ORDER PO-4081

Appeal PA16-361

The Ottawa Hospital

November 4, 2020

Summary: A mother filed an access request with the hospital to obtain records she believes would demonstrate that nine individuals accessed her late daughter’s personal health information without her or her daughter’s knowledge and informed consent, and not for valid research purposes as claimed by the hospital (a related privacy complaint about the same accesses was dismissed in another complaint file).

The hospital issued a decision under the Personal Health Information Protection (PHIPA) granting the requester access to her daughter’s medical records. The hospital was of the view that the records, together with an audit report previously provided to the requester, shows her what information had been accessed by whom. The requester filed a complaint claiming that the hospital’s response did not adequately respond to her request as she sought access to the specific pages of records accessed by the named individuals.

The hospital’s decision also denied the requester access to records it located which would respond to her request for information about the authority of the individuals who accessed her daughter’s medical records for research purposes. The hospital withheld these records under the research exclusion under section 65(8.1) (c) of the Freedom of Information and Protection of Privacy Act . The requester filed an appeal of that decision.

In this order, I find that the hospital adequately responded to the request under PHIPA, and I dismiss the PHIPA complaint. I also find that the remaining records are excluded from the scope of FIPPA under section 65(8.1)(c) and I uphold the hospital’s decision.

Statutes Considered: Freedom of Information and Protection of Privacy Act,  R.S.O. 1990, c. F.31 , as amended, s. 65(8.1) (c); Personal Health Information Protection Act, ss. 4(1) and 52.

Orders Considered: Order PO-3930.

BACKGROUND:

[1]  A mother (the requester), acting as her deceased daughter’s substitute decision- maker, [1] submitted a four-page access request under the Personal Health Information Protection Act (PHIPA) and Freedom of Information and Protection of Privacy Act  (FIPPA ) to the Ottawa Hospital (the hospital).

[2]  By way of background, the requester’s daughter was a patient at the hospital. The requester submits that neither she, her daughter, nor her daughter’s father (the other substitute decision-maker) consented to her daughter’s participation in various research projects associated with the hospital. The requester takes the position that if her daughter’s personal health information (PHI) was used by the hospital for research purposes, this was done improperly and without “informed consent”.

[3]  The mother obtained an audit report from the hospital which identified a number of accesses to her daughter’s personal health information by nine individuals. The mother subsequently filed a privacy complaint with this office alleging various breaches of PHIPA in relation to the accesses to her daughter’s health records described in the audit report. The privacy complaint was investigated by this office, which found that the accesses to the daughter’s records were all permitted under PHIPA, as they were done with the daughter’s consent, were in relation to coroner or College of Nurses of Ontario investigations, were the result of access requests by the requester, or were in relation to research projects by the hospital or the Institute for Clinical Evaluative Sciences. [2]

[4]  In addition to the privacy complaint, the requester made an access request to the hospital. The hospital’s decision letter summarized the requester’s four-page request as follows:

1. Records and information from the following third parties: the Coroner’s Office; the College of Nurses of Ontario (CNO); and the Institute for Clinical Evaluative Sciences (ICES);
2. A copy of all the personal health information/records that were accessed by specific individuals at hospital;
3. Under what authority (and/or an explanation) specific individuals at the Hospital accessed the requester’s daughter’s electronic health record;
4. A copy of the Research Project and the Research Plan, Consideration and Decision and any other documentation by the Research Ethics Board that provided specific individuals with the authority to access the requester’s daughter’s personal health information for research purposes; and
5. A copy of the written consent documentation authorizing specific individuals’ access to the requester’s daughter’s personal health information for research purposes.

[5]  For the remainder of this order, the four-page request summarized into five parts by the hospital will be referred to as the request.

[6]  In response to part 1 of the request, the hospital told the requester that it “was not the appropriate institution to process those requests.” The hospital told the requester to redirect her request to the Coroner’s Office, College of Nurses of Ontario and Institute for Clinical Evaluative Sciences and provided her with the relevant contact information.

