Friday, July 22, 2011
OIPC's Albert Park Clinic Report - Breaking New Ground Under HIPA by Greg
Information and Privacy Commissioner Dickson's Investigation Report H-2011-001 has received ample media attention over the past few days in its thorough review of mismanagement of personal health information at the Albert Park Family Medical Centre. But while much of the report involves documenting and identifying obvious violations of a trustee's obligations under the Health Information Protection Act and reiterating basic advice as to the types of policies and procedures required to protect personal health information, a few of Commissioner Dickson's observations break some new ground in the interpretation of HIPA.
To start with, Commission Dickson considered the nature of trusteeship under HIPA, particularly in assessing whether Dr. Teik Im Ooi could escape responsibility for management of personal health information by her "managing partner". Commissioner Dickson concluded at para. 65 that notwithstanding her apparent deference to the decisions of her partner, Dr. Ooi remained fully responsible for HIPA compliance as a trustee:
As a partner, if she chose to defer to her partner in terms of patient records and related decisions as she apparently has done, she is nonetheless liable for the consequences of bad decisions made by her former business partner.
Commissioner Dickson went on to note at para. 78 that on taking sole trustee of records containing personal health information, Dr. Ooi was responsible for the management of those records over their full life cycle - including for decisions about off-site storage made by others:
In the circumstances of APFMC, Dr. Ooi had a responsibility to learn of any arrangements made by her present and former partners with respect to off-site storage of patient records and to initiate any action required to ensure compliance with HIPA.
Among the failings identified by Commissioner Dickson was a lack of any system to identify or index large volumes of patient records. Commissioner Dickson held at para. 180 that such indexing is required for a trustee to comply with its obligation under section 17(2)(a) to keep personal health information in a form which is "retrievable, readable and useable for the purpose for which it was collected".
Commissioner Dickson also reviewed the application of HIPA section 18 respecting information management service providers. Commissioner Dickson concluded that the IMSP title applied to numerous parties, including not only the pharmacist tasked with finding storage space for APFMC's records, but also the landlord who provided the space and even Dr. Ooi's own children and their friends who were paid to review, cull and move files.
This finding may have been primarily intended to ensure that Dr. Ooi's use and disclosure of personal health information received scrutiny under section 18(1). However, it also serves to impose potential liability on the IMSPs themselves under section 18(3) - highlighting the danger that even a party which would not see itself as likely to hold any obligations under HIPA might itself become liable through the mistakes of a trustee.
Finally, Commissioner Dickson recommended that the Minister of Justice consider commencing a prosecution under HIPA - which would represent a new step in Saskatchewan. In a future post, I'll deal with the ramifications of that step in more detail.
This blog consists of general legal information only, and does not constitute the provision of legal advice to any person or organization. Please feel free to contact me at firstname.lastname@example.org if you require legal advice related to privacy or access to information.