PHIPA DECISION 263

File HR20-00459

A community health centre

October 31, 2024

Summary: This matter arises from a community health centre’s report to the IPC about the publication of a magazine article describing the experiences of an unnamed child involved in the child welfare system. The centre identified the child as a recipient of its services, and the article’s author as the partner of a centre employee who provided health care services to the child. The centre asserts that through her involvement in the article, the employee breached the child’s privacy, in violation of the Personal Health Information Protection Act, 2004  (PHIPA ).

In this decision, the adjudicator finds that the employee breached PHIPA  through the improper use of the child’s personal health information in the custody or control of the centre, for purposes unrelated to her duties as an agent of the centre. The resulting magazine article does not contain identifying information of the child that qualifies as “personal health information” within the meaning of PHIPA ; as a result, its publication was not a disclosure of personal health information to the broader public. In the circumstances, which include the employee’s departure from the centre, the adjudicator declines to make any orders. However, she recommends some changes to the centre’s information practices to address some gaps, including around its agents’ publication of client information.

Statutes Considered: Personal Health Information Protection Act, 2004 , SO 2004, c 3, Sch A, sections 2  (definitions), 3(1), 4, 10, 12(1), 17, 29, 37, and 58(1).

Decisions Considered: PHIPA Decisions 17 and 82; Orders MO-2337 and PO-2892.

OVERVIEW:

[1] This decision concerns the publication of a magazine article that is critical of the child welfare system. To highlight problems in the system, the article refers anecdotally to the experiences of a child involved in the system, as relayed by an unnamed person who provided health care services to the child. The article contains general details about the child and the child’s home life, including the child’s approximate and developmental ages, the involvement of a children’s aid society in the child’s life, and the child’s family situation. The article does not name the child or provide specific details about the child’s ethnicity, diagnoses, or particular services the child receives.

[2] The article came to the attention of a non-profit centre that serves clients with certain needs.[1] The article does not refer to the centre at all. However, the centre says that the unnamed child is a client to whom it provides health care services, and that the person described in the article was its employee. The author of the article is the partner of the employee. Based on these connections, the centre believes that publication of the article was a breach of the Personal Health Information Protection Act, 2004 (PHIPA) by the employee.

[3] The centre reported its concerns to the Office of the Information and Privacy Commissioner of Ontario (IPC), which opened the present file to address the matter. After gathering some information from the centre, the employee, and the article’s author, the IPC decided to conduct a review of this matter under section 58(1) of PHIPA. Section 58(1) permits the IPC to conduct a review of any matter, on its own initiative, where it has reasonable grounds to believe that a person has contravened or is about to contravene a provision of PHIPA or its regulations.

[4] During the review, the IPC sought and received representations from the parties on a number of issues, including whether the article contains “personal health information” within the meaning of that term in PHIPA, and whether the centre has in place reasonable measures to protect personal health information in its custody or control. In addition to their representations on the issues, the employee and the author raised various concerns that are outside the scope of this review and the powers of the IPC to remedy.[2] While I have considered the parties’ representations in their entirety, I set out below only those submissions that are relevant to my determinations under PHIPA.

[5] In the discussion that follows, I explain why I find the magazine article in question does not contain “personal health information” within the meaning of PHIPA; as a result, its publication was not a disclosure of personal health information to the general public. However, in sharing the child’s information with her partner for the purposes of the article, the employee improperly used personal health information to which she was privy in her role as an agent of the centre. While I decline to issue any orders in the circumstances, I recommend some improvements to the centre’s information practices to clarify its agents’ obligations to protect the confidentiality of personal health information, and its expectations around any publication of client information.

DISCUSSION:

[6] One of the purposes of PHIPA is to protect the confidentiality of personal health information and the privacy of the individuals to whom that information relates, while facilitating the effective provision of health care. One of the ways in which PHIPA achieves this purpose is by establishing rules for the collection, use, and disclosure of personal health information by health information custodians and their agents.

