Frequently Asked Questions: Freedom of Information and Protection of Privacy Act

Transcription

1 March 2011 Frequently Asked Questions: Freedom of Information and Protection of Privacy Act BACKGROUND/CONTEXT The Broader Public Sector Accountability Act contains amendments to the Freedom of Information and Protection of Privacy Act (FIPPA or Act) that brings hospitals under the Freedom of Information (FOI) regime beginning January 1, These Questions and Answers were prepared by the Ontario Hospital Association (OHA) in consultation with the Ministry of Government Services, the Ministry of Health and Long-Term Care (MOHLTC), and the Office of the Information and Privacy Commissioner of Ontario (IPC). The answers set out below are intended to help hospitals understand FIPPA in order to support its effective implementation. This document is intended for general informational purposes only and should not be construed as legal advice. For detailed information regarding specific situations, hospitals may wish to consult independent legal counsel. GENERAL INFORMATION/APPLICATION 1. What information/records does the Act apply to? FIPPA will apply to records that have been in the custody or control of a hospital since January 1, 2007, unless the record is subject to an express exclusion under the Act. Record means any record of information however recorded, whether in printed form, on file, by electronic means or otherwise. The public will have a right to hospital records in the form that they are stored; however, in response to a particular request, the hospital may have an obligation to produce a single electronic record that combines information from various independent records. Sometimes, compiling information or calculating a statistic is a convenient and sensible means of answering an access request. A hospital does not have the duty to create a record, but it does have a duty to provide an electronic record in a requested format if producing it does not unreasonably interfere with the operations of the hospital. Costs can be passed on to the requester in certain circumstances.

2 2. How do we determine if a record is under the custody or control of the hospital? In general, custody means the keeping, care, watch, preservation or security of the record for a legitimate business purpose. While physical possession of a record may not be sufficient to constitute custody, it is the best evidence of custody. An institution must have some right to deal with the records; bare possession with no right to do anything with the record is not considered custody. In general, control of a record does not mean having actual physical possession of the record, but rather the power or authority to make a decision about the use or disclosure of the record. Based on past decisions of the courts and the IPC, a broad and liberal approach is normally taken to determine custody or control. For further information, see IPC Order MO-1251.The question of whether FIPPA s purpose of institutional accountability may also be relevant in determining whether the hospital has custody or control of a record. The IPC has developed a list of factors to consider in determining whether or not a record is in the custody or control of an institution. These factors include: Was the record created by an officer or employee of the institution? What use did the creator intend to make of the record? Does the institution have statutory power or the duty to carry out the activity that resulted in the creation of the record? Is the activity in question a core, central or basic function of the institution? Does the content of the record relate to the institution s mandate and functions? Does the institution have physical possession of the record, either because it has been voluntarily provided by the creator or pursuant to a mandatory statutory or employment requirement? If the institution does not have possession of the record, is it being held by an officer or employee of the institution for the purposes of his or her duties as an officer or employee? Does the institution have a right to possession of the record? Does the institution have the authority to regulate the record s content, use and disposal? Are there any limits on the use to which the institution may put the record, what are those limits, and why do they apply to the record? To what extent has the institution relied upon the record? How closely is the record integrated with other records held by the institution? What is the customary practice of the institution, as well as similar institutions, in relation to possession or control of records of this nature, in similar circumstances? 2

3 If the record is not in the institution s possession, some additional factors the IPC considers include the following: Who owns the record? Who paid for the creation of the record? Are there any provisions in any contracts between the institution and the person who created the record that give the institution the right to possess or otherwise control the record? Was the person who created the record an agent of the institution for the purposes of the activity in question? What is the customary practice about control over records of this nature in the industry? IPC Orders P-120, P-239 and MO-1251 should be reviewed for a more comprehensive list of factors the IPC has considered in past decisions. 3. Does FIPPA apply to records from a long-term care facility that is owned and operated by a hospital? Generally speaking, FIPPA does not currently apply to the long-term care (LTC) sector. (FIPPA has been extended to only include the hospital sector at this time). As such, on an individual FIPPA request basis, the hospital would need to determine if it has custody or control of the LTC home record to determine whether the record is responsive to the specific FIPPA request. For greater clarity, if a hospital has custody or control of a LTC home record, then that record is subject to FOI even though generally the LTC sector is not. See question #2 for further information on how to determine custody or control of a record. 4. What records are not covered by the Act? Records that are subject to express exclusions under the Act are not covered by the Act. For example, records that relate to: employment, labour relations, the appointments or privileges of health professionals, regulated health professionals private practice records, as well as research and teaching records, hospital foundation and charitable donation records, and records relating to the provision of abortion services are excluded from the Act. It is also important to note that FIPPA does not apply to personal health information that is subject to the Personal Health Information Protection Act (PHIPA). As a result of an amendment to the Quality of Care Information Protection Act (QCIPA), FIPPA does not apply to quality of care information prepared by or for a designated quality of care committee under QCIPA. Section 1 of QCIPA defines quality of care information as information 3

