PHIPA DECISION 213

Complaint HC18-7

Sinai Health System

June 29, 2023

Summary: This complaint concerns allegations that the respondent Sinai Health System (the hospital) and an affected person (a doctor who had privileges at the hospital at the relevant times) used and disclosed the complainant’s personal health information in violation of her withdrawal of consent following her allegations of sexual assault by the doctor, and her request that the doctor no longer be involved in her health care. The incidents at issue involve the hospital’s and doctor’s disclosures of the complainant’s personal health information to the doctor’s lawyer and to the College of Physicians and Surgeons of Ontario, for purposes related to proceedings involving the doctor arising from allegations about his conduct. They also include the doctor’s uses and a disclosure of her personal health information for health care purposes.

In this decision, the adjudicator finds that the hospital’s and doctor’s disclosures to the doctor’s lawyer and to the College, made for the purposes of existing or reasonably contemplated proceedings involving the doctor, were authorized by PHIPA to be made without consent.

However, the adjudicator finds that other uses and one disclosure of the complainant’s personal health information, made for health care purposes, were made in violation of PHIPA. In the circumstances, the complainant’s report of sexual assault and her request that the doctor no longer be involved in her health care was an express withdrawal of her consent to the doctor’s use and disclosure of her personal health information for health care purposes. Her statements also amounted to an express instruction against these uses and disclosure of her personal health information for health care purposes without her consent. By failing to recognize and implement the complainant’s express withdrawal of consent to, and her express instruction against, these uses and disclosure, the hospital allowed the doctor to continue to use and disclose the complainant’s personal health information for health care purposes contrary to her wishes, and in violation of PHIPA.

During the course of the complaint, the hospital acknowledged and implemented the complainant’s withdrawal of consent with respect to her personal health information. To address the broader issues raised by the complaint, the adjudicator orders the hospital to amend its information practices to clarify an individual’s right to withhold or withdraw consent to the collection, use, and disclosure of her personal health information, and to make express instructions with respect to the uses and disclosures of that information for certain purposes without consent. These amendments should make clear that an individual will not always employ specific terminology in PHIPA to communicate a withholding or withdrawal of consent or an express instruction with respect to her personal health information.

Statutes Considered: Personal Health Information Protection Act, 2004 , SO 2004, c 3, Sch A  (as amended), sections 2 (definitions); 6(2); 12(1) and (2); 17; 20(1) and (2); 29; 37(1)(a) and (h); 37(2); 38(1)(a); 41(1)(a); 41(1)(d)(i) and (ii); 41(2); 43(1)(b); and 50(1)(e).

Decisions Considered: PHIPA Decision 144; PHIPA Decision 168; PHIPA Decision 192.

Cases Considered: The Estate of Richard Martin v. Health Professions Appeal and Review Board, 2023 ONSC 2993.

OVERVIEW:

[1] This decision addresses a complaint about the use and disclosure of a complainant’s personal health information by Sinai Health System (the hospital) and by an affected person who was, at the relevant times, a physician with privileges at the hospital (the doctor).[1]

[2] The complainant states that the doctor sexually assaulted her during an examination in 2016.

[3] In her complaint to the Information and Privacy Commissioner of Ontario (IPC), the complainant alleged that the hospital contravened the Personal Health Information Protection Act, 2004 (PHIPA) by allowing the doctor to continue to use and disclose her personal health information for health care purposes even after she reported the sexual assault to the hospital and told the hospital that she no longer wanted the doctor involved in her health care. She also took issue with the hospital’s and the doctor’s disclosures of her personal health information to the doctor’s lawyer and to the College of Physicians and Surgeons of Ontario in the course of that regulatory body’s investigation of the doctor.

[4] In this decision, I find that the hospital’s and doctor’s disclosures of the complainant’s personal health information to the doctor’s lawyer and to the College of Physicians and Surgeons of Ontario, made for purposes relating to existing or reasonably contemplated proceedings involving the doctor, were authorized to be made without consent in PHIPA .

[5] However, I find that other uses and one disclosure of the complainant’s personal health information for health care purposes contravened PHIPA . In the circumstances, I find that the complainant’s statements to the hospital communicated an express withdrawal of her consent to the hospital’s sharing her personal health information with the doctor for health care purposes, and to the doctor’s subsequent use and disclosure of that information for those purposes. As a result, these actions were not authorized to be made on the basis of consent. The complainant’s statements also amounted to an express instruction against the doctor’s use and disclosure of her personal health information for health care purposes without consent; because of this express instruction, there was no authority in PHIPA  for these actions without consent.

[6] I further find that the hospital enabled these unauthorized uses and disclosure by failing to recognize and implement the complainant’s wishes with respect to her personal health information. In fact, as I discuss below, the hospital entirely misunderstood the complainant’s statements by treating them as an express consent to the doctor’s continued use and disclosure of her personal health information for health care purposes—this was the opposite of the complainant’s wishes, and her express statements to that effect.

[7] During the course of the complaint, the hospital recognized and implemented the complainant’s withdrawal of consent, by applying a “lock box” to her electronic health record. The hospital also acknowledged shortcomings in its response to the complainant’s lock box request. In addition to making the above findings, and to address the broader issues raised by this complaint, I order the hospital to amend its information practices to clarify the right of a patient to withhold or withdraw her consent and to make express instructions with respect to her personal health information. This should include specific guidance to hospital agents that these rights are not dependent on a patient’s employing specific terminology in PHIPA .

