital did not provide a decision in response to the complainant’s correction request until later, as described below.

[5] The requester, now the complainant, filed a complaint to the Information and Privacy Commissioner of Ontario (the IPC) regarding the hospital’s decision.

[6] During the mediation of the complaint, the complainant stated that he did not receive a decision in response to the majority of his request, and had only received a copy of his hospital file. He also stated that he had requested that records of his personal health information be corrected, in particular regarding the characterization of his actions during his hospital admission.

[7] The mediator followed up with the hospital, which provided a supplemental access decision on to the request. The decision addressed the separate portions of the complainant’s request, and an additional responsive record was provided to the complainant.

[8] Also during mediation, the complainant identified four areas of his request for which he believes additional records responsive to his request exist at the hospital. These areas are the following:

• Video surveillance footage,
• Violence and risk assessment,
• Information regarding the police, and
• Policies and audit records.

Video surveillance footage

[9] The complainant stated that he wanted to pursue access to video surveillance footage of his stay in the hospital. The hospital stated that it deletes video surveillance footage after 30 days, and did not have copies of the surveillance video from the relevant time frame. The complainant stated that he was not satisfied with the hospital’s response to his request for this video footage.

Violence and risk assessment

[10] After reviewing the decision, the complainant stated that he believes that an additional violence and risk assessment relating to him exists. The mediator conveyed this to the hospital. The hospital stated that it did not have an additional violence and risk assessment, beyond the one previously provided to the complainant. The hospital provided the complainant with a second copy of this violence and risk assessment. The complainant stated that he believes additional violence and risk assessment records exist.

Information regarding the police

[11] The complainant states that he believes the OPP provided information about him to the hospital during his admission from the OPP officers who accompanied him at that time. He also states that he believes the hospital provided the OPP with his personal health information at the time of his discharge.

[12] The hospital confirmed that it did not collect that information or disclose any information to the OPP. The complainant stated that he was not satisfied with that response, as he believes additional records responsive to this portion of his request exist at the hospital.

Audit and policies

[13] During the mediation of the complaint, the complainant stated that he had not been provided with the audit of his personal health information that he had previously requested. The mediator conveyed this to the hospital, which provided the complainant with a copy of the audit requested.

[14] The complainant also stated that he had not been provided with policies relating to the use of restraints, violence and risk assessments, and video surveillance. The hospital subsequently provided the complainant with the Restraint Use Policy, the Restraint Use – Decision Making Model Form, the Restraint Use – Alternative Interventions Form, the Video Surveillance Policy; and the Violence in the Workplace policy – Flagging Patients.

[15] Regarding the complainant’s request for correction to his records of personal health information, the complainant provided the mediator with a clarification of his correction request, as well as a Statement of Disagreement. In particular, the complainant identified corrections he requested to be made to 11 pages of his records of personal health information. The requested corrections largely consist of striking out both remarks and actions ascribed to the complainant by hospital staff. The complainant also requested that a personal identifier, diagnosis, and some other terms be struck out. The mediator provided these requested corrections to the hospital.

[16] The hospital subsequently provided the complainant with a decision in response to the complainant’s clarified correction request. The hospital denied the correction request in full, stating as follows:

AMGH has conducted a review of your chart again and the comments and corrections you seek to have corrected/stricken. The review of your EHR has been deemed to be correct and accurate and consists of professional opinions that were made in good faith during your admission to the hospital.

AMGH cannot make changes to the EMR by nursing staff as per the College of Nurses of Ontario Practice Standard. Observations made by nurses have been deemed to be correct and accurate and were made in good faith.

[17] The hospital also confirmed that it had added the complainant’s Statement of Disagreement to his hospital file.

[18] At the conclusion of mediation, the complainant confirmed that he wanted to proceed to adjudication on the first three search matters, namely video surveillance footage, violence and risk assessment, and information regarding the police. The complainant also confirmed that the denial of his correction request is an issue in this complaint.

[19] The complaint then moved to the adjudication stage of the complaints process, where an adjudicator may conduct a review. I sought and received representations from both the hospital and the complainant, which were shared amongst them. In its reply representations, the hospital noted that the complainant had identified four areas in which he took issue with the hospital’s search, including the three identified above, as well as audits and policies.

[20] In this complaint, there is no dispute that the hospital is a health information custodian as defined in section 3(1) of the Act and that the complainant’s hospital file, which he seeks to be corrected, contains his personal health information as defined in section 4(1) of the Act.

