PHIPA DECISION 281

Complaint HC21-00117

Sunnybrook Health Sciences Centre

May 30, 2025

Summary: An individual made a complaint under the Personal Health Information Protection Act (the Act) about the use of their personal health information by Sunnybrook Health Sciences Centre (the hospital) and the Sunnybrook Foundation (the foundation) for the purpose of fundraising activities. The complaint relates to the personal health information that the hospital provided to the foundation, as well as the content of the fundraising letter sent to the complainant by the foundation. In this decision, the adjudicator finds that the foundation is the hospital’s agent and that the provision of personal health information to it for the purpose of fundraising activities is a “use” of that personal health information.

The adjudicator also finds that the collection, use and disclosure of personal health information for the purpose of fundraising activities is exclusively covered under section 32 of the Act and section 10 of its associated Regulation, and that the permitted uses in sections 37(1)(c) and (d) do not apply to fundraising.

The adjudicator finds that the hospital’s use of personal health information for fundraising purposes was generally permitted under the implied consent provision of section 32(1)(b) of the Act and section 10 of the Regulation, but that the fundraising letter the foundation sent to the complainant contained more personal health information than was permitted under the Regulation.

Statutes Considered: Personal Health Information Protection Act, 2004, S.O. 2004, c. 3 sections 2 (definition of “health care”), 4(1)(b) (definition of “personal health information”), 6, 17, 30, 32(1), 32(2), 37(1)(c) and 37(1)(d); Ontario Regulation 329/04, section 10.

Decisions Considered: PHIPA Decisions 17, 29, 44, 144, 176 and 177.

Cases Considered: Rizzo v. Rizzo Shoes Ltd. (Re), 1998 CanLII 837 (SCC).

BACKGROUND:

[1] An individual (the complainant) made a privacy complaint under the Personal Health Information Protection Act, 2004 (the Act) against Sunnybrook Health Sciences Centre (the hospital). The complainant advised that after accessing services from the hospital, they received two fundraising letters from the hospital’s Sunnybrook Foundation (the foundation). The letters referred to the fact that the complainant had previously visited the hospital as a patient and then proceeded to request assistance in the form of a monetary donation to the foundation. For example, one letter stated:

You came to Sunnybrook as a patient, in need of help.

Thank you for that profound act of trust.

Now I come to you, simply, to ask for your help in turn.

[2] The complainant advised that they had attended the hospital twice, both times for the purposes of receiving health care.[1] The complainant said they did not provide consent for the hospital to disclose the fact they were a patient or any other personal health information about them to the foundation. The complainant indicated that the reason they provided their personal health information to the hospital was to receive health care, not for fundraising purposes.

[3] The complaint first went to mediation. As the parties were not able to resolve the matter at mediation, the file was moved to the adjudication stage of the complaints process, where an adjudicator may conduct a review. I decided to conduct a review and invited the parties to make representations. Both the hospital and the complainant provided representations, which were shared between them.

[4] After receiving representations from the hospital and the complainant, I identified the foundation as an affected party and sought its representations on certain issues.[2] I then sought and received further information from the hospital and the foundation.

[5] In this decision, I find that the hospital’s fundraising activities are exclusively covered by the requirements of section 32 of the Act and section 10 of Regulation 329/04 (the Regulation) and that the permitted uses in sections 37(1)(c) and (d) do not apply to fundraising.

[6] I further find that the hospital, and its agent - the foundation - contravened section 32(1)(b) and section 10 of the Regulation when they sent a letter to the complainant containing more personal health information than permitted. I order the hospital, and through it, the foundation, to cease including any information about an individual’s health care or state of health in its fundraising letters including the fact that the individual was a patient of the hospital, has visited the hospital as a patient and/or received services at the hospital.

ISSUES:

1. Has the hospital complied with section 32(1) and 32(2) of the Act and section 10 of the Regulation?
2. Do the “permitted uses” in section in 37(1)(c) or (d) of the Act otherwise authorize the hospital’s use of personal health information for the purpose of fundraising activities?

DISCUSSION:

Background

[7] The hospital and the foundation provided background information with respect to their fundraising practices.

[8] First, the hospital identifies patients to whom it wishes to send fundraising correspondence. It excludes from this list certain patients deemed inappropriate to contact such as minors, deceased individuals, active inpatients, and residents of the hospital’s Long-Term Care facility. The hospital also excludes people who have opted out of fundraising.

[9] The hospital then provides the following information about patients to the foundation for input into the foundation’s fundraising database:

• The patient’s unique identifying number,
• The patient’s first, middle and last name,
• The patient’s street address including the number, apartment number, city, province, postal code and country.[3]

[10] The foundation receives this personal health information on a monthly basis by way of a data file, which is used twice a year for a series of mailings.

[11] Before the foundation uses the data file, the hospital provides the foundation with two “kill files” so the foundation can remove information about patients from whom it is no longer appropriate to solicit funds. For example, patients who have objected or withdrawn their consent for use of their information for this purpose, or who have since passed away. The foundation matches patients in these kill files to the previous data file to remove these persons before using the information in the data file.

[12] The foundation uses the unique identifying number to identify unique individuals and new entries to its database - versus returning patients - to avoid sending duplicates or inappropriate fundraising communications. The unique identifying number is not the patient’s Ontario health card number. The foundation then sends, by mail, a letter to those remaining individuals on behalf of the hospital, asking them to become donors.

Preliminary Issues

[13] The parties do not dispute, and I find, that the hospital is a “health information custodian” as defined in section 3 of the Act.