[7]  The hospital’s decision letter indicated that it was granting access to a CD-ROM containing copies of records responsive to parts 2, 3 and 5 of the request. I will refer to these records as “electronic records” for the remainder of this decision. The hospital granted the requester full access to her daughter’s electronic personal health information records and stated:

Almost all the records/information you are requesting can either be characterized as personal health information and/or information connected to health care. As such, this request primarily falls within the purview of the Personal Health Information Protection Act (PHIPA) and not FIPPA. It is our understanding that the Hospital has already provided you and/or [the requesters spouse] with a copy of your daughter’s health record, with clarifications, in response to a previous access request under PHIPA. To facilitate your review, we have included on the enclosed CD-ROM additional copies of the relevant records previously released through PHIPA requests relating to your daughter’s health care.

[8]  As explained in more detail below under issue B, the hospital says that the electronic records, viewed with the audit report, show who accessed what information.

[9]  The hospital denied access to records responsive to part 4 of the request on the basis that they are excluded under section 65(8.1) of the Act. I will refer to these records as “research records” for the remainder of this decision.

[10]  The requester filed a complaint under PHIPA and an appeal under FIPPA to this office. The matters were assigned one file number and processed together. The mediator appointed to the file explored settlement with the parties.

[11]  During mediation, the hospital issued revised decision letters under FIPPA disclosing the Coroner’s Office and College of Nurses of Ontario records [3] partially responsive to part 1 of the request. However, the hospital maintained its position regarding ICES records which would respond to part 1 of the request.

[12]  Also during mediation, the hospital confirmed its position that it adequately responded to the requester’s request for electronic records under PHIPA. As no further mediation was possible, the matter was transferred to the adjudication stage. An adjudicator commenced a review by sending notices to the parties setting out the facts and issues and inviting their representations on the issues in dispute. The parties’ representations were shared in accordance with the confidentiality criteria set out in this office’s Practice Direction 7. The matter was subsequently transferred to me for completion.

[13]  In this decision, I find that the research records are excluded from the scope of FIPPA under section 65(8.1)(c). I also find that the hospital adequately responded to the requester’s request for electronic records under PHIPA.

PRELIMINARY MATTER:

[14]  In her representations, the requester takes the positon that the hospital should have transferred or forwarded part 1 of her request for ICES records under section 25(1) of FIPPA. The specific wording of this portion of the request states:

On [a specified date, a named individual] accessed my daughter's electronic medical record 26 times. I would like a copy of all documentation from ICES that authorizes [the named individual] to access and use my daughter's personal medical information/records as per PHIPA Provision Section 45. I would also like a copy of all the personal health information/records that was accessed by [the named individual on the specified date] from my daughter's electronic medical record. I would also like to know the name/names of the person/persons that this information was provided to and how my daughter's personal health information was used including the specific study, analysis or compiling statistical information.

[15]  Earlier in this decision, I noted the privacy complaint the requester filed with this office. The privacy complaint found that the individual’s accesses referenced in part 1 of the request related to disclosures to ICES, a prescribed entity, were authorized under section 45(3) of PHIPA.

[16]  The requester does not claim that the hospital has control or custody of records which would respond to this part of her request and states that the information she seeks “can only be provided by ICES.”

[17]  The hospital responded in its representations that ICES is not an institution under FIPPA and thus section 25(1) has no application.

[18]  I confirm that ICES is not an institution listed in the Schedule contained in Ontario Regulation 460 identifying institutions subject to FIPPA and agree that section 25(1) has no application to any records the requester requested that may be in the custody or control of ICES.

[19]  Accordingly, this decision will not address part 1 of the request and the requester should make her inquiries directly to ICES.

RECORDS:

[20]  The records at issue in the PHIPA complaint are the daughter’s PHI records.

[21]  The records at issue regarding the FIPPA appeal respond to part 4 of the request comprise of:

• data sharing agreements, and related documents including a renewal letter (ICES information at pages 30-52); and
• Research Ethics Board application and/or annual renewal letters between two physicians identified as the lead researchers (Other research records at pages 1-29).