BACKGROUND:

[8] The complainant was a patient of the hospital’s pain management centre, where she was treated by the doctor. The complainant alleges that she was sexually assaulted by the doctor during an examination in 2016.[2]

[9] In January 2017, the complainant reported the sexual assault, as well as other concerns about her care, to the hospital’s privacy and risk coordinator. The complainant says that at that time, she withdrew her consent for the doctor to be involved in her health care. The complainant later received an email from the privacy and risk coordinator, confirming their meeting in January and advising her that the complaint was under investigation.

[10] In February 2017, the complainant also contacted the hospital’s human rights and health equity specialist with her concerns about the doctor. In an email to the equity specialist, the complainant asked that the results of certain tests be forwarded to her family doctor, and that the hospital do the same with future tests, because the complainant no longer felt comfortable under the doctor’s care. The complainant says that in additional emails she sent to the equity specialist, and at a meeting with the equity specialist later that same month, she reiterated her request not to be treated by the doctor or to have him involved in the coordination of her care.

[11] The complainant alleges that despite these requests, the hospital inappropriately continued to share her personal health information with the doctor. In the complainant’s view, she explicitly revoked her consent to the doctor’s involvement in her health care and with her personal health information when she first reported the sexual assault to the hospital’s privacy and risk coordinator in January 2017. She alleges that any use and disclosure of her personal health information contrary to her request after that date occurred without authority and in violation of PHIPA .

[12] The complainant raised these concerns with the IPC in January and February 2018, resulting in the IPC’s opening the present complaint file against the hospital. Relevant to this review, the complainant alleged that the following events (occurring after her January 2017 report to the hospital of sexual assault by the doctor and her request that the doctor no longer be involved in her health care) are instances in which the hospital failed to comply with and enforce her withdrawal of consent in respect of her personal health information:

• That the doctor accessed the complainant’s electronic health record on three specified dates in January, March, and July 2017 (as identified by the hospital’s audit of the complainant’s health record);
• That the doctor made three specialist and diagnostic referrals in January and February 2017;
• That the hospital provided the doctor’s lawyer with the complainant’s records of personal health information in February 2017;
• That the doctor sent a fax to his lawyer in March 2017 containing a consultation note (dated February 2017) prepared by the complainant’s new physician;
• That the doctor sent the complainant’s family doctor a consultation note in March 2017 regarding the status of the complainant’s care;
• That the hospital continued to copy the doctor on emails between hospital agents in March and April 2017 regarding the complainant’s specialist and diagnostic referrals;
• That the doctor sent the complainant a letter in July 2017 communicating the cancellation of an upcoming appointment; and
• That the hospital sent the complainant’s records of personal health information to the College of Physicians and Surgeons of Ontario in September 2017.

[13] During the IPC complaint process, the hospital provided explanations for some of the above incidents. As I explain further below, the hospital states that it did not initially understand the complainant’s January 2017 report of sexual assault and request to be treated by another health care provider as a withdrawal of consent in respect of her personal health information. As a result, at the time of the incidents at issue, the hospital had not restricted the doctor’s access to the complainant’s health records.

[14] The complainant maintains that the hospital ought to have understood her statements as her withdrawal of consent to the doctor’s accessing her health records.

[15] The complaint could not be resolved through mediation, and was transferred to the adjudication stage of the IPC process, where an IPC adjudicator may conduct a review under section 57(3) of PHIPA . An IPC adjudicator began her review of this matter by sending a Notice of Review to the respondent hospital on December 2, 2020. The hospital provided representations in response.[3]

[16] On the same date in December 2020, the IPC adjudicator notified the doctor of the complaint. The doctor is an affected person in this complaint because he is affected by the subject-matter of the IPC’s review into the actions of the respondent hospital, which is the primary focus of the review. Because the actions of the doctor are central to several of the incidents under review, the IPC provided the doctor with an opportunity to make representations in the review, in accordance with section 60(18) of PHIPA .[4]

[17] In response to the Notice of the Review, the doctor (represented by legal counsel) wrote to the IPC to request that the IPC disclose to him a number of documents, including records of the complainant’s personal health information, in order to participate in the review.

[18] During the adjudication stage, this complaint was reassigned to me as the new adjudicator. On November 16, 2022, I issued PHIPA Decision 192 to address the doctor’s disclosure request. In PHIPA Decision 192, I partially granted the doctor’s request. I disclosed to him certain documents that are relevant and proportionate, in the circumstances of this complaint, to satisfy the procedural fairness rights of the doctor as an affected person in the review. I declined to disclose to the doctor other documents and portions of documents, which I concluded are not relevant to the issues to be decided in the review, and the disclosure of which is not required for the purposes of procedural fairness to the doctor.

[19] After the release of PHIPA Decision 192 and the disclosure described in the decision, the doctor made representations in the review. I then provided the complainant with complete copies of the representations of the hospital and the doctor, and I invited her representations on the facts and issues in the complaint and on the positions taken by the other parties to the review. The complainant ultimately did not make representations in the review. However, she asked that I consider the materials she had provided to the IPC at earlier stages of the complaint process.