[21] For the reasons that follow, I find that the exception to the duty to correct at section 55(9) (b) (good faith professional opinion or observation) applies, and therefore there is no duty to correct under section 55(8) . The hospital’s decision to not make the requested corrections is upheld. Concerning the hospital’s search for records responsive to the access request, I uphold the hospital’s search with one exception and order the hospital to search for a record regarding a particular mental health assessment of the complainant.

RECORDS:

[22] The corrections requested by the complainant are at pages 1, 2, 8, 9, 12, 13, 15, 16, 17, 28, and 33 of his hospital records of personal health information. With respect to the issue of reasonable search, the complainant believes that further records exist relating to video surveillance footage, violence and risk assessment, information regarding the police and audit information.

ISSUES:

1. Does the hospital have a duty to make the requested corrections under section 55(8) ? Does the exception to the duty to correct at section 55(9) (b) apply to any of the information in the records?
2. Did the hospital conduct a reasonable search for records?

DISCUSSION:

Issue A: Does the hospital have a duty to make the requested corrections under section 55(8)? Does the exception to the duty to correct at section 55(9)(b) apply to any of the information in the records?

[23] The purposes of the Act are set out in section 1, and include the right, at paragraph (c):

to provide individuals with a right to require the correction or amendment of personal health information about themselves, subject to limited and specific exceptions set out in [the Act.]

[24] Section 55(8) of the Act provides for a right of correction to records of an individual’s own personal health information in some circumstances. It states:

The health information custodian shall grant a request for a correction under [section 55(1) of the Act] if the individual demonstrates, to the satisfaction of the custodian, that the record is incomplete or inaccurate for the purposes for which the custodian uses the information and gives the custodian the information necessary to enable the custodian to correct the record.

[25] Section 55(9) of the Act sets out exceptions to the duty to correct records. This section reads:

Despite subsection (8), a health information custodian is not required to correct a record of personal health information if,

(b) it consists of a professional opinion or observation that a custodian has made in good faith about the individual.

[26] Read together, these provisions set out the criteria pursuant to which an individual is entitled to a correction of a record of his or her own personal health information. The purpose of section 55 of the Act is to impose a duty on health information custodians to correct a record of an individual’s personal health information where the record is inaccurate or incomplete for the purposes for which the custodian uses the information, subject to the limited and specific exceptions set out in section 55(9) of the Act.

[27] Section 55(10) states that upon granting a request for a correction, the health information custodian shall make the requested correction by recording the correct information in the record and striking out the incorrect information in a manner that does not obliterate the record. There is no right in the Act to have the incorrect information in a record removed, replaced, or amended in such a manner that the incorrect information is completely obliterated—it must remain legible.

[28] Therefore, even if the IPC were to order that information in a record be corrected, the order can only require a custodian to strike out the incorrect information in such a way that the original entry remains legible.

The Section 55(9)(b) Exception

[29] The purpose of section 55(9) (b) is to preserve “professional opinions or observations,” accurate or otherwise, that have been made in good faith. This purpose is based on sound policy considerations, including the need for documentation that may explain treatments provided or events that followed a particular observation or diagnosis. This approach is consistent with the approach taken to similar provisions in other jurisdictions.

[30] Where a “professional opinion or observation” is involved, section 55(8)  does not give a right to request a correction that amounts to a substitution or change to the custodian’s “professional opinion or observation,” unless it can be established that the professional opinions or observations were not made in good faith. Moreover, a request for correction or amendment should not be used to attempt to appeal decisions or professional opinions or observations with which a complainant disagrees, and cannot be a substitution of opinion, such as the complainant’s view of a medical condition or diagnosis.

[31] Where the custodian claims that section 55(9) (b) applies, the custodian bears the burden of proving that the personal health information at issue consists of a “professional opinion or observation” about the individual.

[32] However, as explained below, once the custodian has established that the information qualifies as a “professional opinion or observation,” the onus is on the individual seeking a correction to establish that the “professional opinion or observation” was not made in good faith. Therefore, if the exception applies, it does not matter whether or not the individual has met the onus in section 55(8)  because even if the complainant satisfies this office that the information is incorrect or inaccurate under section 55(8) , a finding that the exception in section 55(9) (b) applies will resolve the complaint.