ISSUES:

1. Does section 65(8.1)(c) exclude the research records at issue from FIPPA?
2. Did the hospital adequately respond to the requester’s request under PHIPA for electronic records?

DISCUSSION:

[22]  There is no dispute that the hospital is both an institution under FIPPA and a health information custodian under PHIPA. [4] Both statutes provide that requests for access to one’s personal information, or personal health information, respectively, can be made by individuals authorized to act as a substitute decision-maker.

[23]  However, for the research records request under FIPPA, neither party claims that they contain “personal information” as defined in section 2(1) of FIPPA. I have reviewed the research records and find that they do not contain the personal information or any other information which would identify the requester’s daughter or any other research participant. As noted above, the records consist of the data sharing agreements related to an identified research project and Research Ethics Board’s approval and/or annual renewal letters. The only individuals identified in the records are the researchers and individuals associated with the hospital or Research Ethics Board.

[24]  As the records do not contain the “personal information” of the requester’s daughter as defined in section 2(1) of FIPPA, the request to access the research records is a general access request under FIPPA and the issue of whether or not the requester has a right to act as her daughter’s substitute decision-maker is not relevant.

[25]  This differs from the requester’s request for the electronic records. Pursuant to section 52 of PHIPA, the right of access to personal health information belongs to the individual to whom the information relates. Unlike FIPPA, PHIPA does not provide any general right of access to records of personal health information.

[26]  The parties agree and I find that these records contain the personal health information of the requester’s daughter as defined in sections 4(1)(a) and/or (b) of PHIPA. [5] These records consist of the requester’s daughter’s medical records linked with information regarding the name of the individual who accessed these records. The parties also agree and I find that the requester can act as a substitute decision-maker to make a request under PHIPA to access these records. [6]

ACCESS UNDER FIPPA: the research records

A. Does section 65(8.1)(c) exclude the research records from FIPPA?

[27]  The research records do not contain any personal health information of the daughter. The relevant statute is, therefore, FIPPA and not PHIPA.

[28]  Section 65(8.1)(c) of FIPPA states:

This Act does not apply,

…

(c) to a record respecting or associated with research, including clinical trials, conducted or proposed by an employee of a hospital or by a person associated with a hospital;

[29]  Research is defined as “… a systematic investigation designed to develop or establish principles, facts or generalizable knowledge, or any combination of them, and includes the development, testing and evaluation of research.” The research must be referable to specific, identifiable research projects that have been conceived by a specific faculty member, employee or associate of a hospital. [7]

[30]  This section applies where it is reasonable to conclude that there is at least “some connection” between the record and the specific, identifiable “research conducted or proposed by an employee of a hospital or by a person associated with a hospital.” [8]

[31]  Previous orders have emphasized the importance of considering the purposes of FIPPA as a context for interpreting the research exclusion under section 65(8.1). [9] In Order PO-3365, the adjudicator concluded that the legislative intent with regard to section 65(8.1)(c) was to protect the academic freedom and competitiveness of hospital-based research.

[32]  If the exclusion in section 65(8.1)(c) applies to the records at issue, they are excluded from the access provisions of FIPPA. [10] When a record is excluded from the FIPPA, it means only that FIPPA does not apply to it. An institution can choose to disclose a record outside of the FIPPA access scheme.

Representations of the parties

[33]  In its representations, the hospital states that the responsive records relate to the following two research projects:

1. Chart Review of Collection and Sharing of Anonymous Health Information and Storing of Specimens from Stem Cell Transplant Receipts and Donors (the stem cell project); and
2. Initiative to Maximize Progress in Adolescent and Young Adults Cancer Therapy (the young adults cancer therapy project).