[14] I also find that the letters the complainant received contained their “personal health information” as defined in section 4(1)(b) of the Act[4] and the definition of “health care” under section 2 because the letters included their name together with the fact they were a patient of the hospital. The IPC has interpreted the definition of personal health information as including the fact that an individual was the recipient of health care[5] by a health information custodian.[6] For instance, in PHIPA Decision 17, former Assistant Commissioner Sherry Liang found that identifying an individual as a patient of the hospital falls within the meaning of subsection 4(1) of the Act.

The foundation as “agent” of the hospital

[15] I find that the foundation is an “agent” of the hospital, as that term is defined in section 2 of the Act. The hospital submits that the foundation is acting as its “agent” for the purpose of fundraising activities. The foundation agrees with this submission and the complainant does not dispute it.

[16] Section 2 of the Act defines an agent as follows:

“agent”, in relation to a health information custodian, means a person that, with the authorization of the custodian, acts for or on behalf of the custodian in respect of personal health information for the purposes of the custodian, and not the agent’s own purposes, whether or not the agent has the authority to bind the custodian, whether or not the agent is employed by the custodian and whether or not the agent is being remunerated[.]

[17] Sections 17(1) and 17(2) of the Act set out certain responsibilities required of health information custodians and agents with respect to the personal health information.

[18] Section 17(1) states:

A health information custodian is responsible for personal health information in the custody or control of the health information custodian and may permit the custodian’s agents to collect, use, disclose, retain or dispose of personal health information on the custodian’s behalf only if,

(a) the custodian is permitted or required to collect, use, disclose, retain or dispose of the information, as the case may be;

(b) the collection, use, disclosure, retention or disposal of the information, as the case may be, is necessary in the course of the agent’s duties and is not contrary to this Act or another law; and

(c) the prescribed requirements, if any, are met.

(1.1) A permission granted to an agent under subsection (1) may be subject to such conditions or restrictions as the health information custodian may impose.

[19] Section 17(2) states:

Subject to any exception that may be prescribed, an agent of a health information custodian may collect, use, disclose, retain or dispose of personal health information only if,

(a) the collection use, disclosure, retention or disposal of the information, as the case may be,

(i) is permitted by the custodian in accordance with subsection (1)

(ii) is necessary for the purpose of carrying out his or her duties as agent of the custodian,

(iii) is not contrary to this Act or another law, and

(iv) complies with any conditions or restrictions that the custodian has imposed under subsection (1.1); and

(b) the prescribed requirements, if any, are met.

[20] The hospital submits that the foundation is a not-for-profit corporation, which exists solely to serve the fundraising needs of the hospital. The hospital and the foundation have an agreement that addresses the use of personal health information for the purpose of fundraising and it is agreed between them that the foundation is authorized by the hospital to use personal health information for the hospital’s fundraising purposes. The hospital provided a copy of the agreement, pointing out that the agreement specifically states that the foundation contacts individuals for donations on behalf of the hospital and that the foundation receives a “subset of patient solicitation data” permitted by the Act. The agreement between the hospital and the foundation authorizes the foundation only to collect, use or disclose personal health information for the purpose of fundraising and for no other purpose.

[21] Past IPC orders have found that certain organizations or individuals qualify as “agents” as defined in section 2 of the Act where they are acting on behalf of a health information custodian in respect of personal health information for the purposes of the custodian, and not the agent’s own purposes, and with the health information custodian’s authorization.

[22] Based on my consideration of the parties’ representations, and the terms of the agreement described above, I find that the foundation meets the definition of an agent as defined in section 2 of the Act. In particular, I find that the foundation is authorized by the hospital to act on its behalf in respect of personal health information solely for the purpose of fundraising activities for the hospital[7] and that the foundation is not authorized to collect, use or disclose personal health information for any other purpose without the prior written authorization of the hospital based on the terms of the agreement and the requirements set out under section 17 of the Act.

The “use” of personal health information by the hospital

[23] The hospital takes the position that its provision of personal health information to the foundation is a “use” of personal health information, as defined in section 6(1) of the Act, as opposed to a “disclosure” of that information.[8] The foundation and the complainant agree with this position.

[24] Section 6(1) of the Act states:

For the purposes of this Act, the providing of personal health information between a health information custodian and an agent of the custodian is a use by the custodian, and not a disclosure by the person providing the information or a collection by the person to whom the information is provided.

[25] The term “use” is defined in section 2 of the Act as follows:

“use”, in relation to personal health information in the custody or under the control of a health information custodian or a person, means to view, handle or deal with the information, subject to subsection 6(1), but does not include to disclose the information, and “use”, as a noun, has a corresponding meaning.

[26] Past IPC orders have confirmed that the provision of personal health information to an agent by a health information custodian is a use of that personal health information under section 6(1).[9] I find in this case that the provision of personal health information by the hospital to the foundation, as its agent, for the purpose of fundraising activities is a use of that personal health information.

[27] I further find that the hospital’s practice of excluding patients whom it deems inappropriate to contact from the fundraising list before providing it to the foundation– referred to as “pre-processing” – is also a “use” of personal health information.

Issue A: Has the hospital complied with section 32(1) and 32(2) of the Act and section 10 of the Regulation?

[28] The hospital’s position is that it, and the foundation as its agent, are in compliance with the fundraising requirements of PHIPA in section 32 of the Act, and section 10 of the Regulation. The complainant disagrees.

[29] Sections 32(1) and 32(2) of the Act state:

(1) Subject to subsection (2), a health information custodian may collect, use or disclose personal health information about an individual for the purpose of fundraising activities only where,

(a) the individual expressly consents; or

(b) the individual consents by way of an implied consent and the information consists only of the individual’s name and the prescribed types of contact information.

