Ontario’s privacy commissioner orders patient to destroy records

The Information and Privacy Commissioner of Ontario recently released two decisions all healthcare providers in Ontario should read. Decision 49 is monumental. For the first time, the IPC has ordered a patient to destroy records using the ‘recipient’ rules under the health privacy legislation.

After a clinical appointment, a patient took a photograph of a physician’s computer screen. The image captured the health information of 71 other patients.

The patient was upset that the physician had left the computer unlocked with his and other people’s information on the screen. He wanted to pursue a legal claim against the physician and was threatening to make the image public or share the image with his lawyer in order to file a lawsuit against the physician or both.

Once notified of the photograph, the physician asked the patient to securely destroy it because he was not authorized to have the other patients’ information. The patient refused.

The physician then notified the 71 patients of the privacy breach. The IPC will review the physician’s practices separately.

IPC concluded that the photograph was a record of personal health information and that the physician had disclosed personal health information to the patient by not protecting the information on the computer screen. The disclosure was not authorized by PHIPA.

IPC found that the patient was a “recipient” of personal health information under PHIPA. As such, the IPC had the authority to and ordered the patient to destroy the image and all copies because the patient had or intended to contravene PHIPA.

Because the patient had not yet initiated legal action against the physician many months later, the IPC refrained from deciding whether the patient would have been entitled to use the image for the purposes of litigation. The hospital undertook to maintain a copy of the image in case of future litigation.

Bottom Line: Decision 49 is a bit of a game changer.

First, it is essential that healthcare providers take care not to allow patients or visitors to collect information from computer screens or other sources. Even if done inadvertently, allowing patients to view other patients’ information constitutes a privacy breach.

Second, this is the first time we have seen a recipient ordered to destroy health information. When there has been a breach, one of the first obligations is to contain the breach.

It is rare to have a recipient refuse to comply with this request. This decision now demonstrates the IPC’s power to compel the destruction of copies of health records in the hands of those who should not have the information.

Also worth commenting on is Decision 48. In this case, a hospital received a request for access to records. The hospital provided the complainant with a full copy of his health records, but the complainant believed there should be additional records. The complainant had copies of the letters a social worker had written and wanted confirmation that the hospital had those letters in its records. The hospital searched for those records, but could not find them. The IPC required the hospital to provide affidavits explaining the searches performed and steps taken to locate responsive records. The IPC concluded that the hospital had completed a “reasonable search” and was convinced the hospital did not have copies of the social worker letters. The IPC dismissed the complaint.

Kate Dewhirst is the founder of Kate Dewhirst Health Law. For more information, please see: http://katedewhirst.com/