[34]  The requester takes the position that the exclusion at section 65(8.1)(c) should not be applied to bar research participants from accessing records related to an institution’s research activities. The requester states:

It is obvious that [the section 65(8.1)(c) exclusion] was intended to prevent the general “public” from accessing documents related to the institution’s research activities. What is important to note is that my daughter is a research participant in the studies. A research participant has more rights to research documentation than that of the general public. To withhold the Research Ethics Board (REB) documentation from a research participant and/or in this case the [substitute decision makers] is unreasonable and unethical. It is unreasonable because the information that they are withholding contains the very information that should have been provided to my late daughter and/or her [substitute decision makers] to obtain informed consent.

[35]  In support of this position, the requester refers to the hospital’s policy regarding its commitment to accountability and transparency in the ethical conduct of research.

[36]  The requester also raises questions about the timing of the information the hospital shared with her about the two projects in question. The requester submits that the hospital only identified the two projects after this office became involved and suggests that the hospital is now, “after the fact”, attempting to make it appear that the projects were specific and identifiable. The requester disagrees with the hospital’s claim that the projects are “specific” and submits that the titles of the projects, themselves refer to “very broad subjects.”

[37]  Finally, the requester submits that her deceased daughter and the substitute decision-makers were not informed about the existence of the above-referenced projects. In support of this argument, the requester provided a lengthy explanation of the circumstances surrounding her daughter’s signing of various consent forms related to treatment plans or the eligibility to participate in research studies. The requester argues these consents were signed on the provision that subsequent consents would be required to allow the hospital to do things like withdraw blood or bone marrow for research purposes. The requester submits that in some cases the written consent forms were only partially completed as the hospital was to provide further information or explanations.

[38]  It appears that the requester takes the position that if her daughter’s personal health information was used in the stem cell project or young adult cancer therapy project it was done so improperly and without “informed consent.”

[39]  A significant portion of the requester’s representations focussed on her commitment to finding answers about the extent to which her daughter’s personal health information was used in research projects. For example, the requester states:

As [a substitute decision-maker] for my daughter who is a research participant, I have a right to know the research results, conclusions and/or any material incidental findings discovered in the course of the research that relates to the “Stem Cell Project” and the “Young Adults Cancer Therapy Project” and/or the specific research studies that [two named individuals] were involved in that used my daughter’s personal health information.

[The hospital] is adamant that my daughter’s personal health information was used for research with consent and has provided a “Table of Findings” document to verify their position. I have clearly provided submissions to dispute this finding.

… I have a legal obligation to ensure that [my daughter’s] personal health information is protected. I also assume the responsibility to ensure that her personal health information is not being improperly accessed and used. The only way I can fulfill my legal obligations as [a substitute decision-maker] is to be granted the [Research Ethics Board] documentation that I have requested in my access request.

[40]  In its reply representations, the hospital responded that “moral or ethical reasons have no bearing on the legal question of whether or not the test for the application for section 65(8.1) is met.”

[41]  I note that this office has already completed its review of the requester’s privacy complaint alleging various breaches of PHIPA in relation to various accesses to her daughter’s health records described in the audit report. Furthermore, the requester’s moral or ethical concerns about the research do not have a bearing on whether the records are excluded from the scope of FIPPA.

[42]  The hospital asserts and I agree that the records do not contain information disclosing the amount of funding being received with respect to the research referred to in the above-referenced projects. Accordingly, the exception in section 65(9) [11] does not apply in the circumstances.

[43]  For the reasons that follow, I find that section 65(8.1)(c) applies and as a result the records fall outside the scope of FIPPA.

Stem cell project - Other research records at pages 1-29

[44]  The hospital submits that it withheld a full research ethics board application and multiple approvals with respect to this project. It describes the project as a “systemic investigation” with a purpose “to develop or establish facts and data which will be used to develop and support further research projects.” The hospital goes on to state:

On the face of these documents it is clear that the Stem Cell Project constitutes “research” within the meaning of s.65(8.1)(c). To find otherwise would undermine the protection of original research which was intended by the Legislature in enacting s.65(8.1). The fact that the Research Ethics Board has approved this project lends further support to the conclusion that this is a specific, defined, identifiable research project.