[20] I then shared with the hospital a complete copy of the doctor’s representations. At this stage, I informed both the hospital and the doctor that the complainant had not made representations in response to a Notice of Review and the complete representations of the hospital and the doctor. I also informed all the parties that at the complainant’s request, I would consider the materials she had provided to the IPC at earlier stages of the complaint process.[5] The hospital declined to make further representations in response to the representations of the doctor. I concluded that I did not require further representations from the parties to decide the issues in this review.

[21] In this decision, I find that some disclosures of the complainant’s personal health information made in relation to proceedings were authorized to be made without consent under PHIPA .

[22] However, I find that other uses and one disclosure of her personal health information, made for health care purposes, were made in violation of the complainant’s express withdrawal of consent to such actions, and therefore contravened PHIPA . Alternatively, these uses and disclosure for health care purposes were not permitted to be made without consent, because the complainant had made an express instruction against these activities. The hospital later recognized and implemented the complainant’s withdrawal of consent. However, to address broader gaps identified by this complaint, I order the hospital to amend its information practices to clarify a patient’s right to withhold or withdraw consent or to make express instructions with respect to her personal health information.

DISCUSSION:

[23] One of the purposes of PHIPA  is to protect the confidentiality of personal health information and the privacy of the individuals to whom the information relates. PHIPA  achieves this purpose by, among other things, requiring that all collections, uses, and disclosures of personal health information be made with the appropriate consent, or otherwise be authorized by PHIPA . PHIPA  also imposes duties on health information custodians to take reasonable steps to protect personal health information in their custody or control.

[24] In this complaint, there is no dispute, and I find, that the hospital is a “health information custodian”[6] with respect to the information at issue in the review, and that at the relevant times, the doctor was an “agent”[7] of the hospital, within the meaning of those terms in PHIPA . There is also no dispute that the incidents at issue in this review involve the complainant’s “personal health information” as defined in PHIPA .[8]

[25] As a result, PHIPA ’s rules concerning the collection, use, and disclosure of personal health information apply to the incidents under review in this complaint. Some of these incidents involve actions by the hospital, while others involve actions by the doctor in his capacity as an agent of the hospital.

[26] In the discussion that follows, I will consider the complainant’s allegations about unauthorized uses and disclosures of her personal health information in two parts.

[27] First, I will consider the allegations about the hospital’s and the doctor’s disclosures of her personal health information to outside parties (the doctor’s lawyer and the College of Physicians and Surgeons of Ontario), which the hospital and doctor say were authorized to be made without consent. As will be seen below, I find that these disclosures complied with PHIPA .

[28] Then I will consider the allegations about certain uses and a disclosure of the complainant’s personal health information by the hospital and by the doctor, which the hospital and the doctor say were made for health care purposes based on their understanding of the complainant’s consent. In fact, I find that the complainant had expressly withdrawn her consent to these actions, so they were not authorized to be made based on consent. I also find these actions were not authorized to be made without consent, in view of the express instruction made by the complainant. I conclude that these latter actions did not comply with PHIPA .

THE USES AND DISCLOSURES IN RELATION TO PROCEEDINGS

[29] Under this heading, I will consider the following incidents at issue in the review:

• That the hospital provided the doctor’s lawyer with the complainant’s records of personal health information in February 2017;
• That the doctor sent a fax to his lawyer in March 2017 containing a consultation note (dated February 2017) prepared by the complainant’s new physician; and
• That the hospital sent the complainant’s records of personal health information to the College of Physicians and Surgeons of Ontario in September 2017.

[30] These incidents involve “disclosures”[9] of the complainant’s personal health information by the hospital or by the doctor, as agent of the hospital.

[31] As noted above, section 29 of PHIPA  requires that all collections, uses, and disclosures of personal health information be made with consent, or otherwise be authorized to be made without consent by PHIPA . Sections 38-48 and 50 of PHIPA  set out circumstances in which a health information custodian is permitted or required to disclose personal health information without consent. The hospital claims that the disclosures listed above were authorized to be made without consent.[10]

[32] The hospital relies on section 41(1)(a) of PHIPA  as the authority for its disclosures of the complainant’s personal health information to the doctor’s lawyer and to the College of Physicians and Surgeons of Ontario. Section 41(1)(a) states:

A health information custodian may disclose personal health information about an individual […] subject to the requirements and restrictions, if any, that are prescribed,[[11]] for the purpose of a proceeding or contemplated proceeding in which the custodian or the agent or former agent of the custodian is, or is expected to be, a party or witness, if the information relates to or is a matter in issue in the proceeding or contemplated proceeding[.]

[33] The hospital and the doctor cite the same section of PHIPA  as the authority for the doctor’s disclosure of the complainant’s personal health information to his lawyer in March 2017. Also relevant in respect of the doctor’s disclosure to his lawyer are sections 37(1)(h) and 37(2), which permit an agent of a custodian to use personal health information without consent for the purpose of certain proceedings or contemplated proceedings; and section 41(2), which permits the agent to disclose that same information to his professional advisor to obtain advice or representation.[12] The hospital states that the doctor’s disclosure was consistent with its policy on permitted disclosures of personal health information, and with its expectations of its agents.

