PHIPA DECISION 239

Complaint PA22-00028

Brant Community Healthcare System

March 8, 2024

Summary: The complainant made a request under the Freedom of Information and Protection of Privacy Act (FIPPA) for clinical records, patient relations records, and quality review records arising from her experience at the Brant Community Healthcare System (the hospital). The hospital identified and released a number of records, but the complainant believed there ought to be more. She filed an appeal under FIPPA in respect of the hospital’s search for records and the completeness of the records released to her. In this decision, the adjudicator finds that the Personal Health Information Protection Act, 2004  (PHIPA ), which also applies the hospital, is the relevant statute governing the issues raised by the complainant. The adjudicator finds that the hospital conducted a reasonable search for records in accordance with its obligations under PHIPA , which are analogous to those applicable to the hospital under FIPPA. As there is no reasonable basis to believe that additional searches would yield responsive records, the adjudicator dismisses the complaint without issuing an order.

Statutes Considered: Personal Health Information Protection Act, 2004,  SO 2004, c 3, Sch A  (as amended), sections 53 and 54.

BACKGROUND:

[1] The complainant, a patient of Brant Community Healthcare System (the hospital), made a complaint to the hospital about the care she received. She later made an access request to the hospital for the following records about her:[1]

• All outside clinical records;
• All patient relations records (including full investigation [named doctor]); and
• All quality reviews.

[1] The records she seeks cover a specified time period over 2020 and 2021.

[2] The hospital issued an initial decision granting full access to a number of records. Its decision was accompanied by an index of records and copies of the records identified by the hospital.

[3] The complainant was not satisfied with the completeness of the records released to her. The hospital and the complainant had further discussions, following which the hospital sent the complainant a letter addendum to its access decision.

[4] In this letter, the hospital responded to certain concerns raised by the complainant. I will address these concerns in detail further below. In summary, the hospital acknowledged that its initial search had failed to identify certain records sought by the complainant, and it provided an explanation for the oversight, as well as copies of those records. The hospital also advised that after the discovery of the additional records, it had directed its information technology department to conduct a “system-wide sweep of all emails,” and it released to the complainant additional records, including emails, located as a result of this sweep.

[5] The complainant remained dissatisfied with the hospital’s searches and the records she received. For example, the complainant asserted that one of the records (a signed consent form) is not the same form she had signed at the hospital. The complainant had other questions for the hospital, to which the hospital responded. The hospital also released additional records.

[6] The complainant was dissatisfied with the hospital’s responses and raised her concerns with the Office of the Information and Privacy Commissioner of Ontario (IPC). As the issues raised by the complainant could not be resolved through mediation, the file proceeded to the adjudication stage of the IPC process. I conducted a review of the matter under PHIPA , during which the parties exchanged representations on the issues in accordance with the IPC’s Code of Procedure for Matters under the Personal Health Information Protection Act, 2004.

[7] In this decision, I find that the relevant statute governing this matter is PHIPA , and that the hospital has conducted a reasonable search in satisfaction of its obligations under that statute. I note these obligations on the hospital under PHIPA  are analogous to those imposed on the hospital under FIPPA, which also applies to the hospital. In the result, I dismiss the complaint without issuing any order.

DISCUSSION:

Preliminary issue regarding the application of PHIPA, or FIPPA, or both

[8] The hospital is both an “institution” within the meaning of FIPPA [2] and a “health information custodian” within the meaning of PHIPA .[3] As a result, in certain circumstances, the hospital is subject to both FIPPA and PHIPA . This means that when the hospital receives a request for access to information, it must decide whether FIPPA, or PHIPA , or both, apply to the request.

[9] This matter proceeded as an appeal to the IPC of decisions issued by the hospital under FIPPA. The hospital appears to have responded to the complainant under FIPPA because the complainant’s initial request for records was made on a hospital form for access requests under FIPPA. After considering the relevant circumstances, including the nature of the request and the records the complainant seeks, I formed the preliminary view that PHIPA  is the applicable statute.

[10] PHIPA  grants an individual a right of access to records of her “personal health information” that are in the custody or under the control of a health information custodian, subject to limited exceptions (PHIPA , Part V). “Personal health information” is defined in PHIPA  to mean certain identifying information about an individual, including, among other things, information relating to the individual’s physical or mental health, and to the providing of health care to the individual.[4]

[11] In PHIPA Decision 17, the IPC adopted a broad interpretation of the phrase “personal health information” as it appears in PHIPA . The IPC has applied this broad interpretation in subsequent decisions and orders.[5] In PHIPA Decision 17, the IPC also noted that it is the substance of the request, and not the form, that is relevant in determining the applicable statute. Here, the fact the complainant submitted her access request to the hospital on a FIPPA form does not determine which statute governs her request.