[33] Section 55(9) (b) also involves a two-part analysis. The first question is whether the personal health information in the record is a “professional opinion or observation.” The second question is whether the “professional opinion or observation” was made “in good faith.”

Does any personal health information in the records qualify as a “professional opinion or observation”?

[34] In order for section 55(9) (b) to apply, the personal health information in the records must qualify as either a “professional opinion” or a “professional observation.” Only those observations and opinions that require a health information custodian or an agent to exercise or apply special knowledge, skills, qualifications, judgment or experience relevant to their profession should be defined as “professional observations” or “professional opinions” within the meaning of section 55(9)(b) of the Act.

For any personal health information in the records qualifying as a “professional opinion or observation,” was the professional opinion or observation made “in good faith?”

[35] Court decisions have stated that a finding that someone has not acted in good faith can be based on evidence of malice or intent to harm another individual, as well as serious carelessness or recklessness. The courts have also stated that persons are assumed to act in good faith unless proven otherwise. Therefore, the burden of proof rests on the individual who seeks to establish that a person has acted in the absence of good faith to rebut the presumption of good faith. [1]

[36] Accordingly, in the context of section 55(9)(b) of the Act, the burden rests on the individual seeking the correction to establish that the health information custodian did not make the professional opinion or observation in good faith.

Representations

[37] The hospital submits that the records do not require correction under the Act, as they consist of professional opinions or observations made in good faith at the time the complainant was seen, falling within the exception in section 55(9) . The hospital goes on to argue that all nursing staff are members of the College of Nurses of Ontario (the CNO) and that all medical staff are members of the College of Physicians and Surgeons of Ontario (the CPSO). In addition, the hospital submits that the staff exercised and applied special knowledge, skills, qualifications, judgement and experience relevant to their profession, as demonstrated by their annual registration with their regulatory colleges.

[38] The complainant submits that the hospital has not met its “high” burden of proof that the exception in section 55(9)  applies, as it has not provided any background materials, documentation, policies, statutory provisions, by-laws or case authorities that support its representations that the observations or opinions were made in good faith. The complainant further submits that the hospital has not provided sworn affidavits, in particular from those staff members who the complainant alleges made observations in bad faith. In addition, the complainant argues that the hospital has not provided evidence of the annual certification and proof of credentials of the involved staff who are “allegedly” members of the CNO and the CPSO.

[39] The complainant then sets out the particular corrections he wishes to be made to his records of personal health information and also argues that the entire record should be de-identified, that is, the records should remove any information that would identify an individual, including him.

[40] The complainant also argues that despite remarks made in his records of personal health information by nurses that he was allegedly threatening hospital staff, the hospital did not have concerns about disclosing the names of the staff to him and did not claim the exemption in section 52(1)(e)(i) of the Act (risk of harm to an individual) to withhold the names of the staff members in his hospital record. As a result, the complainant concludes that the “offensive notations” in the nursing notes (referred to above) must have been made in bad faith. Further, the complainant submits that in two psychological assessments conducted by a physician, there were no concerns about safety or the complainant’s conduct. The complainant concludes that given that the professional opinions or observations of this physician starkly contrasted with the nursing notes, the nurses acted in bad faith when making their notations in the complainant’s hospital file.

[41] In addition, the complainant submits that the hospital’s policy on disclosing patient information to law enforcement states that patient information may be disclosed to law enforcement only in accordance with the law, for example, the Act, the Public Hospitals Act and the Mental Health Act. The complainant’s position is that if he had been a threat to safety, he would have been involuntarily hospitalized following the expiration of the Form 1, would have been chemically and physically restrained, and his alleged threat to safety would have been reported to law enforcement. The complainant goes on to state:

If the notations contained within the Nurses Notes were made in “good faith,” which they more certainly were not, it remains profoundly unclear why the patient was not restrained; why evidence in the form of video surveillance was not secured for legal or law enforcement purposes; why the patient was voluntarily discharged after 72 hours; why the notations of conversations with the Privacy Officer, Supervisor or Admin-On-Call are not reflected in the electronic medical record; why disclosures were not made to law enforcement or others.

. . . The Adjudicator is on some level being asked to deny every iota of common sense that the Nurses Notes were made in “bad faith” in favour of the explanation that every single healthcare practitioner that the Appellant [the complainant] came in contact with failed to fulfill their serious obligations . . .

There is a more simple and straightforward explanation: the threats attributed to the Appellant [the complainant] did not take place and the notations were made in “bad faith.”