The Stem Cell Project is a research study conducted by a number of physicians with privileges at [the hospital], including the principal investigator, [the Director of the hospital’s Blood and Marrow Transplant Program].

[45]  The requester submits that the stem cell project does not meet the definition of research. The requester argues that a research study must attempt to answer a question or hypothesis, must be methodologically driven and have data that is analyzed. Finally, the requester argues that a conclusion must be drawn from the result. The requester’s definition of “research” departs from the definition of the term recognized by previous decisions from this office. The notice sent to the requester inviting her representations set out that previous decisions from this office found that the term research is defined as “… a systematic investigation designed to develop or establish principles, facts or generalizable knowledge, or any combination of them, and includes the development, testing and evaluation of research.” [12] I agree with those decisions and will apply the definition of “research” set out in them.

[46]  The requester also takes the position that the stem cell project does not constitute a systematic investigation as the hospital’s own submissions admit that its purpose was not to answer a research question or hypothesis but rather to “develop or establish facts and data which will be used to develop and support further research projects.”

[47]  Having regard to the representations of the parties and the records themselves, I find that it is reasonable to conclude that the stem cell project records are associated with specific, identifiable research conducted or proposed by an employee of the hospital. I reject the requester’s proposition that the research in question must answer a specific question or hypothesis. I find that the stated purpose of the stem cell project to establish facts and data to be used to develop and support further research projects fits within the definition of research recognized by this office (ie: a systematic investigation designed to develop or establish principles, facts or generalized knowledge…).” Accordingly, I find that these records qualify for exclusion from the scope of FIPPA by section 65(8.1)(c).

The young adults cancer therapy project – ICES records at pages 30-52

[48]  The hospital submits that it properly withheld the data sharing agreements and related documents, including a renewal letter associated with this project. The confidential portion of the hospital’s representations reference the descriptions contained in the withheld agreements defining the scope and purposes of the project. Though the hospital takes the position that the purpose and scope of the project should remain confidential, it states in the non-confidential portion of its representations:

It is apparent on the face of [the] description that this project meets the definition of a “systemic investigation designed to develop or establish principles, facts or generalizable knowledge ….” The multiple research ethics approvals which have been granted for this project reinforce this conclusion.

The Young Adults Cancer Therapy Project is led by [named physician,] with privileges at the [named children’s hospital]. Although [the named physician] does not have privileges at the [hospital], she is a “person associated with a Hospital”, namely the [children’s hospital]. Nothing in the language of s.65(8.1)(c) requires that the person conducting the research must be associate[d] with the Hospital which applies the exclusion to withhold the records.

The rationale for extending s.65(8.1)(c) to research conducted by individuals associated with other hospitals is clear from the multi- institutional nature of this research project. There is an obvious benefit to health researchers in coordinating their work across multiple hospitals. The exclusion for research-related records must apply regardless of the Hospital with whom the lead investigator is most closely associated.

[49]  The requester’s representations in response primarily rely on a definition of “research” which already noted departs from the definition recognized by previous decisions from this office and states that the project:

… does not meet all the requirements of a systematic investigation, namely an attempt to answer research questions (in some research, this would be a hypothesis) and therefore, the [hospital] cannot rely on Section 65(8.1)(c) of [FIPPA] to withhold any of the Research Ethics Board documentation that I have requested regarding the Young Adults Cancer Therapy Project.

[50]  The requester acknowledges that the physician leading the project was her daughter’s primary physician at the children’s hospital.

[51]  Having regard to the representations of the parties and the records themselves, I find that the hospital has established that the young adult cancer therapy project records are related to research within the meaning of section 65(8.1)(c). In making my decision, I took into consideration the confidential submissions of the hospital. Without revealing the substance of the hospital’s submissions, I agree with the hospital’s assertion that the stated purpose of the project meets the definition of a “systematic investigation designed to develop or establish principles, facts or generalizable knowledge….”