(2) The manner in which consent is obtained under subsection (1) and the resulting collection, use or disclosure of personal health information for the purpose of fundraising activities shall comply with the requirements and restrictions that are prescribed.

[30] Section 10 of the Regulation states:

(1) The following types of contact information are prescribed for the purposes of clause 32(1)(b) of the Act:

1. The mailing address of the individual.

2. The name and mailing address of the individual's substitute decision-maker.

(2) For the purposes of subsection 32(2) of the Act, the following are prescribed as requirements and restrictions on the manner in which consent is obtained and on the resulting collection, use or disclosure of personal health information:

1. Personal health information held by a health information custodian may only be collected, used or disclosed for the purpose of fundraising activities undertaken for a charitable or philanthropic purpose related to the custodian's operations.

2. For personal health information collected on or after November 1, 2004, consent under clause 32(1)(b) of the Act may only be inferred where,

i. the custodian has at the time of providing service to the individual, posted or made available to the individual, in a manner likely to come to the attention of the individual, a brief statement that unless he or she requests otherwise, his or her name and contact information may be disclosed and used for fundraising purposes on behalf of the custodian, together with information on how the individual can easily opt-out of receiving any future fundraising solicitations on behalf of the custodian, and

ii. the individual has not opted out within 60 days of when the statement provided under subparagraph i was made available to him or her.

2.1 [Provision dealing with information collected prior to November 1, 2004 does not apply to this complaint.]

3. All solicitations for fundraising must provide the individual with an easy way to opt-out of receiving future solicitations.

4. A communication from the custodian or a person conducting fundraising on its behalf to an individual for the purpose of fundraising must not include any information about the individual's health care or state of health.

[31] Section 30 of the Act is also relevant to this complaint in that it sets out two general limitation principles:

(1) A health information custodian shall not collect, use or disclose personal health information if other information will serve the purpose of the collection, use or disclosure.

(2) A health information custodian shall not collect, use or disclose more personal health information that is reasonably necessary to meet the purpose of the collection, use or disclosure, as the case may be.

Representations

The hospital’s representations

[32] The hospital’s position is that its provision of personal health information to the foundation (its agent) and the foundation’s use of that information to solicit funds are permitted uses because under section 32 it is authorized to engage in fundraising activities.

[33] The hospital also submits that its pre-processing activity of extracting and sorting personal health information to identify patients from whom it is not appropriate to solicit donations[10] is necessary to operate effectively and enable appropriate fundraising.

[34] The hospital goes on to submit that the only way for the implied consent provision in section 32 to function is if a health information custodian can turn its mind on a preliminary basis to which types or groups of patients should not receive fundraising correspondence under the implied consent provisions of section 32(1)(b) of the Act and section 10 of the Regulation. In that regard, the hospital states:

The need to select patients is directly implicit in PHIPA and the Regulation’s provisions on fundraising. Section 10(2) [of the Regulation] only permits the Hospital to contact individuals after they’ve had 60 days to opt out after receiving notice of the Hospital’s use of PHI [personal health information] for fundraising. That requires the Hospital to consider when they received notice, e.g. when they attended the hospital, and when 60 days have passed. This requires considering PHI outside of name and address at this preliminary stage, including their visit date or discharge date, when selecting which patients are added to the fundraising database. The complainant’s position that only name and address be used would make compliance with this requirement impossible.

[35] Concerning the content of fundraising letters sent to patients, the hospital submits that the fact that the letter identifies the individual as having been a patient complies with the Regulation, as it is merely a means of advising the patient where and how their information was collected. The hospital goes on to argue that by proactively advising the patient of the basis for the letter, the hospital is being open and transparent and keeping patients informed of the reason for the contact so they understand the use of their personal health information. The hospital goes on to argue that if advising a patient where their information was sourced is a violation of the Act, then the patient’s right to understand the use of their personal health information would be hindered.

[36] With regard to the notice requirements set out in section 10(2)2(i) of the Regulation, the hospital submits that it is fully compliant with these requirements. First, it posts notices throughout high profile areas in the hospital including in or beside all elevators, inpatient waiting rooms, patient care units, nursing stations, cafeterias, patient registration and/or reception areas, lobbies, the research department, surgery recovery areas, the foundation’s office, the CEO’s office, the Patient Relations office and the health records department. Second, the notices contain a brief statement that unless patients request otherwise, their name and contact information may be disclosed and used for fundraising purposes on behalf of the custodian, together with information on how they can opt-out of receiving any future fundraising solicitations.

The complainant’s representations

[37] The complainant does not dispute the use of their name and mailing address for fundraising as permitted under section 32(1)(b) of the Act and section 10(1) of the Regulation. However, the complainant submits that the hospital used more personal health information than simply their name and address and thereby acted beyond the implied consent provision in section 32(1)(b).

[38] Concerning the hospital’s position that it must consider the personal health information of patients other than the name and address at the preliminary stage to determine when the 60 day opt-out period has expired, the complainant suggests that to comply with the Regulation, the hospital could provide a monthly or quarterly list of potential donors to the foundation. The complainant further suggests that the foundation, in turn, could wait for 60 days from the date the list was provided to it to cross-reference the opt-out list and then send out the fundraising letters to the individuals remaining on the list.

[39] Turning to the notice provided by the hospital regarding its use of personal health information for fundraising purposes, the complainant advises that at the time they attended the hospital, the COVID-19 pandemic was occurring and the area where their testing was conducted did not have Regulation notices posted at all.