[7] “Personal health information,” “health information custodian,” and “agent” are defined terms in PHIPA. As a preliminary matter, there is no dispute that the centre is a health information custodian and that, at the relevant times, the employee was an agent of the centre within the meaning of those terms in PHIPA.[3],[4]

[8] As I will discuss in detail under the next heading, “personal health information” is defined in PHIPA to mean identifying information about an individual that relates to certain health-related topics, including an individual’s physical or mental health, or the providing of health care to the individual. The employee does not deny that her intimate knowledge of the child’s case came through her role as a provider of health care to the child as an employee of the centre. The child’s information in this context is personal health information in the custody or control of the centre, to which the employee had access in her role as an agent. Later in this decision, I will explain why I find the employee’s use of the child’s personal health information for the purposes of the article breached PHIPA.

[9] First, I will address the main issue of whether the child’s information in the context of the magazine article is “personal health information” within the meaning of PHIPA, so that its dissemination through publication of the article was an unauthorized “disclosure” of that information, as the centre alleges.[5]

Does the magazine article contain “personal health information” within the meaning of PHIPA?

[10] “Personal health information” is defined in section 4 of PHIPA, which reads, in part:[6]

(1) “personal health information”, subject to subsections (3) and (4), means identifying information about an individual in oral or recorded form, if the information,

(a) relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family,

(b) relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual,

(c) Repealed: 2020, c. 13, Sched. 3, s. 8 (7).

(c.1) is a plan that sets out the home and community care services for the individual to be provided by a health service provider or Ontario Health Team pursuant to funding under section 21 of the Connecting Care Act, 2019,

(d) relates to payments or eligibility for health care, or eligibility for coverage for health care, in respect of the individual,

(e) relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such body part or bodily substance,

(f) is the individual’s health number, or

(g) identifies an individual’s substitute decision-maker.

(2) In this section,

“identifying information” means information that identifies an individual or for which it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify an individual.

(3) Personal health information includes identifying information that is not personal health information described in subsection (1) but that is contained in a record that contains personal health information described in that subsection.

[11] As the opening words of section 4(1) make clear, only “identifying information” about an individual can be personal health information. Section 4(2) defines identifying information to mean information that itself identifies an individual (for example, the individual’s name), or information in respect of which it is “reasonably foreseeable in the circumstances” that an individual could be identified.

[12] In PHIPA Decision 82, the IPC considered the definition of identifying information in section 4(2). That decision concerned a family’s allegations that a hospital had improperly disclosed the personal health information of their family member (a patient of the hospital) when hospital officials made statements to the media about the care the patient had received at the hospital. There was no dispute that the type of information contained in the statements (e.g., about the patient’s health and the health care the patient had received) would qualify as personal health information if the patient could be identified from the statements. Thus, a threshold issue in PHIPA Decision 82 was whether the media statements contained “identifying information” about the patient, including where those statements did not identify the patient by name and consisted only of details that were already publicly available in a published tribunal decision concerning the patient’s case.

[13] On the question of whether it was reasonably foreseeable that the patient could be identified from the media statements at issue, the IPC explained that the test is whether a member of the public without special knowledge could reasonably be expected to identify the unnamed patient by combining the information at issue with other available information. As the IPC explained:

… the test is not whether someone with special knowledge could identify the patient. Clearly, the family members of the patient could readily identify the patient discussed in the news reports, because of their knowledge of the circumstances. Rather, the test is whether it is reasonably foreseeable, in the circumstances, that others without that special knowledge could identify the patient by combining the information provided by the hospital with other available information.[7]

[14] In the circumstances of that case, the IPC found it reasonably foreseeable that the patient could be identified through the combination of the media statements at issue and other available information, which included the public tribunal decision and a publicly available death notice. (And, in fact, in that case, such identification by a third party had actually occurred.[8]) In those circumstances, the IPC found that though the media statements did not identify the patient by name (and, in most instances, did not reveal more information than what was already publicly available), they nonetheless qualified as the patient’s personal health information. This finding turned on the IPC’s conclusion, based on the facts at hand, that although the statements did not name the patient, they were about a person whom members of the public could reasonably identify.[9]