[42] Lastly, the complainant goes on to raise the issue of a deemed refusal, which was previously resolved at the intake stage of the complaints process. [2] Therefore, it is not necessary for me to address this issue.

Analysis and findings

[43] As previously stated, section 55(9) (b) involves a two-part analysis. The first question is whether the personal health information in the record is a “professional opinion or observation.” The second question is whether the “professional opinion or observation” was made “in good faith.” The burden rests on the individual seeking the correction to establish that the health information custodian did not make the professional opinion or observation in good faith. [3]

[44] I have carefully considered the representations of the complainant and the hospital, as well as studied the portions of the records for which the complainant has made the request for correction. I find that these portions of personal health information consist of the professional opinions or the professional observations of the medical and nursing staff, who are regulated health professionals. While the complainant’s position is that the medical and nursing staff are only “allegedly” registered with their respective regulatory colleges such as the CPSO and the CNO, I am satisfied with the hospital’s affidavit that these staff members are, in fact, registered with their respective regulatory colleges. I also find that these professional opinions and observations were made as a result of these regulated health professional’s assessment and observation of the complainant, which was conducted in person by them, and that they involved the exercise or application of special knowledge, skills, qualifications, judgment or experience relevant to their profession as regulated health professions. These professional opinions and observations include a medical diagnosis, as well as documentation of the complainant’s conduct while he was an in-patient at the hospital. In my view, the complainant’s request to correct this information seeks to substitute or rewrite the nurses’ and physician’s professional opinions or observations contained in the complainant’s hospital records of personal health information.

[45] Turning to whether the professional opinions and observations were made in good faith, as previously noted, in PHIPA Decision 37, Adjudicator Jennifer James found that the burden rests on the individual seeking the correction to establish that the health information custodian did not make the professional opinion or observation in good faith. Based on my consideration of the information before me, I find that it does not rebut the presumption of good faith in the circumstances of this complaint. In arriving at this decision, I took into account the contents of the records which describe the circumstances of the complainant’s time as an in-patient in the hospital, along with the absence of evidence from the complainant suggesting that the hospital acted in bad faith in writing the content of his records of personal health information. While the relationship between the complainant and the medical and nursing staff may or may not have entailed disagreements and difficulties, I find that there is no evidence of malice, intent to harm, serious carelessness or recklessness on the part of the hospital in writing the content of the complainant’s records of personal health information. In addition, in response to the complainant’s argument that the observations and opinions of the physicians differed from those of the nurses, I find that it stands to reason that different observations might be made at different times. Therefore, because the complainant has not met his onus to show that the hospital’s professional opinions or observations were made in “bad faith,” I find that the exception at section 55(9) (b) applies in the circumstances of this complaint. Accordingly, I find that the hospital does not have a duty to correct the records under section 55(8) . I also note that the hospital has scanned the complainant’s statement of disagreement to his records of personal health information, as required by sections 55(11), (12) and (13).

Issue B: Did the hospital conduct a reasonable search for records?

[46] The issue of whether a health information custodian conducted a reasonable search for records under the Act has been guided by the issue of whether an institution under the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act has conducted a reasonable search for responsive records. As the provisions relating to search in all three acts are substantially similar, the principles regarding reasonable search outlined in orders issued under the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act are both relevant and informative.

[47] Where a requester claims that additional records exist beyond those identified by the custodian, the issue to be decided is whether the custodian has conducted a reasonable search for records as required by sections 53 and 54 of the Act. If I am satisfied that the search carried out was reasonable in the circumstances, I will uphold the custodian’s decision. If I am not satisfied, I may order further searches.

[48] The Act does not require the custodian to prove with absolute certainty that further records do not exist. However, the custodian must provide sufficient evidence to show that it has made a reasonable effort to identify and locate responsive records. [4] To be responsive, a record must be "reasonably related" to the request. [5]

[49] A reasonable search is one in which an experienced employee knowledgeable in the subject matter of the request expends a reasonable effort to locate records which are reasonably related to the request. [6] A further search will be ordered if the custodian does not provide sufficient evidence to demonstrate that it has made a reasonable effort to identify and locate all of the responsive records within its custody or control. [7]

[50] Although a requester will rarely be in a position to indicate precisely which records the custodian has not identified, the requester still must provide a reasonable basis for concluding that such records exist. [8] A requester’s lack of diligence in pursuing a request by not responding to requests from the institution for clarification may result in a finding that all steps taken by the custodian to respond to the request were reasonable. [9]

Representations

[51] The hospital submits that it conducted a reasonable search for records and that the complainant has not provided a reasonable basis for his assertion that additional records exist. The hospital provided evidence regarding its search by way of its initial representations and an affidavit sworn by the President and CEO, VP Corporate Services and Chief Information Officer at the hospital in its reply representations.