[40] Lastly, the complainant submits that the hospital is not in compliance with section 10(2)4 of the Regulation, which states that communication from the hospital or the foundation to an individual for the purpose of fundraising must not include any information about the individual's health care or state of health. The complainant advises that the letter they received included the statement “You came to Sunnybrook as a patient, in need of help. Now I come to you, simply, to ask for your help in turn.” The fact that the complainant was identified as having been a patient at the hospital reveals their personal health information, and there is no mention in the letter where and how their personal health information was collected, as the hospital suggests.

The hospital’s reply representations

[41] The hospital submits that the failure to post a notice, if that were the case, on a particular wall in exigent circumstances and for good reason does not establish a failure to give reasonable notice or any compliance problems in that regard.

The complainant’s sur-reply representations

[42] The complainant reiterates that the Act provides for two methods of consent related to the use of personal health information for fundraising purposes. Section 32(1)(a) allows for express consent by an individual. Section 32(1)(b) allows for implied consent as the basis for the collection, use or disclosure of personal health information. The implied consent provision in section 32(1)(b), combined with section 10 of the Regulation, permit the use of only the patient’s name and address for “the purpose of fundraising activities” and require “communication from the custodian or a person conducting fundraising on its behalf to an individual for the purpose of fundraising”.

[43] The complainant submits that if the hospital requires the use of more than the patient’s name and contact information for fundraising purposes, it can find another way to conduct its fundraising or have the legislation changed to accommodate its practice of using more personal health information.

[44] Concerning the posting of notices, the complainant does not dispute that notice is adequately posted throughout the main body of the hospital where the vast majority of patients are likely to see it. The complainant’s issue is that during the COVID-19 pandemic, the area where they attended did not have notices posted anywhere and that this lack of notice would have affected more than 1,000 patients per week.

The foundation’s representations

[45] The foundation refers to the consent provision in section 10(2)2 of the Regulation, submitting that by creating the 60-day opt-out period, the Regulation specifically contemplates the use of personal health information other than simply the name and address of the individual because it refers to “the time of providing service.” The foundation submits that on its face the opt-out requirement in section 10(2)2 would conflict with any reading of the Act that only allows the name and address to be used for fundraising purposes in the absence of express consent. The foundation goes on to argue that courts do not “rush” to find conflict between regulations and their empowering statues. For example, in Katz Group Canada Inc. v. Ontario,[11] Abella J. stated:

Regulations benefit from a presumption of validity . . . [t]his presumption . . . favours an interpretive approach that reconciles the regulation with its enabling statute so that, where possible, the regulation is construed in a manner which renders it intra vires.

[46] Applying the Katz decision to the facts in this complaint, the foundation argues that the use of additional personal health information required by section 10(2)2 of the Regulation is intra vires the Act if responsible fundraising efforts are considered a “program” of the hospital.[12]

[47] The foundation further submits that the complainant appears to accept that certain individuals should not be targeted for fundraising, for example, minors, deceased individuals and long-term care residents, which applies a modern, contextual and purposive interpretation of the Act. However, the complainant’s position is that the hospital cannot use the personal health information of an individual in the absence of express consent for its pre-processing activity. The foundation argues that the complainant applies a technical reading of the Act which conflicts with the modern, contextual and purposive approach it endorses. The foundation goes on to state that “…there is no other way to screen out patients to whom sending a fundraising letter would be inappropriate without relying on the personal health information that makes it inappropriate.”

[48] Finally, the foundation addresses the letters it sends out to individuals for the purpose of fundraising activities. The foundation’s position is that its letters comply with section 10(2)4 of the Regulation because they do not include information about the individual’s health care or state of health. The foundation submits that the statement in the letter that the individual came to the hospital as a patient in need of help does not include information about the individual’s health. The letter, the foundation argues, is a means of being transparent about the source of information used for fundraising and does not include clinical information.

[49] The foundation further argues that the word “about” is elastic and allows for the consideration of context and purpose. The foundation relies on a decision of the Alberta Court of Appeal[13] where the Court found that vehicle license numbers were “about” a vehicle and not “about” registered vehicle owners for the purposes of Alberta’s Personal Information Protection Act. The foundation submits that this case is the same, in that the hospital and the foundation use non-clinical, non-sensitive information to engage in responsible fundraising practices and that the information it uses is “about” fundraising and not health care.

Analysis and findings

[50] The parties have raised, and I will address, three arguments about: the scope of personal health information that can be used by the hospital and the foundation on the basis of implied consent, the notices posted by the hospital advising individuals about the use of their personal health information, and the content of the fundraising letters sent to individuals by the foundation.

[51] Before I address these arguments, it is necessary to examine the history of section 32 of the Act, including the Legislative intent and the concept of modern statutory interpretation.

[52] The modern approach to statutory interpretation cited by the Supreme Court of Canada in Bell Express Vu Limited Partnership v. Rex[14] and TELUS Communications Inc. v. Wellman[15] is set out in Elmer Driedger’s text on Construction of Statutes[16] which states that:

[T]he words of an Act are to be read in their entire context and in their grammatical and ordinary sense harmoniously with the scheme of the Act, the object of the Act, and the intention of Parliament.

[53] Section 64(1)  of the Legislation Act, 2006 [17] also applies to the interpretation of an Ontario statute, requiring that the legislation be given “such fair, large and liberal interpretation as best ensures the attainment of its objects.”