[34] The hospital explains that on the relevant dates, there were multiple actual or contemplated proceedings involving the doctor, owing to the serious allegations made against him by the complainant and others.

[35] With respect to the hospital’s and the doctor’s February 2017 and March 2017 disclosures to the doctor’s lawyer, the hospital explains that by that date it had already advised the doctor that it would be investigating the allegations made against him, with potential consequences for his hospital privileges following a review under the Public Hospitals Act .[13] Additionally, the hospital reports, by that date the complainant had informed the hospital of her intention to file a complaint with the College of Physicians and Surgeons of Ontario, which complaint would be expected to lead to a College investigation. The hospital reports that in fact a College investigation did later occur, as did a hospital review that ultimately led to the permanent revocation of the doctor’s hospital privileges. It notes that a College proceeding qualifies as a “proceeding” within the meaning of that term in sections 2 and 41(1)(a) of PHIPA .[14] The hospital also notes that the disclosed records concerned the doctor’s care to the complainant, and/or to the care later provided to her relating to the doctor’s diagnoses and referrals, and were thus directly related to the matters at issue in those proceedings.

[36] With respect to the hospital’s September 2017 disclosure to the College, the hospital relies, in addition to section 41(1)(a), on sections 41(1)(d)(i) and (ii), and section 43(1)(b), which further address disclosures for specific proceedings. These sections of PHIPA  state:

41 (1) A health information custodian may disclose personal health information about an individual […]

(d) for the purpose of complying with,

(i) a summons, order or similar requirement issued in a proceeding by a person having jurisdiction to compel the production of information, or

(ii) a procedural rule that relates to the production of information in a proceeding.

43 (1) (b) A health information custodian may disclose personal health information about an individual […] to a College within the meaning of the Regulated Health Professions Act, 1991 for the purpose of the administration or enforcement of the Drug and Pharmacies Regulation Act, the Regulated Health Professions Act, 1991 or an Act named in Schedule 1 to that Act[.]

[37] The hospital states that its disclosure to the College was made in response to the College’s demand to the hospital arising from the College’s investigation of the doctor under the Regulated Health Professions Act, 1991 (RHPA).[15] In such a case, the hospital says, the disclosure was not only authorized under PHIPA , it was mandatory at law.

[38] As noted above, the complainant did not make representations at the review stage in response to the hospital’s and doctor’s representations on this issue. However, at her request, I have considered the detailed submissions she made at the early resolution stage of the complaint process. In these submissions, the complainant notes that some of the incidents at issue in the complaint, including the disclosures described above, predate her eventual complaint to the College. She adds that while the College contacted her in fall 2017, this was in relation to a misconduct allegation the College had received from a different patient of the doctor. The complainant thus asserts that College proceedings relating to her specific allegations were not in existence or even contemplated on the date of these disclosures.

[39] Although I have considered the complainant’s submission, I conclude that the two disclosures by the hospital were authorized to be made without consent under section 41(1)(a) of PHIPA , and, in respect of the hospital’s disclosure to the College, additionally authorized by section 43(1)(b) of PHIPA . I also find that the doctor’s disclosure to his lawyer was authorized to be made without consent under sections 37(1)(h), 37(2), and 41(2) of PHIPA .

[40] I accept that at the time of these disclosures, the hospital had already initiated or reasonably contemplated proceedings involving the doctor based on the serious nature of the complainant’s allegations against him. The doctor provides support for the hospital’s position, reporting that he received a letter from the hospital, dated late January 2017, notifying him of the complainant’s allegation against him and of the hospital’s investigation into this matter. This letter also advises the doctor of the complainant’s statement to the hospital that she intended to file a complaint to the College about this matter. I am persuaded that at the time of the hospital’s February 2017 disclosure and the doctor’s March 2017 disclosure to the doctor’s lawyer, the hospital had already begun its investigation of the doctor, and that both parties reasonably contemplated future College proceedings involving the doctor.[16]

[41] Based on the information before me, I also accept the hospital’s statement that its September 2017 disclosure to the College was made in response to a College demand for records arising from an actual College investigation occurring at that time. The complainant acknowledges that by the fall of 2017, the College was conducting audits of the files of other patients of the doctor, based on its receipt of a misconduct allegation (made by another individual) against the doctor. There is no claim before me and no evidence to suggest that these disclosures resulted in the release of more personal health information than was reasonably necessary for the purpose of the disclosures, or otherwise contravened section 30 of PHIPA .

[42] Finally, I have considered the complainant’s submission that even if the hospital’s disclosure to the College was authorized to be made under PHIPA , the hospital failed to provide her with notice of the disclosure, and her right to complain to the IPC about the disclosure, pursuant to section 12(2) of PHIPA . This section states:

Subject to subsection (4) and to the exceptions and additional requirements, if any, that are prescribed, if personal health information about an individual that is in the custody or control of a health information custodian is stolen or lost or if it is used or disclosed without authority, the health information custodian shall,

(a) notify the individual at the first reasonable opportunity of the theft or loss or of the unauthorized use or disclosure; and

(b) include in the notice a statement that the individual is entitled to make a complaint to the Commissioner under Part VI.

[43] The duty to notify in section 12(2) of PHIPA  applies only where personal health information in the custody or control of a custodian is “stolen or lost,” or “used or disclosed without authority.” Because I have found that the disclosures were authorized to be made without consent under PHIPA , the duty to notify in section 12(2) does not apply.