[15] The test set out in PHIPA Decision 82 for assessing the identifiability of information under PHIPA is consistent with the IPC’s approach to assessing the analogous question under the Freedom of Information and Protection of Privacy Act (FIPPA) and the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), the access and privacy statutes governing public sector institutions in Ontario. “Personal information” is defined in those statutes to mean recorded information about an “identifiable individual.” Information is about an “identifiable individual” if it is reasonable to expect that an individual can be identified, either from the information by itself, or from the information combined with other information.[10] A number of IPC orders under FIPPA and MFIPPA have considered the question of identifiability where there are claims that the information at issue in an appeal is personal information (i.e., is information about an “identifiable individual”) when combined with other information in the public realm.

[16] In these orders, the IPC has recognized that persons with special connections to a situation may be able to identify an unnamed individual whose information is contained in records at issue. The IPC has found, however, that the special knowledge of those persons cannot be said to exist generally in the public realm. The test for identifiability is not whether persons with special connections to a situation—for example, the coworkers or relatives of the individual—could make the identification.[11] Instead, the test is whether a person without special knowledge—i.e., a member of the general public—could reasonably be expected to identify the individual from the information at issue, either alone or in combination with other information generally available in the public realm. Furthermore, it is not sufficient for a party to assert that there is information in the public realm that could lead to the identification of an individual—there must be evidence to support such a claim.[12] In every case, the assessment must be made on the facts at hand.

[17] The magazine article at issue in this matter describes an unnamed child’s experiences in the child welfare system, including the involvement of a children’s aid society and general details about the child’s physical and developmental health. I do not understand it to be in dispute that this type of information would qualify as personal health information, under one or more paragraphs of section 4(1), if it is “identifying information” within the meaning of section 4(2).

[18] In deciding whether the information in the article is “identifying information,” I apply the test set out in PHIPA Decision 82, with which I agree (and which has been applied in later decisions),[13] and the reasoning followed in IPC orders under FIPPA and MFIPPA. Information about an unnamed individual is “identifying information” if it is reasonably foreseeable in the circumstances that members of the public without special knowledge could identify the individual, either through the information alone or by combining the information at issue with other information.

[19] Applying these well-established principles to the facts at hand, I find that the magazine article at issue does not contain “identifying information” of the child within the meaning of PHIPA.

[20] In arriving at this conclusion, I have considered the centre’s arguments made in support of an opposite finding. First, the centre observes that the article refers to a family member of the child, and notes that the identity of an individual’s substitute decision- maker qualifies as the individual’s personal health information under PHIPA.[14] While this is true, the centre does not explain how the family member (who, like the child, is not named in the article) could be identified from the article, and how the child, in turn, could reasonably be expected to be identified from this information.

[21] The centre next lists several categories of persons who, it says, “could read the author’s article and ‘connect the dots’ to reasonable foreseeability given the details provided.” According to the centre, these are:

• persons who know that the employee and author are partners, and who might assume the article is based on the views of the employee;
• clients of the centre or their substitute decision-makers, or other members of the public “who may know something about the case,” and any third parties with whom those persons may have shared that information; and
• current or past staff of the centre with knowledge of the child’s case.

[22] On the first category of persons (those “who know the employee and author are partners”), the centre says:

It could easily be assumed that this article is based on the views of [the employee]; if so, at the material time, this serves to identify [the centre], where she worked. We believe it to be more than theoretical that as all of these elements are combined, the possibility of identifying the family and the child become[s] more likely.

[23] I understand the centre to be proposing that persons who know the author’s relationship to the employee could deduce that the child described in the article received services from the employee at the centre, and from this could reasonably be expected to identify the child’s family and thus the child.

[24] Information that relates to the providing of health care to an individual (including the identification of a provider of health care to the individual) is personal health information[15] if that information is identifying information within the meaning of section 4(2). The centre does not explain how a person who deduces that the employee and/or the centre provided services to the child could reasonably be expected to identify the child from this information, and I see no reasonable basis to reach this conclusion.