[54] The Hansard debates on the purpose of section 32 are helpful in ascertaining the Legislative intent with respect to this section of the Act. Then Minister of Health, the Hon. George Smitherman, stated that “What this bill does is restrict the capacity of health care organizations to use the fact that you’ve been a patient to directly solicit you for financial resources.”[18]

[55] The original version of section 32 included a requirement for express consent for the purpose of fundraising activities. In the Legislative debates, there was a concern that if express consent was required for all fundraising activities, it would be onerous for hospitals to obtain that consent. The net result would be a significant drop in money raised through fundraising - money that is used by hospitals for research purposes, for the purchase of capital equipment, for health care reforms and for infection control and prevention measures.[19] Then Minister of Health, the Hon. George Smitherman stated that:

. . . We have made this amendment as an expression of good faith toward our hospitals, which provide so much support to Ontarians. We know that they can be trusted to deal with this most cherished information. Even the knowledge that one has sought treatment is personal information, and we are grateful for the commitments that Ontario’s hospitals have made about the way this information will be handled.[20]

[56] Hence, the fundraising provision was amended as a way for hospitals to be able to rely on patients’ implied consent to collect, use and disclose their names and contact information for fundraising purposes. Moreover, there was a clear discussion in the debates that this information should only be provided after a certain time period, to allow for the passage of time from any discharge from the hospital to ensure that there is “no ability at all to tie care and the provision of it to a donation.”[21] In addition, there was discussion in the debates about excluding certain vulnerable patients or those in sensitive scenarios from fundraising activities.[22]

[57] Since then, the Act and its regulation have been understood and interpreted to “prevent explicitly referring to the fact that the person has been a patient in the facility for which the fundraising is taking place, since that is information about the patient’s health care.”[23]

The scope of personal health information used by the hospital and the foundation

[58] The hospital’s position is that its use of personal health information for fundraising purposes, including its pre-processing practice, is in compliance with section 32 of the Act and section 10 of the Regulation. The complainant does not dispute the use of their name and mailing address for fundraising. The complainant’s position is that the hospital used personal health information above and beyond simply their name and address, contrary to the implied consent provision in section 32(1)(b). The foundation has argued that the hospital and the foundation use non-clinical, non-sensitive information to engage in responsible fundraising practices and that the information it uses is “about” fundraising and not health care, relying on a court decision where vehicle license numbers were found to be “about” a vehicle and not “about” registered vehicle owners.

[59] In the circumstances of this complaint, there is no vehicle or object at issue. I find that the information being used by the foundation – including the name of the patient together with the fact they were a patient of the hospital - qualifies as their personal health information within the meaning of section 4(1)(b) of the Act and the definition of “health care” under section 2 of the Act.

[60] The requirements with respect to the manner in which consent is obtained (express or implied) and the resulting collection, use or disclosure of personal health information for purposes of fundraising under section 32(1)(b) are addressed in section 10 of the Regulation.

[61] Section 10(1) of the Regulation specifies that, in addition to a person’s name, only their mailing address can be collected, used or disclosed for fundraising purposes. Section 10(2)2 of the Regulation further stipulates that the custodian can only rely on individuals’ implied consent to use their name and contact information for fundraising activities if the custodian posts a notice about the use in a manner that is likely to come to the attention of individuals, together with information on how the individual can easily opt-out of receiving any future fundraising solicitations on behalf of the custodian, and if the individual has not opted out within 60 days of when the notice was made available to them.

Pre-processing activities

[62] I will first address whether the hospital’s use of personal health information for pre-processing activities is in compliance with section 32. At a minimum, the hospital is permitted to use an individual’s name and contact information for the purpose of fundraising activities. From a practical perspective, for that use to become operative and useful, I accept that the hospital must be able to give effect to the requirement not to contact those who have opted out of fundraising or others whom it would be inappropriate to contact, for example, minors, deceased persons, active in-patients or incapacitated persons.

[63] As a result, applying the modern approach to statutory interpretation set out above, I find that the screening out and excluding of certain individuals from fundraising activities as described by the hospital is a permitted use of personal information under the fundraising provision in section 32 of the Act. The amount of information used is “reasonably necessary” to meet the purpose in accordance with the general limitation principle of section 30 of the Act. I also find that the hospital’s pre-processing activities are reasonable and necessary to give effect to permitted fundraising activities while also respecting the objects of the Act, one of which is to establish rules for the collection, use and disclosure of personal health information about individuals that protect the confidentiality of that information and the privacy of individuals with respect to that information, while facilitating the effective provision of health care.[24] Further, I find that the pre-processing avoids fundraising where it may negatively impact the effective provision of health care to individuals by the hospital.

Provision of information to the foundation

[64] I will now turn to consider the hospital’s provision of information to the foundation, which I have already found above is a “use”, for the purposes of the Act.

[65] At a minimum, I find that the hospital’s provision of name and contact information to the foundation is in compliance with the implied consent provision in section 32(1)(b) of the Act and section 10 of the Regulation, which explicitly refer to this very type of information.

[66] I further find that the hospital’s provision of the patient’s identifying number to the foundation is permitted under section 32(1)(b) and complies with the general limitation principle at section 30(2). Applying a pragmatic approach, I accept the hospital’s and the foundation’s evidence that the identifying number – which is not the Ontario health card number - is used solely for the administrative purpose of properly identifying patients to whom the foundation sends fundraising letters and is the minimum information necessary to avoid sending duplicates or letters where it would be inappropriate – for example – where an individual had opted-out of receiving fundraising correspondence.

The notices posted advising individuals of the use of their personal health information for fundraising purposes

[67] Section 10(2)2(i) of the Regulation requires a health information custodian to post or make available to the individual, in a manner likely to come to the attention of the individual, a brief statement that unless they request otherwise, their name and contact information may be disclosed and used for fundraising purposes on behalf of the custodian, together with information on how the individual can easily opt-out of receiving any future fundraising solicitations on behalf of the custodian.