[52] The hospital advises that after receiving the access request, the Manager of Health Records/Privacy Officer (the manager) contacted the complainant to clarify ten of the items listed in his access request. After a 15-minute conversation between the manager and the complainant, the complainant called the manager back and told him not to call him back. As a result, the hospital proceeded to process the request with the information that was available to it.

[53] The hospital submits that upon receipt of the access request, a Health Records Analyst (the analyst) conducted a “careful” search of the complainant’s records of personal health information and identified the following documents, which were disclosed to the complainant:

• Admission formulation,
• Admission record,
• Discharge summary,
• History report,
• Patient data, transfer of accountability, discharge assessment and infection control,
• Risk screen, triage assessment,
• Patient’s plan of care,
• List of patient notes,
• Complainant’s electronic medical record,
• The hospital’s use of restraints policy, and
• The hospital’s video surveillance policies.

[54] The hospital submits that no issues were discovered during the search and that all records were complete and accurate.

[55] With respect to video surveillance, the hospital submits that video surveillance did exist but that its policy is that video surveillance is automatically re-written after 30 days if no request is made to retain the recordings. The complainant’s access request was made more than four months after his hospitalization and, therefore, the video surveillance had been written over.

[56] In addition, the hospital advises that there are records at the office of the complainant’s family physician, as well as the Centre for Addiction and Mental Health (CAMH), and that it did not conduct a search for these records as it is not the custodian of these records.

[57] As noted above, the complainant takes issue with the reasonableness of the hospital’s search for: video surveillance footage, violence and risk assessment, information regarding the police, and audits and policies. The complainant submits that the hospital did not conduct a reasonable search for records responsive to his request, and that it has not provided any background materials, documentation, policies, statutory provisions, by-laws, case authorities or sworn affidavits that support its representations. Further, the complainant argues that the hospital has not provided any details of any searches carried out, including who conducted the searches, what places were searched, who was contacted in the course of the search, what type of files were searched, and what were the results of the searches. In addition, the complainant’s position is that the hospital has not provided details of when records were destroyed, including information about record maintenance policies and practices such as evidence of retention schedules.

[58] For example, the complainant argues that the hospital is attempting to establish that he showed a lack of diligence in pursuing his request due to his unwillingness or inability to communicate by telephone in a single day with the “nameless” manager of health records. In fact, the complainant submits, he has been diligent and available by email at all times to both the previous and current manager of health records, and throughout mediation was available to the hospital by way of a continuous dialogue guided by the IPC’s mediator.

[59] In addition, the complainant submits that he believes there is a mental health assessment that was conducted at the hospital on a particular date two months after his discharge and notes that in his records of personal health information, there is a notation that he was referred to a health care practitioner who conducted this mental health assessment. The complainant advises that he was assessed by this health care practitioner at her office, which is not located in the hospital and did receive a record of her assessment directly from her. However, the complainant argues that a prior mental health assessment had been conducted at the hospital by this same health care practitioner post-discharge, and the hospital did not search for this record either at the hospital or at the office of the health care practitioner. The complainant provided excerpts from the audit that was conducted on his hospital record, which indicate that his records of personal health information were accessed on a particular date (two months after his discharge), and that the title of the audit entry is “Mental Health Assessment.”

[60] With respect to video surveillance, the complainant’s position is that the hospital has not complied with its video surveillance policy, as it has not provided affidavit evidence about whether any copies of the video surveillance still exist.

[61] Turning to the issue of information regarding the police, the complainant submits that the hospital could have attempted to obtain the names and badge numbers of the OPP officers who brought him to the hospital from his family physician or from the OPP themselves.

[62] Concerning the violence and risk assessment, the complainant raises some privacy issues regarding how patients are identified as being high risk for violence, as well as the implementation of a “lockbox” he had requested. [10] He also reiterates that a mental health assessment was conducted at the hospital on a specified date two months after his discharge and that a record should exist which captures the results of this assessment. Further, the complainant argues that if he allegedly threatened to kill the hospital’s nursing staff, it is reasonable to conclude that the complainant would have been discussed before the Board of Directors, and with the executive leadership and legal counsel, resulting in further records relating to him.

