Ensuring health data privacy: Insights from the UTOPIAN case

Case of Note: PHIPA Decision 243 

Introduction

Health information research plays a vital role in improving medical treatments and the quality of care. To conduct health research, researchers require access to personal health information, the collection and use of which is regulated under health privacy laws. However, health researchers in Ontario, dealing with this sensitive personal health information, must ensure that they adhere to the requirements of the Personal Health Information Protection Act (PHIPA). These requirements exist to protect such health information, while also allowing important health research to take place.

Background

Established by the University of Toronto in 2013, UTOPIAN is described as a research database composed of de-identified records of patients extracted from electronic medical records (EMR) of contributing primary care physicians. The personal health information uploaded to UTOPIAN was collected from health information custodians under the PHIPA research provisions. 

The university provided custodians with a Provider Agreement, which consisted of a multi-page letter describing the UTOPIAN project, followed by a custodian consent form. The Provider Agreement stated that only de-identified data extracted from the database would be provided to researchers to support primary care research in Ontario. The university, however, did not provide contributing custodians with a copy of the research plan, or the updated research plans following renewals and amendments to that plan. The university also did not provide to custodians a copy of the Research Ethics Board (REB) decision approving the research plan. 

Initially, UTOPIAN’s research plan specified that it would not extract any direct patient identifiers. However, that changed in 2020, when the university significantly expanded the scope of the personal health information UTOPIAN collected to include patient identifiers such as patient names, addresses, phone numbers, emails and health card numbers. UTOPIAN also started collecting personal health information within the free text fields from the EMRs, as well as images and other picture-like documents from providers.

To notify custodians of the change, the university sent an amendment email and followed that up with another email two weeks later, using the “read receipt” function for both. However, the university did not provide an updated version of the Provider Agreement to be executed by custodians who had already executed an earlier version of it.   

The university also acknowledged that there were two periods when REB approvals had lapsed during which the university continued to collect personal health information. While the university provided notice of the breach to the custodians for one of the periods, it did not do so for the other. 

Complaint

In 2022, an anonymous complaint was made by a group of doctors alleging that the university obtained personal health information from health information custodians without patient consent, and without providing sufficient information to the custodians. The complainants also conveyed their concern about the database uploading personal health information that may be “intentionally taken, transferred, used, altered, stored, and sold.” Additionally, the complainants raised concerns about the adequacy of the de-identification process and the disclosure of potentially identifying information from the database to other parties.

Findings

The IPC investigator found that there was a failure to comply with the section 44 PHIPA obligations for research. Among other failings, the IPC found that the university failed to provide custodians with a research plan and the REB decision approving the plan. It was also found that the university collected personal health information without valid REB approval at times when the REB approval had lapsed, and failed to provide notice of one of these breaches. 

The investigator was also not satisfied with the university’s claim that the Provider Agreement was effectively amended by sending the amendment emails about the 2020 changes. The investigator found that the university should have taken steps to ensure that custodians clearly, unambiguously and unequivocally communicated their acceptance of the proposed amendment to the Provider Agreement, instead of relying on silence.

Under section 44, PHIPA does not require consent by patients, however the university failed to ensure that custodians were providing patients with appropriate notice about the research which was one of the conditions of the research plan approved by the REB. 

Finally, the investigator found no evidence to support the complainants’ allegations regarding the sale of personal health information, or their de-identification concerns.

Recommendations

The investigator made a number of recommendations and provided the university with a six-month time-frame to report back to the IPC regarding the implementation of these recommendations. Some of the recommendations included ensuring that the university has a valid research agreement in place with each custodian, and that any significant amendments be included in that research agreement and be explicitly agreed to. 

The investigator also recommended that the university conduct a re-identification study to evaluate the robustness of its de-identification procedures. The investigator recommended that the university update its means of notifying patients about the UTOPIAN project and not rely solely on posters in doctors’ physical offices, particularly in a context of virtual care. Finally, the investigator recommended that the university exercise greater transparency with the contributing custodians and actively build up trust by having more open lines of communication with them. 

Key Takeaways

This decision raised several important points regarding researchers’ obligations under PHIPA:

  1. Researchers must ensure that they provide custodians with all required information under PHIPA so that custodians can make an informed decision about their participation in a health research project. This includes a copy of the research plan and the REB approval(s) of that plan.
  2. When significant amendments are made to a health research plan, researchers should take steps to ensure custodians clearly and explicitly communicate their acceptance of the proposed amendments. For instance, in this case, copies of the revised Provider Agreement with the updated consent form could have been sent with the request that custodians execute these, by including a link in the email for the custodians to click to indicate acceptance, or similar means.
  3. Researchers should reconsider their traditional methods of notifying patients about research (by way of posters in physicians’ physical offices) and reassess their effectiveness particularly in a context of virtual health care. For instance, a research plan could be varied in such a way as to propose an alternative and more effective form of notice where virtual care is more prevalent.
  4. Researchers should be transparent and maintain open lines of communication with custodians about the collection and use of personal health information to build up their trust in the research.
  5. Researchers should periodically reassess the robustness of their de-identification procedures to minimize re-identification risks that evolve over time with changes to the research plan and/or changes to the dynamic research environment. This can be done by way of a re-identification assessment in accordance with the best practices set out in the IPC’s De-identification Guidelines for Structured Data and ISO/IEC 27559:2022, including analysis of a specific dataset.

The bottom line is that personal health information is sensitive information that requires a high level of protection. While research is vitally important to improve the quality of health care and the effectiveness of the health system, custodians and the public want to be assured that their personal health information is being protected and that the researchers, who are collecting and using this information, are doing so in compliance with the law.

Help us improve our website. Was this page helpful?

Note:

  • You will not receive a direct reply. For further enquiries, please contact us at @email
  • Do not include any personal information, such as your name, social insurance number (SIN), home or business address, any case or files numbers or any personal health information.
  • For more information about this tool, please see our Privacy Policy.