Who owns my patient files?
By Anthony Lombardi
Earlier this year, a massage therapist removed a large number of confidential patient files from a multidisciplinary clinic prompting investigations by law enforcement and the Information and Privacy Commissioner of Ontario (IPC). Fortunately, the investigations help set a precedent to determine file ownership and the patient information was safely returned to the clinic owner.
Historically, such actions have gone largely unreported but thankfully, health providers are able to learn from this incident.
In March of this year I received an email from an officer at the IPC which outlined documents that described who owns the patient files in multidisciplinary environments. “Ownership” of the health information lies with the Health Information Custodian (HIC).
“Where a group practice is incorporated, the professional corporation is the custodian and the practitioners are its agents.”
Therefore, custodians of the health information must protect against cases of theft or unlawful removal, as it states in an IPC document:
“A health information custodian shall take steps that are reasonable in the circumstances to ensure that personal health information in the custodian’s custody or control is protected against theft, loss and unauthorized use.”
Even having written consent from the patient does not give any health-care provider legal permission to take files from a clinic they have been working at. For instance, let’s say a person were to walk into a hospital and give their orthopedic surgeon a note asking them to remove their file. That doctor cannot walk down to the records department, take their file, and then leave the premises and never return it. That is considered theft and a clear violation of the Personal Health Information Protection Act (PHIPA).
An analyst with the Office of the Privacy Commissioner of Ontario stated that, where it appears that the clinic is the health information custodian, the medium in which the files are recorded belong to the clinic. This means if the files are recorded on paper, the folders and paper belong to the clinic, and patients and treating therapists are entitled to make copies as needed – but originals must remain with that clinic. If originals are removed from the HIC then the IPC will investigate. In addition, and separate from the IPC, those who unlawfully remove files from the HIC are in violation of Section 354 of the Criminal Code (being in possession of stolen property).
What is troubling about cases like this is that there is a clear disconnect between the governing colleges of health providers with respect to privacy laws and the criminal code. The College of Massage Therapists of Ontario (CMTO) failed to see any wrongdoing in their members actions and stated in their final decision: “nothing dishonourable or unethical took place to forward the complaint to the disciplinary committee.”
Clearly, more needs to be done to educate health providers of all disciplines on how to safely and ethically handle patients’ private and confidential information. This is why the onus to become familiar with all of the privacy laws should fall squarely on the members (health-care providers) of the respective colleges.