[63] In reply, the hospital’s CEO swore an affidavit submitting that, based on his corporate history and responsibilities, he has extensive knowledge of the hospital’s records and systems and where such records are held. He also submits that the Privacy Officer is responsible for coordinating requests received under the Act, which includes identifying and working with individuals within the organization who are knowledgeable about the subject matter of the request to ensure that a reasonable search is conducted for records related to the request, such as health records and information technology staff.

[64] As previously stated, the hospital submits that after the access request was received, the manager contacted the complainant to seek clarification on ten items listed in the request. The analyst then conducted a search for records responsive to the request, a number of which would be contained in the complainant’s electronic records of personal health information, if they existed. For example, copies of any consent forms, indemnities, waivers, referrals to health professionals or pharmacies, court orders, warrants or summons are all documents that the hospital would retain as part of the complainant’s records of personal health information, as required by legislation governing public hospitals. In addition, where consent forms, warrants, orders or summons are received in hard copy, they are scanned and added to the patient’s electronic health record.

[65] Further, the hospital submits that the CEO searched the hospital’s document management system and identified certain policies that were responsive to the request which were provided to the complainant, including its Use of Restraints and Video Surveillance policies.

[66] The hospital also submits that during the mediation of the complaint, it conducted a number of other searches and provided a supplementary decision to the complainant, disclosing further policies to him. The supplementary decision also addressed all of the other items listed in the request. For example, the hospital does not post signage that video surveillance is in use, the security contractor does not have access to video surveillance, nor are they responsible for managing and destroying it, the hospital does not sell personal health information nor does it disclose it to a private insurer, and the hospital did not disclose the complainant’s personal health information to the agencies listed in the access request, including law enforcement agencies. The hospital also confirmed that a lockbox had been implemented with respect to the complainant’s records of personal health information.

[67] As previously stated, at the conclusion of mediation, the complainant identified four areas of records that he believes should exist at the hospital, namely video surveillance, violence and risk assessment, information regarding the police and audits and policies.

[68] With respect to video surveillance, the hospital reiterates that it is stored on a secure hard drive and is automatically re-written over every 30 days, unless there is an access request or there is a request for legal purposes. In this case, the complainant’s access request was made after the 30-day period. The CEO checked with the hospital’s information technology department upon receipt of the access request, but the footage of the video surveillance had been overwritten in accordance with the hospital’s video surveillance policy. In addition, the hospital submits that it does not maintain records of video surveillance destruction because the process of overwriting is done automatically.

[69] Turning to the violence and risk assessment, the hospital submits that it conducted a second search during mediation and located only one violence and risk assessment, which had already been disclosed to the complainant. It disclosed this assessment to the complainant a second time.

[70] Concerning information regarding the police, the hospital submits that it does not routinely collect information from the OPP about patients without their consent. However, if information is conveyed during the transfer of custody of an individual detained under the Mental Health Act that is relevant to the patient’s care, this information would be documented in the individual’s records of personal health information, including the names and badge numbers of OPP officers. The hospital submits that the complainant has been provided with a complete copy of his records of personal health information. In addition, as previously stated, the hospital advised the complainant that it did not disclose personal information about him to the OPP.

[71] Regarding audits and policies, the hospital argues that during mediation, the complainant requested a copy of the audit of his personal health information. The CEO asked the Manager of information technology to prepare the audit for the CEO’s review, who then reviewed the audit to ensure that there were no emissions and to confirm that there had been no unauthorized access to the complainant’s hospital record. The hospital then provided the complainant with a copy of the audit, including a definition list setting out various acronyms used in the audit report.

[72] The hospital further submits that the CEO did not access the complainant’s records of personal health information, but engaged and authorized health records staff to access the complainant’s records as part of the searches that were conducted. The hospital goes on to argue that the other individuals identified in the privacy audit were individuals who accessed the complainant’s records for non-health care related purposes, for example, accounts receivable accessed the records to address billing issues. With respect to general policies requested by the complainant, as previously stated, the CEO conducted the search for these records, located relevant ones, and disclosed them to the complainant.