[52]  The requester did not appear to take a position as to whether the exclusion at section 65(8.1)(c) applied given the fact that the records in this project are not associated with research conducted or proposed by one of the hospital’s employees. I agree with the hospital’s assertion that the wording of the section 65(8.1)(c) exclusion does not require that the research be conducted or proposed by an employee of the hospital claiming the exclusion. I agree that records associated with research conducted or proposed by a physician at any hospital is sufficient for the exclusion to apply. Accordingly, I find that records related to the young adult cancer therapy project also qualify for exclusion from the scope of FIPPA by section 65(8.1)(c).

ACCESS UNDER PHIPA: the electronic records

B. Did the hospital adequately respond to the requester’s request under PHIPA for electronic records?

[53]  Section 52 of PHIPA states:

Subject to this Part, an individual has a right of access to a record of personal health information about the individual that is in the custody or under the control of a health information custodian unless [one of the listed exemptions applies.]

[54]  The hospital has not raised any of the enumerated exemptions in section 52(1) of PHIPA. Rather, the hospital takes the position that it has met its obligations in responding to the requester’s access request under PHIPA.

[55]  The requester takes the position that, for various reasons, the hospital has not responded adequately to the PHIPA portion of her access request.

[56]  For the reasons that follow, I find that the hospital adequately met its obligations in responding to the requester’s access request under PHIPA and dismiss the complaint.

Positons of the parties

[57]  The requester’s request under PHIPA sought access to:

• A copy of all the personal health information/records that were accessed by specific individuals at hospital (part 2);
• Under what authority (and/or an explanation) specific individuals at the Hospital accessed the requester’s daughter’s electronic health record (part 3); and
• A copy of the written consent documentation authorizing specific individuals’ access to the requester’s daughter’s personal health information for research purposes (part 5).

[58]  The hospital’s initial decision letter stated:

Almost all the records/information you are requesting can either be characterized as personal health information and/or information connected to health care. As such, this request primarily falls within the purview of the Personal Health Information Protection Act (PHIPA) and not FIPPA. It is our understanding that the Hospital has already provided you and/or [the requester’s spouse] with a copy of your daughter’s health record, with clarifications, in response to a previous access request under PHIPA. To facilitate your review, we have included on the enclosed CD-ROM additional copies of the relevant records previously released through PHIPA requests relating to your daughter’s health care.

[59]  The hospital’s decision directed the requester to refer to specific columns in the audit report [13] to obtain information responsive to part 2 of the request, to a table [14] responsive to part 3 and consent forms [15] responsive to part 5.

[60]  The requester filed a complaint with this office that her request under PHIPA was for only the pages accessed by hospital employees, and not the entire medical record that was provided by the hospital.

[61]  The requester takes the position that the hospital should have provided her the records in a format which would identify the specific record pages along with a notation of who accessed the record. For example, the requester submits that the hospital could have provided the records in a format which would identify each employee and attach each page that the employee accessed.

[62]  During mediation, the hospital took the position that it adequately responded to the requester’s request by granting her access to her daughter’s entire PHI record along with an audit report. The hospital submitted that the audit report identified each access of her daughter’s PHI by hospital employees by including an identifying Serv ID (SID) number. The hospital submitted that with the audit report, the requester should be able to reconcile the record provided on the CD-ROM to determine who accessed which record. However, the hospital acknowledged that not all of the entries could be reconciled in this fashion where there was more than one record with the same SID description.

[63]  In its representations, the hospital indicates that it issued a supplemental decision letter to the requester providing her copies of the requested records labelled by SID. The hospital submits that it has now provided the requester with copies of the records in the format requested by her.

[64]  The hospital also provided an explanation of a “glitch” it discovered in preparing the records released to the requester. The hospital submits that unrelated SID numbers identified in the audit report were generated by a “glitch”. The hospital states that the glitch “led to [two] records being linked to the [requester’s] daughter when in fact they related to other patients.” The hospital submitted two affidavits with its representations from its Manager of Information and Privacy Office (privacy manager) and Senior Database Administrator (IT administrator) which described the cause, nature of the glitch and the solution for it.