[12] It was my view that the additional records sought by the complainant would contain identifying information about her relating to her physical or mental health, and to the providing of health care to her, within the meaning of paragraphs (a) and (b) of the definition of personal health information at section 4(1)  of PHIPA . They would also be likely to contain additional identifying information about her that may not fall within the enumerated categories in section 4(1), but that nonetheless qualifies as her personal health information because of the context in which the information appears.[6] I thus shared with the parties my preliminary view that the applicable statute for assessing the reasonableness of the hospital’s search is PHIPA , not FIPPA.

[13] The hospital did not dispute my preliminary view. The complainant expressed a concern that proceeding under PHIPA  could limit her rights in respect of the records at issue. As I will describe in more detail below, the relevant obligations on the hospital in this matter are similar under both statutes.

[14] I confirm here that the applicable statute governing this matter is PHIPA . The remaining issue before me is the reasonableness of the hospital’s search for records. Under the next heading, I will explain why I find the hospital has fulfilled its obligations to conduct a reasonable search under PHIPA .

Did the hospital conduct a reasonable search for records responsive to the complainant’s request?

[15] The IPC has addressed the issue of reasonable search under both PHIPA and FIPPA. In particular, in PHIPA Decisions 17 and 18, the IPC observed that the principles established in reasonable search orders issued under FIPPA and its municipal counterpart[7] provide guidance in determining whether a health information custodian has conducted a reasonable search under PHIPA .

[16] In either case, if the IPC is satisfied that the search carried out was reasonable in the circumstances, it will uphold the decision. If it is not satisfied, it may order further searches.

[17] In this case, the complainant claims that additional records exist beyond those identified by the hospital. The issue to be decided, therefore, is whether the hospital conducted a reasonable search for records under the applicable statute. Neither section 53 of PHIPA  nor section 24 of FIPPA requires the hospital to prove with absolute certainty that further records do not exist. However, the hospital must provide sufficient evidence to show that it has made a reasonable effort to identify and locate responsive records in its custody or under its control.[8] To be responsive, a record must be "reasonably related" to the request.[9] A reasonable search is one in which an experienced employee knowledgeable in the subject matter of the request expends a reasonable effort to locate records that are reasonably related to the request.[10]

[18] This complaint proceeded to the adjudication stage after the parties failed to reach a resolution on three broad areas of concern raised by the complainant. I will address each of these in turn.

Concerns about the hospital’s search for emails and related records

[19] At the conclusion of the mediation stage, the complainant remained dissatisfied with the hospital’s search for email records. She says the hospital’s identification of additional records after conducting additional searches is evidence of deficiencies in the hospital’s searches. She also asserts that some email records she received are incomplete (i.e., are missing some parts of email chains).

[20] During the mediation stage of the IPC process, and again in its representations made at the review stage, the hospital provided an explanation for its discovery of additional records after its initial search failed to yield them.

[21] The hospital states that after the complainant identified several records that it ought to have located (but did not locate) during its initial search, the hospital learned that its patient relations database had been upgraded in early 2021. Hospital staff had failed to search the retired database for responsive records that may have been archived. Following a search of the retired database, hospital staff located additional documents and emails, which it released to the complainant.

[22] After the discovery of these additional records, the hospital directed its IT department to conduct a “full sweep” of all hospital databases and network folders. The hospital explains that while this is not a standard search procedure, the hospital felt it was warranted in this case. The sweep entailed a search of the hospital’s server for all documents containing the following key words:

• The complainant’s full name and the term “complaint”;
• The complainant’s name in the Chief of Staff’s emails;
• The complainant’s name in records of the patient relations department;
• The complainant’s name in the named doctor’s emails; and
• The doctor’s name and/or email address in the Chief of Staff’s emails. (The hospital explained that this last search was conducted to locate any emails between the doctor and the Chief of Staff that may not have contained the complainant’s name but that may have addressed her complaint.)

[23] This “system-wide sweep” produced additional records. The hospital explained that many of the records contain the same email thread, with new comments or responses. The hospital provided these records to the complainant.

[24] In addition, after the complainant noted that she had been a recipient on some emails from the hospital containing the term “[complainant’s initials] Case File,” the hospital conducted another sweep of its system using that search term. The hospital located emails using this search term, but notes that these emails post-date the complainant’s access request (and are therefore not within the scope of the request). The hospital nonetheless provided these additional emails to the complainant.

[25] In its representations made during the review stage, the hospital also provided evidence to show that the hospital maintains records dating from 2007, and has not destroyed any records that would be responsive to the complainant’s access request. This evidence comes in the form of emails from the hospital’s patient relations database manager, confirming relevant dates around the database upgrade, and identifying that only one responsive record was located in the archived database.

