This investigation file was opened after a public hospital contacted the Office of the Information and Privacy Commissioner/Ontario to report a privacy breach under the Personal Health Information Protection Act, 2004. The hospital advised that a patient had made a complaint, which alleged the unauthorized use and disclosure of her personal health information by a named physician. In particular, this investigation related to concerns that a “quality audit” the physician was conducting resulted in referrals of motor vehicle accident patients to his wife, a personal injury lawyer.
This Decision concludes that the quality audit conducted by the physician was an unauthorized use under the Act, and that I am unable to determine whether the physician disclosed personal health information in contravention of the Act. It also concludes that the hospital’s previously vague policies, practices and procedures regarding quality audits, and the complete lack of privacy training for physicians, did not amount to taking reasonable steps to protect the personal health information within the meaning of section 12(1) of the Act. However, I also find that the hospital has since remedied these issues.
Lastly, I decide that this review will be concluded without proceeding to the adjudication stage and without an order being issued by this office.
PHIPA DECISION 147
Collection
Health Information and Privacy
Date
File Numbers
HR16-32
Adjudicators
Lucy Costa
Decision Type
Decision - PHIPA
Applicable Legislation
PHIPA - 2
PHIPA - 3(1)
PHIPA - 4(1)(a)
PHIPA - 4(1)(b)
PHIPA - 6(1)
PHIPA - 10(1)
PHIPA - 10(2)
PHIPA - 12(1)
PHIPA - 17(2)
PHIPA - 18
PHIPA - 20(2)
PHIPA - 29
PHIPA - 37(1)