[44] I thus find no violation of PHIPA  in respect of the disclosures made by the hospital and the doctor without consent in relation to proceedings.

THE USES (AND DISCLOSURE) MADE BASED ON A CLAIM OF CONSENT

[45] Under this heading, I will consider whether there was consent for certain uses (and a further disclosure) of the complainant’s personal health information for health care purposes. The claim of consent applies to the following incidents at issue in the review:

• That the doctor accessed the complainant’s electronic health record on three specified dates in January, March, and July 2017 (as identified by the hospital’s audit of the complainant’s health record);
• That the doctor made three specialist and diagnostic referrals made by the doctor in January and February 2017;[17]
• That the hospital continued to copy the doctor on emails between hospital agents in March and April 2017 regarding the complainant’s specialist and diagnostic referrals; and
• That the doctor sent the complainant a letter in July 2017 communicating the cancellation of an upcoming appointment.

[46] These incidents involve “uses”[18] of the complainant’s personal information by the hospital and the doctor. They involve the hospital’s sharing of or the doctor’s dealing with the complainant’s personal health information in the doctor’s capacity as an agent of the hospital.[19]

[47] Under this heading, I will also consider the following incident, which consists of both a “use” and a “disclosure” of personal health information:

• That the doctor sent the complainant’s family doctor a consultation note in March 2017 regarding the status of the complainant’s care.

[48] This additional incident includes, as an element, the doctor’s disclosure of the complainant’s personal health information to the complainant’s family doctor, a third party who is neither the custodian in this complaint (i.e., the hospital) nor an agent of the custodian. The hospital and the doctor submit that the disclosure was authorized to be made under PHIPA  for health care purposes.[20] However, this disclosure by the doctor was possible only because, at the relevant date, the hospital continued to allow the doctor to access (and thus to “use”) the complainant’s personal health information for health care purposes.

[49] All of these incidents raise the key issue of whether the hospital complied with PHIPA  when it continued to allow the doctor to use the complainant’s personal health information for health care purposes after the complainant had made a sexual assault allegation against the doctor and asked that he no longer be involved in her care. The hospital and the doctor submit that all these incidents were authorized under PHIPA  because of the hospital’s understanding, at the relevant times, that it had the complainant’s consent to sharing her personal health information with the doctor for health care purposes, and the doctor’s subsequent use and disclosure of that information for those purposes. Alternatively, the hospital proposes that these actions were permitted to be made without consent for health care purposes.

[50] I will address these issues by first setting out the relevant provisions of PHIPA  that address the use and disclosure of personal health information for health care purposes, including on the basis of consent. I will then consider how these provisions apply in the circumstances of this complaint.

Consent and the withdrawal of consent under PHIPA

[51] As noted above, section 29 of PHIPA  requires that all collections, uses, and disclosures of personal health information be made with consent, unless these actions are otherwise authorized to be made without consent by PHIPA . Consent under PHIPA  may be express or implied. PHIPA  permits custodians to rely on implied consent for the collection, use, or disclosure of personal health information for most purposes, provided the conditions for a valid consent are met.[21] The conditions for a valid consent, whether express or implied, are set out in section 18 of PHIPA .

[52] A health information custodian who has obtained an individual’s consent to collect, use, or disclose the individual’s personal health information is generally entitled to assume that the consent fulfils the requirements of PHIPA and that the individual has not withdrawn the consent, unless it is not reasonable to assume so [section 20(1)]. Certain types of health information custodians can also assume an individual’s implied consent for the collection, use, or disclosure of the individual’s personal health information for health care purposes, provided specific conditions are met [section 20(2)]. These collections, uses, and disclosures based on assumed implied consent are sometimes described as occurring within the individual’s “circle of care.”[22] Section 20(2) of PHIPA  makes clear that a custodian can rely on assumed implied consent only where the custodian is not aware that the individual has expressly withheld or withdrawn consent.[23] Section 19 of PHIPA  explicitly sets out the right of an individual to withdraw or to place conditions on her consent to the collection, use, or disclosure of her personal health information.[24]

[53] In addition to sections 19 and 20(2), additional sections of PHIPA  contemplate the right of an individual to provide express instructions to custodians not to use [section 37(1)(a)] or to disclose [sections 38(1)(a) and 50(1)(e)] the individual’s personal health information for health care purposes without consent.[25] This bundle of rights is often referred to as the “lock box” provisions in PHIPA .

[54] Among other things, PHIPA  requires a custodian to take reasonable steps to protect personal health information in the custodian’s custody or control against unauthorized use or disclosure [section 12(1)], and to have in place and to comply with information practices that meet the requirements of PHIPA and its regulations [sections 10(1) and (2)].

[55] A custodian must also take reasonable steps to ensure that its agents are aware of and understand their obligations under PHIPA and under the custodian’s information practices (sections 12(1), 15(3)(b), and 17). The custodian remains responsible for any handling of personal health information by its agents, who act on the custodian’s behalf [sections 17(1) and 17(3)(b)]. An agent’s handling of personal health information on the custodian’s behalf must comply with PHIPA , and with the custodian’s information practices, including any conditions or restrictions imposed by the custodian [sections 17(1.1), 17(2), and (4)].