[65]  The requester states that the records delivered to her with the hospital’s supplemental decision “were totally unexpected”. The requester submits that she still has questions about the records and states that “[t]he only way forward is for [her] to arrange a viewing of her daughter’s Electronic Medical Records in person.” The requester also submits that she continues to seek access to the two records the hospital indicates contain the PHI of another individual. The requester states she is requesting copies of these records as she has “no confidence in the [hospital’s] “glitch” excuse.”

[66]  Finally, the requester asks why the hospital “allowed IT personnel to access [her] daughter’s electronic records without her consent” for the purpose of locating the records released with the hospital’s supplemental decision. The requester states that “[t]his breach of privacy needs to be investigated by the IPC.”

[67]  In its reply representations, the hospital states that the two records previously identified as the requester’s daughter’s records in the audit report:

… are not records of the [requester’s] personal health information but that of other individuals. She cannot be provided with access to these records as doing so would be a breach of the other individual’s privacy. The reason why these records were connected to her daughter’s health record is explained in full in the [affidavits].

[68]  The hospital submits that it is not prepared to meet with the requester to review her daughter’s electronic health records. The hospital takes the position that “no further purpose” would be served by granting the requester with an in-person meeting, “save for permitting her to reargue her complaint about the hospital’s handling of her daughter’s health record in person.”

[69]  The hospital also responded to the requester’s allegation of a privacy breach by referring to the affidavits filed in support of its representations which indicate that IT personnel provided the senior manager with guidance to permit him to identify and print the records listed by SID in the corrected audit report. The hospital states that IT personnel did not view any PHI contained in any the records listed in the corrected audit report in the course of providing guidance to the privacy manager.

Decision and analysis

[70]  The requester’s allegations of a privacy breach are outside the scope of the issues before me in this access complaint and I make no finding on them.

[71]  I find that the hospital adequately responded to the requester’s request for information about who accessed her daughter’s PHI, and which pages they accessed. Initially, the hospital granted the requester with access to a CD-ROM containing electronic copies of her daughter’s health records. The hospital subsequently issued a supplemental decision granting the requester access to the information at issue in the format requested by her.

[72]  In response to the hospital’s supplemental decision the requester asked for an in- person meeting to view her daughter’s electronic records and requested copies of records containing the PHI of other patients. The requester also raised concerns about the hospital’s IT department having access to her daughter’s PHI.

[73]  I have considered the evidence of the parties and agree with the hospital that no useful purpose would be served by requiring the hospital to meet with the requester to review her daughter’s electronic medical records.

[74]  In addition, I accept the hospital’s evidence regarding the error its system generated which resulted in two records being identified in the original audit report as containing the requester’s daughter’s PHI. The requester has requested copies of these records given her lack of trust of the hospital.

[75]  The requester’s loss of confidence in the hospital is a theme re-visited often in her representations. The requester and her husband have experienced an unimaginable loss and she has well documented her experiences seeking information from the hospital. The requester’s search for answers has resulted in her filing various access requests and complaints to this office.

[76]  Despite the requester’s feelings of mistrust, there is no basis for me to order the hospital to grant the requester access to records containing the PHI of another individual. The access rights under PHIPA are limited to records of a requester’s own PHI. Accordingly, the requester is not entitled to make a request under PHIPA for these records as the PHI at issue does not relate to her or her daughter.

[77]  Having regard to the above, I find that the hospital’s response to the requester’s request for her daughter’s electronic records was in accordance with the requirements of PHIPA.

ORDER:

1. I uphold the hospital’s decision that the research records are excluded from FIPPA under section 65(8.1)(c).
2. I uphold the hospital’s decision under PHIPA regarding access to the electronic records.
3. I dismiss the requester’s FIPPA appeal and PHIPA complaint.

Original Signed by:		November 4, 2020
Jennifer James
Adjudicator