[25] The second and third categories of persons described by the centre are persons who have specific relationships to the child, or who otherwise “may know something about the case.” The centre reports that an unspecified number of its staff and a parent of the child were in fact able to identify the child from the article. The other categories of persons listed by the centre (e.g., other clients, their substitute decision-makers, and members of the public who know something about the child’s case) seem to be hypothetical examples. The centre does not report any other actual instances of the child’s being identified, and the IPC has not to my knowledge received any privacy complaints relating to this matter.

[26] I am not persuaded that any actual or potential identification of the child in the examples cited by the centre establishes the reasonable foreseeability of identification contemplated by section 4(2). The categories of persons described by the centre are those who would have special knowledge of the child’s case. For these persons, any identification of the child would flow from their familiarity with the situation described in the article.[16] This does not establish that a member of the public without this special knowledge could reasonably be expected to make the same identification.

[27] I recognize that the centre devotes a significant portion of its representations to arguing that the test for identifiability in PHIPA Decision 82 should not apply in this case. I am not persuaded by these arguments, as I explain below.

[28] First, the centre proposes that the facts in PHIPA Decision 82 are distinguishable from the facts at hand, so that its interpretation of section 4(2) is inapplicable here. The centre says that PHIPA Decision 82 involved a hospital that made media statements about a case that was already in the public domain, while the present case involves an employee who violated her confidentiality agreement with the centre in sharing client information with her partner. I do not agree that these factual differences are a basis for applying a different test for assessing the identifiability of information under PHIPA.

[29] More generally, the centre says that applying a definition of “identifying information” that excludes the special knowledge of persons close to an individual could inappropriately dilute the rights of individuals and could lead to results that are undesirable and contrary to the spirit of PHIPA. The centre expresses concern for clients who may experience shock and surprise on seeing information about themselves published without their consent in a magazine. I agree with the centre that the employee’s unilateral decision to use the child’s information for the purposes of the article raises concerns under PHIPA. (I will address these under the next heading.) However, this is distinct from the issue I am considering under this heading, which is whether the magazine article contains personal health information within the meaning of PHIPA. On this key issue, the approach to identifiability set out in PHIPA Decision 82 is the applicable test.

[30] The centre also worries that publication of client information in this manner could enable a person with some—but not full—knowledge of a client’s situation to learn more about the client than the person already knows or has a right to know. Such a situation should be assessed on its own facts. In this case, the centre has not identified any specific details in the article that would not already be within the knowledge of those persons who are able to identify the child based on their connections to the child. In these circumstances, I decline to consider hypothetical issues raised by such a scenario.[17]

[31] Lastly on this topic, the centre proposes that the IPC’s interpretation of section 4(2) is inconsistent with the health sector’s treatment of identifying information in other contexts. It provides a number of examples that I do not find to be relevant in the circumstances, as I explain.

[32] The centre says that when health information custodians draft legal agreements, they generally make a distinction between “personal health information” and other “confidential information.” The centre says this is because information that would otherwise be considered confidential can lose that status in certain circumstances, such as when it is in the public domain. It says the special treatment of personal health information in custodians’ contracts demonstrates that custodians intend to maintain the confidentiality of personal health information, even when it is placed in the public domain.

[33] This example does not support the centre’s argument for a broader reading of the test in section 4(2). The question before me is whether the magazine article contains personal health information, not whether personal health information loses that designation (and protections under PHIPA) if it is made public. I note again that the IPC has explicitly said that the availability of information in the public domain does not preclude a finding that the information is personal health information subject to PHIPA.[18]

[34] The centre next cites the example of a clinical research agreement. The centre says that when a clinical researcher seeks informed consent from a prospective research participant, it is standard to state that unless there is express consent, the participant’s information will not be used or disclosed in presentations or publications in a manner that would identify the individual. The centre says that in this context clinical researchers do not apply a test of whether the participant’s identity would be known to a third party who has some knowledge of the participant.

[35] The test that clinical researchers may apply in assessing their compliance with a clinical research agreement and/or with PHIPA does not bear on my determination of whether the magazine article at issue in this review contains identifying information within the meaning of section 4(2). I find this example irrelevant.