[26] In response to the hospital’s evidence, the complainant says the emails from the database manager do not identify her by her full name, so questions how the database manager would have known to search for records about her.

[27] The evidence from the database manager was provided to support the hospital’s assertion that no responsive records have been destroyed, and that its searches covered records after 2007. (As noted above, the complainant’s access request covers a specified period over 2020 and 2021.) I accept the hospital’s evidence that responsive records would not have been destroyed, and in this regard I do not find relevant the complainant’s observation that this evidence does not refer to her by her full name.

[28] The complainant also submits that the search criteria applied by the hospital was too limiting. For instance, she says that combining her name with other search criteria was too restrictive. She also notes again that she was the recipient of a hospital email in which she is not referred to by name, but rather by her initials and the term “case file;” she alleges that the hospital deliberately failed to search using her initials with that term.

[29] These claims have been answered by the hospital, which provided a list of the search terms used and the types of records searched. These searches included searches of the complainant’s name only and were not limited to searches of her name in connection with other terms. In addition, the hospital conducted a search using the complainant’s initials and the term “case file” after this phrasing was brought to its attention.

[30] The hospital also searched records exchanged between relevant parties who may have responsive records (namely, the doctor and the Chief of Staff), without limiting this search to records identifying the complainant by name. I find that the locations searched by the hospital (e.g., records of the patient relations department) are those where responsive records could reasonably be expected to exist. I thus find no merit in the complainant’s arguments about deficiencies in the hospital’s searches because of the search terms used or locations searched.

[31] Beyond these arguments, the complainant raises other concerns that are not directly relevant to the issue before me, which is the reasonableness of the hospital’s search for responsive records. It is thus unnecessary to canvass them here.

[32] I am satisfied from the evidence before me that the hospital clarified with the complainant the scope of her access request, and conducted searches based on a reasonable understanding of her request. I am also satisfied that these searches reflect reasonable efforts expended by relevant hospital staff to address the access request. When the complainant identified records missing from the hospital’s initial search, the hospital responded by conducting further searches, including the full IT sweep described above. These were reasonable steps in the circumstances to identify and locate records reasonably related to the complainant’s request. In fact, these further searches resulted in the identification of additional records, which the hospital provided to the complainant.

[33] I have considered the complainant’s submissions and I am not persuaded they establish deficiencies in the hospital’s most recent searches that ought to be remedied by an order for further searches. As I am satisfied the hospital has demonstrated reasonable efforts to identify and locate responsive records, I uphold its search.

Concerns about the health care complaint form and the consent form released to the complainant

[34] The complainant also raised specific concerns about two records she received from the hospital following its searches: a complaint form documenting her original health care complaint to the hospital; and a consent form documenting her consent to a health care procedure she underwent at the hospital. In the context of her complaint to the IPC, I understand these concerns to form a basis for her belief that further records exist.

[35] The health care complaint form was completed by a member of the hospital’s patient relations department, and documents the staff member’s telephone conversation with the complainant. The complainant asserts that the copy of the complaint form she received from the hospital (in response to her access request) does not reflect the level of detail she provided in that conversation. She also asserts that there ought to exist additional records relating to the investigation of her health care complaint, given its seriousness and the assurances she received from the staff member that her complaint would be thoroughly documented and investigated.

[36] The hospital maintains that it provided the complainant with a copy of the complaint form completed by the staff member, and that there are no further records beyond those already released to the complainant. The hospital explains that the complaint form is not a verbatim record of the telephone conversation between the staff member and the complainant.

[37] With respect to the consent form, the complainant maintains that the consent form she received from the hospital in response to her access request is not the same form she was presented with at the hospital on the day of her health care procedure. She says that the form she received from the hospital includes matters that did not appear on the consent form she actually signed, and that her signature on the form she received appears, to her, to have been fraudulently copied over from an entirely different document.

[38] The hospital states that consent forms are scanned, and that only these scanned electronic copies are maintained. The original (i.e., paper) consent forms are kept offsite for three months, then destroyed. The hospital states that while the complainant’s original consent form has accordingly been destroyed, the electronic copy she received is a true copy of the consent form she signed, and has not been altered.

[39] The complainant is not satisfied with this explanation, and questions whether the offsite location retained the original consent form for a longer period and permitted access to it.

[40] I have considered the complainant’s submissions, and I am not satisfied they establish a reasonable basis to believe the specific records she describes must exist. I understand the complainant to be challenging the authenticity of the complaint form and the consent form she received from the hospital, based on her expectations and recollection of their content. However, I find reasonable the hospital’s explanations for any differences between the complainant’s expectations and the contents of the records she received. I see no reasonable basis to believe that an order for further searches would yield the specific records she seeks, and I accordingly decline to make such an order.