[68] I accept the hospital’s evidence that it posts notices throughout high profile areas including in or beside all elevators, inpatient waiting rooms, patient care units, nursing stations, cafeterias, patient registration and/or reception areas, lobbies, the research department, surgery recovery areas, the foundation’s office, the CEO’s office, the Patient Relations office and the health records department. I am satisfied that the notices contain a brief statement that unless they request otherwise, the patient’s name and contact information may be disclosed and used for fundraising purposes on behalf of the custodian, along with information on how they can opt-out of receiving any future fundraising solicitations. The hospital acknowledged that during the “exigent” circumstances of the COVID-19 pandemic, notices may not have been posted in the area that the complainant visited.

[69] The complainant does not dispute that notice is adequately posted throughout the main body of the hospital where the vast majority of patients are likely to see it. The complainant’s issue is that during the COVID-19 pandemic, the area where they attended did not have notices posted anywhere and that this lack of notice would have affected more than 1,000 patients per week.

[70] I am satisfied and I find that the hospital’s notice complied with section 10(2)2(i) of the Regulation relating to the use of personal health information for the purpose of fundraising activities. I accept that the state of the global COVID-19 pandemic was exigent and exceptional. I find that during this exceptional time, the hospital was focused on the effective provision of health care and having to provide makeshift areas dedicated to vaccinating and treating large volumes of incoming patients and sectioning off affected individuals. Given the catastrophic nature of the pandemic and the pressing need for the implementation of temporary structures, I find the hospital’s position to be reasonable on this issue, and in compliance with section 10(2)2(i) of the Regulation.

The content of the fundraising letters

[71] The hospital’s position is that the fact that the letter identifies the individual as having been a patient complies with the Regulation, as it is merely a means of advising the patient where and how their information was collected. The hospital states that by proactively advising the patient of the basis for the letter, it is being open and transparent and keeping patients informed of the reason for the contact and the right to understand the use of their personal health information. The hospital argues that if advising a patient where their information was sourced is a violation of the Act, then the patient’s right to understand the use of their personal health information would be hindered.

[72] The foundation’s position is that the letters comply with section 10(2)4 of the Regulation because they do not include information about the individual’s health care or state of health. The foundation submits that the statement referring to the fact that the individual came to the hospital as a patient in need of help does not include information about the individual’s health. The foundation argues it is a means of being transparent about the source of information used for fundraising.

[73] The complainant takes issue with the fact that the fundraising letter they received identified that the complainant had previously visited the hospital as a patient and that this is not compliant with section 32 of the Act and the Regulation.

[74] Section 32(2) of the Act states that the collection, use or disclosure of personal health information for fundraising purposes shall comply with the requirements and restrictions that are prescribed. Section 10 of the Regulation sets out the requirements and restrictions regarding the content of the fundraising letters sent to individuals. Specifically, section 10(2)4 states:

(2) For the purposes of subsection 32(2) of the Act, the following are prescribed as requirements and restrictions on the manner in which consent is obtained and the resulting collection, use or disclosure of personal health information:

. . .

4. A communication from the custodian or a person conducting fundraising on its behalf to an individual for the purpose of fundraising must not include any information about the individual's health care or state of health.

[75] While I am sympathetic to the hospital’s and foundation’s submissions that referring to the individual’s stay in hospital as a patient may help reduce the surprise factor upon receiving a fundraising letter from the foundation, the language of the Act is clear that the communication with respect to fundraising must not include any information about the individual's health care or state of health. In any event, the notices posted by the hospital should serve the function of advising the individual of where and when their personal health information was collected for fundraising purposes.

[76] The foundation appears to argue that the fact that the patient visited the hospital does not constitute personal health information at all. I therefore consider this issue, below.

[77] A previously stated, section 4(1)(b) of the Act states:

Personal health information 4 (1) In this Act,

“personal health information”, subject to subsections (3) and (4), means identifying information about an individual in oral or recorded form, if the information,

(b) relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual,

[78] As previously stated, the IPC has interpreted the definition of personal health information as including the fact that an individual was the recipient of health care[25] by a health information custodian.[26] In PHIPA Decision 17, former Assistant Commissioner Sherry Liang found that identifying an individual as a patient of the hospital falls within the meaning of subsection 4(1) of the Act. I agree with and adopt this finding. Section 10(2)4 of the Regulation requires that the communication from the fundraiser must not include any information about the individuals’ health care or state of health. This is consistent with the underlying intent of the legislature as revealed by the Hansard debates above.

[79] I find that “health care” as defined by the Act includes the fact that an individual was a patient of the hospital and/or received health care at the hospital. As a result, I find that the letter sent to the complainant contained more personal health information than is permitted under sections 32(2) and 10(2)4 of the Regulation.

Issue B: Do the “permitted uses” section in 37(1)(c) or (d) of the Act otherwise permit the hospital’s use of personal health information for the purpose of fundraising activities?

[80] The hospital’s position is that in addition to section 32 of the Act (which I have addressed above), the permitted uses of personal health information in sections 37(1)(c) and 37(1)(d) apply to the hospital’s uses of personal health information for the purpose of fundraising activities.

[81] For the reasons that follow, I find that sections 37(1)(c) and (d) do not apply to the hospital’s uses of personal health information for “the purpose of fundraising activities” as set out in section 32 of the Act.

[82] Sections 37(1)(c) and (d) state:

A health information custodian may use personal health information about an individual,

(c) for planning or delivering programs or services that the custodian provides or that the custodian funds in whole or in part, allocating resources to any of them, evaluating or monitoring any of them or detecting, monitoring or preventing fraud or any unauthorized receipt of services or benefits related to any of them;

(d) for the purpose of risk management, error management or for the purposes of activities to improve or maintain the quality of care or to improve or maintain the quality of any related programs or services of the custodian[.]