[36] Next, the centre describes some scenarios in which it says a health information custodian should not disclose information about an individual without that individual’s express consent. Its examples are the following: where a reporter asks a custodian for a media statement about a particular patient’s case; and where a media crew asks to attend and to audio-record a custodian’s session with a client, with no names revealed, for the purpose of a documentary. The centre says that if the test of identifiability from PHIPA Decision 82 were applied to these situations, no consent would be needed, and that this would be inconsistent with PHIPA.

[37] Whether a given media statement or audio recording contains identifying information about an individual is a question to be addressed on the particular facts. I make no findings on the hypothetical scenarios described by the centre. I note, however, that to the extent the first scenario is based on the facts in PHIPA Decision 82, the IPC explicitly found in that decision that certain media statements contained a patient’s personal health information, so were subject to the privacy protections in PHIPA, including its rules governing any disclosure of that information.[19]

[38] Lastly, the centre refers to section 37(1) of PHIPA, which sets out particular circumstances in which a health information custodian may use personal health information without consent. The centre notes that an agent’s use of personal health information under section 37(1) is subject to the authority and approval of the custodian. I will briefly consider the relevance of this section under the next heading, when I consider whether the employee’s actions otherwise breached PHIPA. It has no relevance to the centre’s arguments about the test for identifiability under section 4(2).

[39] Having considered and rejected the centre’s various arguments for departing from the test set out in PHIPA Decision 82, I apply it to the facts before me. The test is whether it is reasonably foreseeable in the circumstances that a member of the public without special knowledge could identify the child, either from the article alone, or from the article in combination with other information.

[40] On this question, the centre makes only vague and speculative assertions about the reasonable foreseeability of identification. For example, the centre says it is “not providing details here about a special database that [the centre] can point to from which someone may link information about this child [substitute decision-maker] to what was published.” I cannot ascertain from this statement whether and where such a database exists, nor how it could be combined with the information in the article to transform the latter into identifying information about the child. I have no other evidence before me of sources of “other information” in the public domain that could combine with the information in the article to give rise to a reasonable foreseeability of identification.

[41] I conclude that the information in the article is not “identifying information” of the child. This means the article does not contain personal health information within the meaning of PHIPA, and its publication was not a disclosure of personal health information to the general public.

Did the employee’s sharing of the child’s information otherwise breach PHIPA?

[42] I found above that the information in the published article is not identifying information of the child. In the context of the article, the child’s information is not personal health information subject to PHIPA.

[43] It is not in dispute, however, that this information came to the author from the employee, who had access to identifying information about the child relating to the child’s health and to the providing of health care to the child, among other matters, in her role as an agent of the centre. The child’s information in this context is personal health information in the custody or control of the centre, and its collection, use, and disclosure are governed by the protections in PHIPA.

[44] The employee says that in sharing information with the author for the purposes of the article, she maintained the anonymity of the child. She asserts that the level of detail she gave the author is the same as (or less than) what she would have shared at a conference were she presenting the child’s situation as a case study. While acknowledging that it does not apply directly to this situation, she cites in support of her actions a guidance document issued by the centre on case presentations by agents who are clinicians. Both the author and the employee also refer more broadly to the public interest aims of the article.

[45] I understand the employee to be proposing that her actions complied with PHIPA because she did not give the author enough detail to make the child identifiable to him. It is not possible for me to say with certainty what information she gave the author. However, even if I accept her account about the level of detail she gave him, this would not alter my view that the employee’s actions in facilitating the article involved violations of PHIPA.

[46] At a minimum, the employee used[20] personal health information to which she was privy in her role as an agent for her own purposes, and not for the custodian’s purposes, without authority under PHIPA. There is no credible claim that her use of the child’s personal health information for these purposes was done with the appropriate consent, or was permitted or required to be done without consent under PHIPA.[21] To the extent the employee proposes that this use served a broader societal or public interest function, I agree with the centre’s observation that there is no applicable provision in PHIPA for journalistic or public interest use of personal health information. I also agree with the centre that section 37(1)(e) of PHIPA (which contemplates the use of personal health information “for educating agents to provide health care”)[22] does not apply in the circumstances. There is no persuasive argument that publication of the article in a general interest magazine serves this purpose, and the centre makes clear that this use by the employee was done without its knowledge or authorization.