[56] In this complaint, the hospital asserts that the incidents at issue under this heading involved uses (and one disclosure) of the complainant’s personal health information based on consent, in accordance with the hospital’s understanding of the complainant’s wishes at the time of the incidents. The doctor provides concurring submissions in which he explains that he understood from the hospital that he could rely on the complainant’s consent for his uses and disclosure made for health care purposes. In the alternative, the hospital submits that the incidents involved permitted uses without consent for health care purposes under section 37(1)(a) of PHIPA ; one of the incidents also involves a disclosure, which PHIPA  permits without consent for health care purposes, in some circumstances, under section 38(1)(a) or 50(1)(e). As noted above, however, these sections of PHIPA  permitting uses and disclosures without consent in some circumstances are subject to any applicable express instructions made by the individual to whom the personal health information relates.

[57] In the discussion that follows, I find that the complainant’s statements to the hospital communicated an express withdrawal of consent to, and an express instruction against, the uses and disclosure of her personal health information for health care purposes that occurred in this case. These unauthorized uses and disclosure were the result of the hospital’s failure to recognize and implement the complainant’s wishes with respect to her personal health information. In this way, the hospital failed in its duty to take reasonable steps to protect personal health information in its custody or control.

Did the uses and disclosure of the complainant’s personal health information for health care purposes comply with PHIPA?

Did the hospital take reasonable steps to protect personal health information in its custody or control against unauthorized use or disclosure?

[58] The incidents at issue in this review occurred after the January 2017 meeting at which the complainant made a sexual assault allegation against the doctor and requested that the doctor no longer be involved in her health care. This initial report was followed by the complainant’s separate report the next month to the hospital’s human rights and health equity specialist, and additional emails and meetings in which the complainant reiterated her concerns. It is the complainant’s position that when she reported the sexual assault and requested the transfer of her care to another health care provider, she also withdrew her consent to any further accesses to her personal health information by the doctor.

[59] The hospital explains that it did not interpret the complainant’s January and February 2017 statements in this way. In the hospital’s account of the January 2017 meeting with the privacy and risk coordinator, the complainant made sexual assault allegations against the doctor, expressly stated her wish to be referred to another health care provider, and expressly stated her wish that the hospital honour the doctor’s referrals. The hospital observes that the privacy and risk coordinator’s memo of this meeting indicates that the complainant did not, at any time during that meeting, explicitly ask the hospital to “lock” the doctor’s access to her personal health information. Instead, the hospital says, it interpreted the complainant’s request regarding the doctor’s referrals “to include express consent to facilitate the referrals.” In the hospital’s view, this entailed the doctor’s continued access to records of the complainant’s personal health information for this purpose.

[60] The hospital explains that at the relevant time, specialist appointments could be obtained only through a physician referral and diagnostic tests required a physician order. Since the doctor had recommended (and in some cases had initiated) the referrals, the hospital provided specific direction to the doctor to complete processing these referrals, in accordance with the hospital’s standard practice and in the belief that the doctor’s involvement would be the most effective way to complete the referrals in a timely manner. The doctor supports the hospital’s account of events. He reports that the hospital did not at any time advise him that he was not to access the complainant’s records of personal health information. In fact, the doctor says, the hospital explicitly directed him to complete the referrals, which he took as confirmation of his authority to access the complainant’s health records, based on her consent, for this purpose.

[61] With respect to the March and April 2017 emails on which the doctor was copied, the hospital explains that as part of its standard process for referrals, the referring physician was automatically copied on emails relating to and flowing directly from those referrals.

[62] Lastly, with respect to the doctor’s July 2017 letter to the complainant, the hospital submits that the doctor’s use of the complainant’s personal health information was in line with the usual practice and professional standards for terminating a physician-patient relationship. The doctor supports the hospital’s position, and adds that despite his awareness of the concerns raised by the complainant about the care he had provided to her, he had an obligation, as the complainant’s most responsible physician, to ensure the continuity of her care; this included properly communicating to her that their care relationship had ended.[26] Further, the doctor provided evidence that the hospital explicitly directed that this letter come from him, and not from other another hospital agent. The doctor asserts that the hospital’s direction to him is contrary to any claim that he ought to have known about the complainant’s withdrawal of consent.

[63] The hospital, supported by the doctor, thus submits that the following incidents were uses authorized to be made for health care purposes, either on the basis of assumed implied consent [section 20(2)] or a valid express consent from the complainant [section 20(1)], or without requiring consent under section 37(1)(a):

• That the doctor accessed the complainant’s electronic health record on three specified dates in January, March, and July 2017;[27]
• That the doctor made three specialist and diagnostic referrals in January and February 2017;
• That the hospital continued to copy the doctor on emails in March and April 2017 regarding the complainant’s specialist and diagnostic referrals; and
• That the doctor sent the complainant a letter in July 2017 communicating the cancellation of an upcoming appointment.

[64] These same claims apply to the additional incident I identified above:

• That the doctor sent the complainant’s family doctor a consultation note in March 2017 regarding the status of the complainant’s care.