[83] If section 37(1) authorizes a health information custodian to use personal health information for a purpose, section 37(2) permits an agent to use that personal health information on behalf of the health information custodian for the same purpose.

Representations

The hospital’s representations

[84] The hospital submits that section 37(1) permits the use of personal health information for the purposes of the Act “. . . as a whole – in this case section 32,” and that section 37(2) provides that a health information custodian may provide the information to an agent who may then use it for that purpose on behalf of the health information custodian. The hospital relies on PHIPA Decision 29, where the IPC found that an agent may deal with health records as long as the use is consistent with the health information custodian’s legal requirements.

The complainant’s representations

[85] The complainant disagrees with the hospital’s argument that section 37(1) applies to the use of information for fundraising, stating that “(s)ection 37 of the Act permits the use of personal health information about an individual for the purposes outlined in paragraphs (a) to (k) and not for the Act, “as a whole.””

[86] The appellant goes on to argue that section 37(1) should not be used to circumvent the specific requirements and limitations of section 32 of the Act, which are that only the patient’s name and contact information may be collected and used for fundraising purposes.

The hospital’s reply representations

[87] The hospital’s position is that sections 37(1)(c) and (d) co-exist with section 32 and that the complainant is asking the IPC to interpret section 32 in an unreasonably restrictive manner. The hospital argues that the complainant’s position that only section 32 applies would result in a single fundraising database with millions of potential donors identified only by name and address, which would prevent the hospital from: screening out patients for fundraising, sending letters based on an assessment of appropriateness regarding health care status and timing, and being transparent by letting patients know that they are being contacted because they recently visited the hospital.

[88] The hospital submits that it is essential to consider the legislative intent and the debates that took place about fundraising under the Act in order to assist in making a finding that fundraising is a “program” for which a health information custodian may use personal health information, above and beyond names and addresses, in order to enable appropriate fundraising under the permitted uses in sections 37(1)(c) and 37(1)(d).

[89] Regarding the enactment of the Act, the hospital states:

The Honorable Shelley Martel, in second reading debates, argued that “fundraising efforts would essentially dry up” if PHIPA were to require express consent for fundraising.[[27]] The former Privacy Commissioner expressed similar concerns in addressing the Standing Committee on General Government, stating that express consent “does not reflect the existing realities facing healthcare organizations and serve the public” and “Requiring express consent for fundraising purposes will adversely affect their ability to raise funds.”[[28]]

[90] The hospital then argues that legislative purpose carries great weight in statutory interpretation, which is an aspect of the “modern rule of statutory interpretation,”[29] and that based on this modern rule, the IPC must not interpret the Act to produce an outcome that conflicts with legislative intent.[30] It further submits that the Legislature, in authorizing health information custodians to engage in fundraising without express consent, is presumed to have understood all the practical needs of hospital fundraisers, including the need to pre-process information to avoid sending out inappropriate communications. This, the hospital submits, is based on the “presumption of knowledge” described in Sullivan on the Construction of Statutes.[31]

[91] The hospital’s position is that the IPC must adopt a plausible interpretation of the Act that will bring about a workable and practical result that is aligned with the legislative intent, quoting from the Supreme Court of Canada as follows:

When one interpretation can be placed upon a statutory provision which would bring about a more workable and practical result, such an interpretation should be preferred if the words invoked by the Legislature can reasonably bear it.[32]

[92] It goes on to submit that the “plausible interpretation” that best accords with the legislative intent in these circumstances is to treat the hospital’s fundraising as a “program” for which health information custodians may use personal information above and beyond the name and contact information of the patient, and that the authority for the use of this personal health information is set out in sections 37(1)(c) and (d).

[93] In particular, the hospital argues that the Legislature enacted sections 37(1)(c) and (d) to permit health information custodians to use personal health information to operate effectively, for example, to allow health information custodians to pre-process personal health information beyond strictly the name and contact information of a patient in order to enable appropriate fundraising.

[94] Furthermore, the hospital submits that its pre-processing activity of screening out inappropriate patients and targeting appropriate patients is privacy protective because it limits the use of contact information for fundraising purposes when contact would be inappropriate.

[95] Lastly, the hospital submits that the operational focus of sections 37(1)(c) and 37(1)(d) is different than the focus of section 32, where the Legislature meant to constrain the manner of fundraising contact, not other legitimate operational uses of personal health information.

The complainant’s sur-reply representations

[96] In their representations, the complainant submits that they agree with the Rizzo decision as it relates to the weight that legislative intent and purpose ought to be given when interpreting statutes. However, the complainant further submits that there were other statements made during the legislative debates regarding the Act, namely:

• fundraising was a consideration in the drafting of the Act, but was not its primary intent,[33]
• fundraising is not to be hindered but the privacy of individuals’ “health records” is to be protected,[34] and
• health information custodians are permitted to use and disclose limited personal information about a patient for fundraising purposes where it has implied consent, and this information is limited to only patient’s name and contact information.[35]

[97] The complainant submits that the hospital’s interpretation of sections 37(1)(c) and (d) suggests that the Act prioritizes fundraising over health information privacy. The complainant reiterates that fundraising is specifically addressed in its own section and regulation – section 32 and the Regulation – and is referred to in section 32 as an “activity” and not a “program.” The complainant concludes that the Legislature “knew what they were doing” when they intentionally added a section to the Act that was specific to fundraising, and when they intentionally did not include fundraising as one of the permitted uses in section 37(1).

[98] With respect to the hospital’s position that section 32 applies to the manner of fundraising contact as opposed to the focus of section 37(1), which is related to the operational uses of personal health information, the complainant argues that section 32 deals with the collection, use or disclosure of personal health information for the purpose of fundraising.