Concerns about severances to the doctor’s letter released to the complainant

[41] Lastly, the complainant alleges that there have been unacknowledged severances to a record she received, which is a letter written by the doctor named in her access request. In the context of her complaint to the IPC, I understand these concerns to form a basis for her belief that further records exist.

[42] The complainant’s evidence is that the entry in the hospital’s index of records corresponding to this letter does not specify “No Redactions Applied” (unlike entries for some other records). She also refers to an email she received in which the doctor states (in reference to a draft version of the letter): “I’ve deleted the bit about her subsequent visits with me.” In the complainant’s view, this statement indicates that the hospital deleted (i.e., applied severances to) the version of the letter she received in response her access request. She further asserts that the hospital failed to provide her with the final version of this letter, and other draft versions of the letter.

[43] During the mediation stage, the hospital explained that the reference in the email to a deletion in the doctor’s letter is a reference to the doctor’s editing process for the letter, and not to any severances applied by the hospital to the record the hospital located and released to the complainant in response to her access request. The hospital asserts that it did not withhold any portion of this letter (or of any of the records it released to the complainant) in response to her access request.

[44] Regarding draft versions of the letter, I do not understand it to be in dispute that the hospital conducted additional searches during the IPC process, and released to the complainant two draft versions of the letter that it located through these searches. At that time, the hospital explained that it had not previously released these versions to the complainant because it had mistakenly believed them to be identical to the version of the letter it had already released to her.

[45] The hospital did not locate a final version of the doctor’s letter in its record- holdings, including in its patient relations and risk departments. The hospital followed up with the doctor, who says he does not have a copy of the final version of the letter in his own record-holdings.[11]

[46] The complainant did not directly address this aspect of her complaint during the review, but I understand her to be relying on arguments made at earlier stages of the IPC process. I have thus considered her previous statements in support of a claim that there must exist additional records (namely, a more complete—i.e., unsevered—copy of the doctor’s letter, as well as additional versions of that letter) that the hospital has not identified and located through its various searches to date.

[47] I am not persuaded that the complainant’s arguments establish a reasonable basis to believe that the additional records she describes exist.

[48] I find credible the hospital’s explanation for the reference (in an email) to a deletion to the doctor’s letter. In the face of the hospital’s explicit denial that it has made any severances to the letter at issue, I see no reasonable basis for the complainant’s proposed interpretation of the email and of the entry in the hospital’s index of records. On the latter point, I note that the hospital’s index does not consistently specify “No Redactions Applied” for each of the listed records, despite the hospital’s having clearly asserted throughout this process that it has not applied any severances to any records released to the complainant.

[49] Lastly, in my correspondence to the parties, I observed that the hospital suggested that the complainant make an access request under PHIPA  directly to the doctor for any responsive records that may be in the doctor’s own record-holdings. I noted, however, that the hospital remains responsible under PHIPA  for any responsive records the doctor may hold in his capacity as an “agent” of the hospital within the meaning of PHIPA . This distinction is relevant because the hospital (the respondent in this matter) is not responsible under PHIPA  to search records in the custody or under the control of the doctor as a health information custodian in his own right—for example, records held by the doctor as a private practice physician, independent of his hospital duties.[12] I asked the hospital to provide in its representations details of its searches in respect of responsive records held by the doctor as a hospital agent.

[50] The hospital confirmed that it had taken into account in its searches relevant records of the doctor in his capacity as a hospital agent. This is consistent with the searches reported by the hospital, which include searches of the doctor’s emails (within the hospital’s email system) and searches of emails exchanged between the doctor and the hospital’s Chief of Staff (within the hospital’s email system). Based on this evidence, I am satisfied the hospital conducted appropriate searches of its record-holdings for responsive records, including those of the doctor in his capacity as an agent of the hospital. I see no fault in the hospital’s suggestion that the complainant follow up directly with the doctor to seek any records of interest to her that may be contained in the doctor’s own record-holdings, in his separate capacity as a health information custodian.

[51] I wish to acknowledge here the complainant’s concerns relating to the separate health care complaint she filed with the hospital about her experience as a patient of the hospital. These include an allegation that certain records she seeks do not exist because hospital staff intentionally failed to create them. To the extent these allegations relate to the issues before me under PHIPA , I have considered them in arriving at my decision. Allegations about the quality of care the complainant received at the hospital are not for determination by the IPC, and I have not addressed them here.

NO ORDER:

For the foregoing reasons, I find the hospital has conducted a reasonable search in satisfaction of its obligations under PHIPA . I dismiss the complaint.

Original Signed by:		March 8, 2024
Jenny Ryu
Adjudicator