[65] As noted above, this additional incident includes, as an element, a further disclosure of personal health information by the doctor to the complainant’s family doctor. Both the hospital and the doctor submit that this further disclosure was authorized to be made under PHIPA  for health care purposes. In making this claim, I understand the hospital and the doctor to be relying on consent as the authority for these actions, or on sections of PHIPA  that permit the disclosure of personal health information without consent for health care purposes in some circumstances [section 38(1)(a) or 50(1)(e)].

The uses and disclosure of personal health information for health care purposes were made in violation of the complainant’s express withdrawal of consent and/or her express instruction against these actions

The hospital failed to take reasonable steps to protect personal health information in its custody or control against unauthorized use and disclosure

[66] For the reasons that follow, I find that the uses and disclosure of the complainant’s personal health information for health care purposes were not authorized on the basis of consent, or permitted to be made without consent under PHIPA .

[67] First, I find that the complainant expressly withdrew her consent to the hospital’s sharing her personal health information with the doctor when she met with the hospital’s privacy and risk coordinator in January 2017. At this meeting, the complainant made serious allegations of misconduct against the doctor and asked that the doctor no longer be involved in her health care. In these circumstances, the hospital could no longer assume the complainant’s implied consent to share her personal health information with the doctor for health care purposes. I also reject the hospital’s further claim that the complainant’s request that the hospital honour the doctor’s referrals amounted to an “express consent” to its continued sharing of her personal health information with the doctor for health care purposes. The hospital has not explained how it reconciled this interpretation of her statement with the complainant’s explicit request that the doctor no longer be involved in her health care, nor how this “consent” met the requirements of a valid consent under section 18.

[68] For the same reasons, in the context of the complainant’s serious allegations against the doctor and her explicit request that he no longer be involved in her health care, I find the complainant’s statements amounted to an express instruction against these uses and disclosure for health care purposes without consent. Given this, even if the uses and disclosure had fulfilled the other requirements of sections 37(1)(a) and 38(1)(a) or 50(1)(e) of PHIPA , they would not be permitted to be made without consent under those sections of PHIPA .

[69] I further find that these unauthorized uses and disclosure were the result of the hospital’s failure to recognize and to implement the complainant’s withdrawal of consent and her express instruction against such uses and disclosure.

[70] The hospital says that through this complaint, it has come to understand that the complainant wished to withdraw her consent to the hospital’s sharing of her personal health information with the doctor for health care purposes, and that she intended this withdrawal to take effect from her January 2017 report to the hospital. However, it is the hospital’s position that it reasonably understood the complainant’s statements at that time to mean it had her continued consent to share her information with the doctor for health care purposes, and specifically for the purpose of facilitating the referrals involving the doctor. Based on its understanding, the hospital made no changes to the doctor’s ability to access the complainant’s personal health information at the relevant times. The hospital also acknowledges that it specifically directed the doctor to continue processing the referrals for the complainant, and that its automated system continued to copy the doctor on emails relating to those referrals. In addition, the hospital does not deny that it directed the doctor to communicate with the complainant about the termination of their physician-patient relationship.

[71] The hospital’s actions led the doctor to believe that although the complainant had made serious allegations against him, she did not object to his continued access to her health records for authorized purposes. The hospital says, and I accept, that the doctor acted in accordance with the hospital’s policies governing its agents’ handling of personal health information, which are contained in the hospital’s broader privacy policy (a copy of which the hospital provided to the IPC during the review).

[72] I find the situation before me to be similar to the one considered in PHIPA Decision 144. In that decision, the adjudicator found that the respondent custodian had failed to take reasonable steps to implement a patient’s lock box request and that, as a result, certain agents of the custodian unknowingly used the patient’s personal health information without consent (and without other authority in PHIPA ). Because of this, the agents’ uses of the patient’s information contravened PHIPA . However, the adjudicator concluded that the agents’ unauthorized actions were attributable to systemic failures in the custodian’s information practices, and could not be considered deliberate violations of the patient’s privacy by the agents.

[73] For similar reasons, in this case, I find that although the doctor’s uses and disclosure of the complainant’s personal health information for health care purposes contravened PHIPA , these actions are attributable to the hospital’s interpretation of and direction to him about the complainant’s consent.

[74] In coming to this conclusion, I have considered the complainant’s submissions, made at earlier stages of the complaint process, in which she argues that the doctor was in a conflict of interest and acting contrary to his fiduciary obligations when he continued to access her personal health information after the alleged assault. I found above that the doctor’s uses and disclosure of the complainant’s personal health information for health care purposes were not authorized by PHIPA . However, it is also my finding that these actions were based on the doctor’s understanding from the hospital that the complainant had not expressly withheld or withdrawn her consent to or made an express instruction prohibiting these activities. In fact, the evidence is that the hospital directed the doctor to continue accessing her personal health information for health care purposes.

[75] In response to the complaint, the hospital focuses on the fact the complainant never explicitly asked the hospital to “lock” her records of personal health information. I find it unreasonable for the hospital to expect a patient to know and to employ the specific terminology of PHIPA  in order to make a lock box request. The hospital’s focus on the wording of the request ignores the totality of the circumstances in which the request was made. I also find unreasonable the hospital’s interpretation of the complainant’s statements as an “express consent” to the doctor’s continued access to her personal health information. The hospital appears to have acted on the faulty assumption that the complainant would understand that the most efficient method of processing the referrals would entail the doctor’s continued access to her personal health information. At a minimum, if there were any ambiguity about the complainant’s position, the hospital should have sought clarification from her to address the apparent contradiction (as the hospital understood it) between her wish that the doctor no longer be involved in her health care and her request that the hospital honour the doctor’s referrals.

