NEWS

CYBER AND PRIVACY LAW JUNE, 2023

The Ontario Superior Court issued a decision recently in regards to PHIPPA and the meaning of Health Care Custodian. The court also dealt with the issue as to what standard of review is applicable in the case: correctness or reasonableness. The case style of cause is: The Estate of Richard Martin v. Health Professions Appeal and Review Board, 2023 ONSC 2993 and the case can be found here on Canlii: https://www.canlii.org/en/on/onscdc/doc/2023/2023onsc2993/2023onsc2993.html  

The standard of review applicable in this matter is reasonableness. The court found that there was not a significant legal issue of general importance as alleged by the Applicant, so the court found that the test of reasonableness ought to be the standard of review. 

Further, the court held that neither the ICRC nor HPARB carried out an analysis as to whether Dr. Shah was in fact a health information custodian of the hospital records he accessed. PHIPA distinguishes between a “health information custodian” and an “agent” of the custodian. The Act imposes a series of restrictions on the collection, use and disclosure of personal health information, which differ as between the custodian and the agent. The court found that since the doctor in question did not have control over the health records he could not be a health information custodian but rather he is an agent of the health information custodian. The doctor in the instant case unilaterally accessed the PHI of the former patient and he did NOT check with the health information custodian, the hospital in this case, to see whether they would exercise their inherent discretion to authorize access to the PHI. That was the error made by the doctor.  

“The established case law, as summarized in the leading case of Burgess v. Wu (2003), 2003 CanLII 6385 (ON SC), 235 D.L.R. (4th) 341 , holds that “confidentiality is not automatically waived by a patient by starting a lawsuit”. The applicant submits in the context of a civil lawsuit there are limits to the plaintiff’s obligation to disclose their PHI, both in terms of relevance, time frame, and subject matter and other legal considerations.”  We agree that s.30(1) of PHIPA, when applied in the context of civil proceedings governed by the Rules of Civil Procedure that regulate the disclosure and production requirements of relevant PHI, will result in the production of “other information [which] will serve the purpose of the use and disclosure”.  

The court awarded $18,000 in damages to the Applicant and concluded their analysis in this way: “It is undisputed that Dr. Shah was unilaterally and without the permission of the patient or the health care information custodian, the LHSC, accessing his former patient’s hospital records, some four years after the one occasion in which he rendered medical treatment and long after he ceased to be part of the patient’s circle of care. This occurred at a time when these hospital records were in an electronic data base under the custody and control of a public hospital with policies and oversight responsibilities for the use and disclosure of these records. Moreover, this happened in circumstances where Dr. Shah had already been provided by his counsel with copies of the relevant parts of the hospital record, obtained pursuant to the Rulesof Civil Procedure which were applicable in the lawsuit.”  

The Collision Conference in Toronto, ON just took place from June 26 – 29th, 2023 and it involved many interesting discussions around privacy and data protection as well as the increasing importance of cyber security. The main topic that was prevalent and top of mind is the intersection of AI with Web3. The convergence of the two technologies are destined to collide in the near future. What will such a collision of technological ideas mean for data protection and the whole idea of “privacy”?  Some of the guest speakers at Collision take the position that AI developments and innovation is going to make it more difficult to maintain privacy in the way we understand that concept today. The question remains whether the permissionless world of crypto in conjunction with AI can make for a more robust cybersecurity program.  

Bill C-18 recently passed and received Royal Assent on June 22nd, 2023. In response major players Google and Meta have announced their intentions to block news links on their platforms from Canadian users. Freedom of speech and other civil rights are on full display with the controversial Bill. We will see over time the net effect of the Online News Act as it has become known. Is it unwarranted censorship? Will it really assist local news media? The questions are endless. This is just another reaction to the constant changing world of data collection and how news is being distributed around the world. More will follow on this topic in the coming months. 

David H. Davis of Davis Cyber Law specializes in strategic risk management, incident response, privacy & data protection, and advocacy. He can be reached by email at david@daviscyberlaw.com or by telephone at 204-956-2336. We are also on the web at www.daviscyberlaw.com