[73] In sur-reply, the complainant submits that there is a power imbalance between a legally represented hospital and an unrepresented individual with a permanent disability (the complainant) in a review such as the present one. As a result, he is concerned that there are systemic factors that bias this review towards the hospital. The complainant also submits that during the review of this complaint, while he was given two extensions in which to submit his representations, he was given no other accommodation or guidance as to providing those representations.

[74] Concerning the searches that were conducted by hospital staff, the complainant argues that the hospital has not provided any documentation about the “certifications” held by these staff members and that the only individual who provided a sworn affidavit was the hospital’s CEO, not the staff who actually conducted the searches for his records of personal health information.

[75] The complainant goes on to raise the issue of his lockbox and his belief that staff accessed his records of personal health information following the implementation of the lockbox.

Analysis and findings

[76] The IPC has extensively canvassed the issue of reasonable search in orders issued under the Freedom of Information and Protection of Privacy Act and its municipal counterpart. It has also addressed the issue of reasonable search under the Act in, for example, PHIPA Decision 18, in which Adjudicator Catherine Corban found that the provisions concerning reasonable search in response to an access request in the public sector access statutes are substantially similar to those contained in the Act. Adopting and applying the approach taken by Adjudicator Corban, the principles outlined in orders of this office addressing reasonable search under those statutes are instructive to my review of this issue under the Act.

[77] Having carefully reviewed all of the evidence before me, including both parties’ complete representations, I am satisfied that the searches conducted for records responsive to the complainant’s request by the hospital during the request stage and subsequently during the mediation of the complaint were reasonable and are in compliance with its obligations under the Act, with one exception.

[78] I find that the hospital has provided sufficient evidence to demonstrate that it made a reasonable effort to identify all responsive records within its custody and control. Based on the information before me, I accept the hospital’s argument that it interpreted the access request broadly, and that it provided the complainant with a complete copy of his records of personal health information, general policies, an audit of his records and answers to specific components of the access request.

[79] Under the Freedom of Information and Protection of Privacy Act and its municipal counterpart, although a requester will rarely be in a position to indicate precisely which records the health information custodian has not identified, the requester still must provide a reasonable basis for concluding that such records exist. [11] In PHIPA Decision 18, Adjudicator Corban found that this requirement was equally applicable in determining whether a health information custodian conducted a reasonable search under the Act. I agree with and adopt this approach, and in the circumstances of this complaint, I find that the complainant has not provided a reasonable basis to conclude that additional records relating to him and the hospital exist, again noting one exception.

[80] In the complainant’s representations, he provided excerpts from the audit that was conducted of his hospital record. One entry indicates that his records of personal health information were accessed on a particular date (two months after his discharge), with the audit entry stating “Mental Health Assessment.” In my view, this audit entry establishes that the complainant has provided a reasonable basis for believing that a second mental health assessment may have been conducted at the hospital approximately two months after his discharge, and there may be a record reflecting that.

[81] For these reasons, I am satisfied that, for the most part, the hospital has discharged its onus and has demonstrated that it has conducted a reasonable search in compliance with its obligations under the Act. However, with respect to the possible second mental health assessment as identified by the entry in the audit report, I conclude that the complainant has provided a reasonable basis for determining that a mental health assessment record may exist. As a result, I will order the hospital to conduct a further search for a possible record relating to a second mental health assessment of the complainant which may have taken place at the hospital approximately two months after his discharge from the hospital.

[82] I note that the complainant raised the issue of staff accessing his records of personal health information after the hospital implemented a lockbox at his request. This issue was not identified in the original complaint to the IPC, or at any time during the complaints process. Therefore, I will not address the lockbox issue in this review. The complainant may choose to make a separate complaint about that issue to the IPC.

[83] Finally, the complainant raised issues about accommodation and systemic bias of the IPC towards health information custodians. First, I note that the only accommodations the complainant requested during the review of this complaint were related to extensions of time in which to submit his representations. Those requests were granted. Second, the complainant has provided no evidence of any systemic bias on the part of the IPC and, accordingly, I will not address this issue further.

ORDER:

For the foregoing reasons, under section 61(1)(c) of the Act, I order the hospital to conduct a further search for a second mental health assessment of the complainant, and to issue a new decision letter to the complainant within 30 days of the date of this PHIPA decision, describing the steps taken in this search and the results of the search.

Original Signed by:		May 16, 2022
Cathy Hamilton
Adjudicator