The foundation’s representations

[99] The foundation agrees with the hospital that the plausible interpretation that best accords with the legislative intent to ensure responsible fundraising is to treat fundraising as a “program,” and that when responsibly implementing a fundraising program, a health information custodian may rely on sections 37(1)(c) and (d) to use personal health information above and beyond the name and address of the individual as prescribed in section 32(1)(b).

[100] The foundation goes on to argue that sections 37(1)(c) and (d) permit a health information custodian to use personal health information to operate effectively, including for responsible fundraising purposes, and that sections 37(1)(c) and (d) harmoniously co-exist with section 32(1)(b) and section 10(2)2 of the Regulation.

Analysis and findings

[101] For the following reasons, I find that sections 37(1)(c) and (d) do not apply to the hospital’s use of personal health information for the purpose of fundraising activities.

[102] Section 37(1) lists the specific circumstances in which a health information custodian is permitted to use an individual’s personal health information without the consent of the individual. None of the subsections in section 37(1) lists fundraising as a circumstance. The hospital’s position is that fundraising fits within the circumstances described in subsections (c) and (d) of section 37(1). I disagree.

[103] The IPC has found that sections 37(1)(c) and (d) apply in the following types of circumstances:

• the use of personal health information by a radiologist for the provision of health care (37(1)(c)),[36]
• the use of personal health information by health records staff to process the complainant’s request for access to their own records of personal health information (37(1)(c)),[37]
• the use of personal health information by the health information custodian for the purpose of error and risk management where a patient expressed concern with respect to the care provided to them by the custodian (37(1)(d));[38] and
• the use of personal health information by the health information custodian for the purpose of error and risk management activities, and activities to maintain and improve the quality of care following a patient’s death.[39]

[104] In none of these cases was there another provision in the Act that deals specifically with those circumstances.

[105] I agree with the parties that it is important to consider the Legislative intent with regard to the use of personal health information by health information custodians for fundraising purposes. Based on the excerpts of the official transcripts of the Legislative debates provided by both the hospital and the complainant, I find that the transcripts reveal the Legislative intent - that the express consent of the individual is not required for the use of their personal health information by a health information custodian for fundraising purposes and that implied consent may be relied on subject to the restrictions and requirements set out in the Regulation. This is clearly set out in subsection 32(1)(b) and there is no dispute between the parties that section 32(1)(b) permits reliance on implied consent for the purpose of fundraising.

[106] As I have also found above, the debates clearly reveal an intent to limit the amount of information used for fundraising purposes, and to ensure that no information about a person’s health care or state of health be used to solicit funds from them.

[107] These extensive debates provide the rationale as to why the Legislature deliberately turned its mind to, and enacted, a specific section in the Act that addresses the collection, use and disclosure of personal health information by a health information custodian about an individual for the purpose of fundraising activities. That section is section 32 – not sections 37(1)(c) and (d). Just as the circumstances set out in sections 37(1)(c) and (d) permitting the use of personal health information are specific, such as planning or delivering programs, allocating resources, evaluating programs, monitoring or preventing fraud, managing risk and quality of care, so too are the circumstances in section 32 – “for the purpose of fundraising activities.”

[108] Section 32 specifically refers to the collection, use and disclosure of personal health information about an individual by a health information custodian “for the purpose of fundraising activities,” and not simply the “manner of fundraising contact” as argued by the hospital.[40]

[109] I have considered the Legislative intent with respect to fundraising under the Act, and the fact that the Legislature included regulation making power specifically addressing the collection, use and disclosure of personal health information for the purpose of fundraising activities. In addition, the excerpts relied on by the hospital from the Hansard debates do not include any reference or indication that sections 37(1)(c) and (d) of the Act may be relied upon to supplement the fundraising scheme already set out in section 32 of the Act, and its accompanying regulation.

[110] An interpretation of sections 37(1)(c) and (d) that would permit the use of any personal health information for the purpose of fundraising activities without consent would create a direct conflict with section 32 of the Act and section 10 of the Regulation that require either express or implied consent for use of name and address only. These restrictions and requirements as intended by the Legislature would be rendered obsolete if a health information custodian is nevertheless permitted to rely on sections 37(1)(c) and (d) to use any personal health information for fundraising activities without any consent at all.

[111] I have considered the overall purposes and objectives of the Act,[41] the intent of the Legislature as revealed by the debates in Hansard, the wording of sections 32, 37(1)(c), and 37(1)(d) of the Act and section 10 of the Regulation, and all the evidence put before me. I find that it was the intent of the Legislature to permit health information custodians to use personal health information for engaging in fundraising activities in a specific and carefully crafted scheme set out in section 32 and section 10 of the Regulation, and not sections 37(1)(c) and (d).

[112] As I have found above, the use of personal health information by the hospital for the purpose of pre-processing, relayed to the foundation for the purpose of creating a potential donor list and used by the foundation to send out letters to potential donors, was permitted under the implied consent provision of section 32, save and except for the reference to the individual having been a patient in hospital. This finding shows that the scheme does work, as intended by the Legislature.

[113] As a result, I find that sections 37(1)(c) and (d) do not apply to the use of the complainant’s personal health information to expand what the hospital can do for fundraising purposes.

ORDER:

1. For the reasons stated above and pursuant to section 61(1)(d) of the Act, I order the hospital to cease including any information about the individual’s health care or state of health in its fundraising letters sent from its agent, the foundation, to individuals including the fact that the individual was a patient of the hospital, has visited the hospital as a patient and/or received services at the hospital. The hospital is to comply with this provision within 35 days of the date of this decision.

Original Signed by:		May 30, 2025
Cathy Hamilton
Adjudicator