[76] There is no claim in this case that the hospital could not have implemented the complainant’s withdrawal of consent or her express instructions in an effective manner if it had properly understood the complainant’s wishes at the relevant time. Once it understood the nature of her complaint to the IPC, the hospital placed a consent directive in the complainant’s electronic health record to implement her withdrawal of consent. The hospital also confirmed that the doctor’s access to her health record had in any event been terminated before that date, with the suspension of the doctor’s hospital privileges in July 2017.[28]

[77] Instead, the issues in this complaint arise from the hospital’s failure to have in place an effective practice to clarify, document, and implement a patient’s withholding or withdrawal of consent, or instructions with respect to her personal health information, in situations where the patient does not employ the specific terminology of PHIPA , or the patient’s intention is otherwise not immediately obvious to the hospital.

[78] I noted above that the hospital has an obligation under PHIPA  not to collect, use, or disclose an individual’s personal health information for health care purposes contrary to the individual’s withholding or withdrawal of consent, unless these actions are otherwise authorized under PHIPA . In responding to an individual’s withholding or withdrawal of consent or an express instruction with respect to her personal health information, the hospital must take steps that are reasonable in the circumstances. This includes ensuring that its agents understand and comply with any such limitations on the individual’s personal health information.

[79] During the review, the hospital provided the IPC with a copy of its privacy policy in effect at the time of the incidents at issue. The policy informs hospital agents of their duties once a patient requests “restricted access to their PHI,” through a “consent directive” or “lockbox.” These duties include providing an informational brochure and referring the patient to the hospital’s privacy office. However, the policy does not provide direction to agents about when and how it may be appropriate to proactively inform patients about their rights to withhold or withdraw their consent or to make express instructions with respect to their personal health information. It also fails to address situations like this one, where a patient makes serious allegations against a hospital agent and expressly withdraws consent to the agent’s involvement in her health care, but does not explicitly state that she wishes to “restrict access to PHI,” or employ the terms “consent directive” or “lockbox” in communicating her wishes to the hospital.

[80] In my view, this complaint illustrates one such situation in which the patient’s intentions are clear, and amount to an express withdrawal of consent to (or express instruction against) certain uses and disclosures of her personal health information. The hospital agents who met with the complainant did not understand and did not implement the complainant’s wishes with respect to her personal health information, perhaps in part because she did not employ the specific terminology set out in the hospital’s privacy policy on this topic. Given the nature of the complainant’s concerns, it would have been appropriate in this circumstance for the hospital to actively ascertain the complainant’s wishes with respect to her personal health information vis-à-vis the doctor, and to document those wishes. The hospital’s failure to do so in this case was a violation of its obligations under section 12(1) of PHIPA  to take reasonable steps to protect personal health information in its custody or control against unauthorized uses and disclosures. In fact, this failure resulted in the unauthorized uses and disclosure described above.

[81] During the review, the hospital acknowledged shortcomings in its handling of the complainant’s lock box request, based on its misunderstanding of her wishes with respect to the doctor’s involvement with her personal health information. For instance, the hospital says, had it understood the complainant’s wishes at the time, it could have reconfigured its standard referral process so as to exclude the doctor from the emails on which he was automatically copied as the referring physician. The hospital also reports that its processes for receiving and responding to patient concerns and complaints has evolved since the time of the incidents, and “currently involves robust efforts to communicate with patients about the processes that the hospital may use to address the concerns specified and to proactively identify and mitigate any potential issues.”

[82] It is unclear to me whether this updated process includes a direction to hospital agents that patients do not need to employ particular terminology in order to withhold or withdraw their consent or to make express instructions with respect to their personal health information. To address the circumstances giving rise to this complaint, I will order the hospital to amend its information practices, including its privacy policy and training for its agents, to make this explicit. These updates should include examples in its policy and training of situations where it may be appropriate for hospital agents to proactively inquire about a patient’s intentions with respect to her personal health information. This complaint is one clear example of where this should have been done, and should be done in future.

[83] For all the above reasons, I find that the hospital did not comply with its obligations under PHIPA , including its duty under section 12(1) to take reasonable steps to protect personal health information in its custody or control. In failing to understand, implement, and enforce the complainant’s express withdrawal of consent, the hospital enabled a number of uses and a disclosure of her personal health information in violation of her withdrawal of consent, and in violation of PHIPA .

ORDER:

For the reasons set out above, I make the following order:

1. I order the hospital to amend its information practices, including its privacy policy and its training for agents, to clarify an individual’s rights to withhold or withdraw consent to the collection, use, and disclosure of the individual’s personal health information, and to make express instructions with respect to certain uses and disclosures of her personal health information without consent. This should include clarification to hospital agents that an individual need not always employ specific terminology in PHIPA  to exercise these rights. It should include examples of situations in which it is appropriate for hospital agents to proactively inquire about an individual’s intentions with respect to her personal health information and to facilitate the honouring of such intentions.

Original Signed By:		June 29, 2023
Jenny Ryu
Adjudicator