[47] The centre explains that the employee’s actions violated the terms of the confidentiality agreement she signed upon employment with the centre, its privacy training for its agents, and its related policies and procedures concerning the safeguarding of confidential centre information, including personal health information. During the review, the centre provided the IPC with copies of relevant materials, including the guidance to agents on clinical case presentations that the employee had cited in her representations. Among other things, these materials require agents to treat as confidential “all [centre] information that is not in the public domain,” and prohibit its agents from using or disclosing any information (including personal health information) obtained in the course of their employment duties, except as required to perform those duties and as authorized by the centre.

[48] All these materials form part of the centre’s information practices, which are a custodian’s policy for actions in relation to personal health information, including its administrative, technical, and physical safeguards and practices with respect to that information.[23] PHIPA requires custodians to have in place and to comply with information practices,[24] and to take reasonable steps to ensure their agents are aware of and understand the obligations under PHIPA and their information practices.[25] Custodians may also impose conditions or restrictions on their agents’ handling of personal health information on the custodians’ behalf.[26] I agree with the centre that the employee’s actions contravened its information practices as reflected in the confidentiality agreement and its privacy guidance to agents on their handling of personal health information. These contraventions of the centre’s information practices are also contraventions of PHIPA.[27]

[49] The employee is no longer employed by the centre. The centre has informed the child’s parent of the article, and of the family’s right to complain to the IPC. The centre and the employee have also addressed in separate proceedings other employment- related issues arising from these same events.

[50] Having regard to all the circumstances, and in view of the guidance given in this decision, I find it unnecessary to issue any orders under PHIPA. However, to help its agents comply with PHIPA, I recommend that the centre amend its information practices in two main respects.

[51] First, the centre should clarify for its agents that the privacy protections in PHIPA do not cease to apply to personal health information in the public domain. For example, the statement in the confidentiality agreement requiring agents to treat as confidential information “that is not in the public domain” could foster the mistaken impression that agents do not need to comply with PHIPA in respect of personal health information that is publicly available. The centre should correct this statement in its confidentiality agreement with its agents, and any similar statements appearing elsewhere.

[52] Second, I recommend that the centre revisit its guidance to agents on any publication of client information, including its document on case presentations covering clinical presentations, publications, and other instances in which agents who are clinicians share client information with other professionals. The current guidance on case presentations urges agents to seek client consent where feasible, or to use “composite cases” to reduce the likelihood of identifiability of a given client. (The guidance says that a composite case is “a description of the client that does not provide any unique identifiers.”)

[53] While the guidance requires agents who have sought client consent to show the presentation or publication to the client, there is no similar requirement for agents to show the material to the centre. In addition, there is no requirement for agents to show the centre any presentation or publication based on composite cases.

[54] It would in my view be a prudent practice to require any agent who decides to develop a presentation or publication based on client information (i.e., and in this way to use client personal health information) to seek the centre’s express authorization before such use, and its approval of any material produced from this use. (It would also be prudent to require agents to document any client consent to the use and disclosure of their personal health information for these purposes.) Notice of an agent’s intention to publicize a client’s case, along with an opportunity to vet the material in advance, could better ensure the agent’s compliance with PHIPA and with the centre’s information practices, and allow the centre to address any concerns it may have before the material is widely released publicly (and possibly irretrievably). Some of the issues raised by this case might have been better managed had the employee been required to give the centre notice of her intended use of the child’s personal health information, and an opportunity to approve or disapprove the proposed use and any publication derived from that use.

[55] With these recommendations, I conclude the review.

NO ORDER:

For the foregoing reasons, I decline to make any orders under PHIPA.

However, pursuant to section 61(1)(i) of PHIPA, I recommend that the centre amend its information practices to help its agents better understand their obligations to maintain the confidentiality of personal health information in the public domain, and to provide clearer guidance around its agents’ publication of client information.

 

Original Signed by:		October 31, 2024
Jenny Ryu
Adjudicator