PHIPA DECISION 168

Collection: Health Information and Privacy
Date:
File Numbers: HI16-17, HC16-10-02
Adjudicators: Jenny Ryu
Decision Type: Decision
Applicable Legislation: PHIPA - 2, PHIPA - 10(1), PHIPA - 10(2), PHIPA - 12(1), PHIPA - 12(2), PHIPA - 15(3)(b), PHIPA - 16(2), PHIPA - 17, PHIPA - 18, PHIPA - 19, PHIPA - 20(2), PHIPA - 29(a), PHIPA - 30

This decision addresses both an individual complaint and an IPC-initiated investigation into a hospital’s practices around its agents’ use of personal health information for education purposes. In the individual complaint, a hospital patient alleged that a doctor had improperly accessed her health records while claiming an education purpose for the accesses. The patient’s allegations raised broader questions about whether the hospital had in place adequate information practices to govern this use of personal health information by its agents. The IPC opened the self-initiated investigation to address those systemic issues.

In this decision, the adjudicator finds there were a number of unauthorized accesses to the patient’s health records. These accesses were made in violation of the hospital’s policy on education use, which permits patients to refuse consent to this use, and the patient’s withdrawal of consent under the policy. The adjudicator finds these accesses were violations of the Personal Health Information Protection Act, 2004 (PHIPA). After considering the circumstances surrounding the accesses, she concludes they were largely the result of systemic deficiencies in the information practices around education use that the hospital had in place at the time. These were failures by the hospital to comply with its obligations under PHIPA, including its duty to take reasonable steps to protect personal health information in its custody or control.

The adjudicator then considers a number of changes the hospital has already made or has committed to making to its information practices in response to the breaches, as well as the hospital’s cooperation throughout the IPC process. In view of all the circumstances, she finds it unnecessary to issue orders against the hospital. However, she provides guidance to the hospital in the form of three key recommendations, as well as some additional recommendations, for further improvements to its information practices in relation to the use of personal health information for education purposes.