4 that: (a) is collected by or prepared for a quality of care committee for the sole or primary purpose of assisting the committee in carrying out its functions, or (b) relates solely or primarily to any activity that a quality of care committee carries on as part of its functions. It should be noted, however, that this exclusion does not extend to quality of care information and records generated outside of QCIPA, such as root cause analysis, failure mode and effects analysis, self-assessment activities or chart reviews. Other records that relate primarily to patient safety and risk management may qualify for an exemption from disclosure under other provisions of the Act. 5. When does the Act apply to hospitals? The Act applies to hospitals as of January 1, 2012, but is retrospective to January 1, As a result, records that came into a hospital s custody and/or control on or after January 1, 2007 are subject to the Act. 6. Does the Act apply to other health care organizations/providers? FIPPA was amended by Bill 122, the Broader Public Sector Accountability Act, passed in December 2010 to bring hospitals under Ontario s freedom of information and privacy regime. No other health care organizations were added at that time. However, many health-related organizations and agencies have been made subject to the Act through designation as institutions under the FIPPA regulation. For example, Local Health Integration Networks (LHINs) were added as an institution in 2005, and Cancer Care Ontario was added in The MOHLTC and other provincial and municipal institutions involved in the delivery of health care are also subject to FIPPA. 7. Does the Act apply to /text messages? Yes, and text messages are records for the purposes of FIPPA and, in general, are subject to the right of access. However, there is significant ongoing litigation relating to whether employees personal communications that are stored in an organization s network information systems are records under the custody or control of a FIPPA institution. A recent judicial review by the Ontario Superior Court of Justice of an IPC decision found that personal s unrelated to work that were sent and received from a workplace address were not subject to the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) 1. MFIPPA is the municipal equivalent of FIPPA and contains the same custody or 1 City of Ottawa v. Ontario, 2010 ONSC The IPC is requesting leave to appeal the decision to the Court of Appeal of Ontario. 4

5 control provisions. Specifically, the employee s personal s were not considered to be within the custody or control of the institution. The Court held that the IPC Adjudicator failed to consider the purpose and intent of FOI legislation in determining the Act applied to these records. The IPC has requested leave to appeal the Divisional Court s decision to the Ontario Court of Appeal. The outcome of this litigation may affect how hospitals respond to specific requests, but does not warrant any change in approach to the management of electronic communications. As always, hospitals should require responsible use of hospital communication systems and should reserve a broad right of access to all communications stored on their systems. Individuals should understand that all s sent and received via hospital-administered systems are not private vis-à-vis the hospital, and beginning on January 1, 2012, may be required to be retrieved and examined for the purpose of complying with FIPPA. 8. What is the role of the Information & Privacy Commissioner under FIPPA? The Commissioner is appointed by and reports to the Legislative Assembly of Ontario and is independent of the government of the day. The IPC provides an independent review of the decisions and practices of institutions covered by the Act concerning access and privacy. To safeguard the rights established under the Act, the IPC has the following key roles: Resolving appeals when institutions refuse to grant access to information; Investigating privacy complaints related to information held by institutions; Ensuring that institutions comply with the Acts; Conducting research on access and privacy issues and providing advice on proposed government legislation and programs; and Educating the public about Ontario s access, privacy and personal health information laws and access and privacy issues. In resolving access to information appeals, the IPC has the ability to issue orders to resolve issues raised during the appeal, including requiring institutions subject to the Act to disclose records. Privacy complaints may be resolved either informally or formally. Formal resolution may result in the IPC issuing a public investigation report containing recommendations for action by the institution that is the subject of the investigation. 5

6 9. What is the role of the head under FIPPA? The Act refers to the head of the institution as the person responsible for making decisions in respect of access requests. The head is responsible for the Act s day-to-day administration and decision-making and for ensuring that personal information held by the hospital is accurate, upto-date and collected, used and disclosed only as authorized. FIPPA identifies the chair of the board of a public hospital, the superintendent of a private hospital and the chair of the board of the Ottawa Heart Institute as the head. The Act permits the head to delegate in writing some or all of his/her powers and duties under the Act to an officer(s) of the hospital. It is essential that the delegated officer(s) have expert knowledge about the Act and the hospital, and have the authority to make decisions independently. The head, however, ultimately remains accountable for all actions taken and any decisions made under the Act. The head may also place limitations, restrictions, conditions or requirements on the delegation of powers (Section 62). The Act specifies circumstances where the head must deny access to information, may exercise his/her discretion to deny access, or grant access. A summary of the head s responsibilities are as follows: Adhering to time limits and notification requirements; Considering representations from third parties; Responding to access requests; Determining the method of disclosure; Responding to requests for correction of personal information; Obligation/ discretion to refuse access based on exemptions; Calculating and collecting fees; Providing access to the public by preparing manuals and guidelines of records; Include in a personal information bank all personal information under the institution's control, (that is not personal health information); Responding to access appeals; and Administering the privacy protection provisions of the Act. 10. What are the reporting obligations of hospitals under FIPPA? Hospitals must submit an annual report to the IPC. The report must set out: The number of access requests received; The number of requests refused, the provisions of the Act relied upon for refusal, and the number of times each provision was invoked; For each provision of the Act, the number of appeals commenced; 6

7 The number of times personal information was used or disclosed for a purpose which is not included in the statements of uses and purposes set forth under section 45 paragraphs (d) and (e) of the Act (relating to the use of personal information banks); The amount of fees collected under section 57 of the Act, and Any other information indicating an effort by the institution to put into practice the purposes of the Act. These are in addition to the existing reporting requirements under PHIPA. DEALING WITH ACCESS REQUESTS 11. Who can request records? Any person can make a request for access to records. A person includes individuals and organizations such as corporations, partnerships and sole proprietorships. The right of access is not limited by citizenship or place of residence. It is important to note that there may be situations where one person represents another individual (e.g., substitute decision maker). The rights and powers which an individual may exercise on behalf of another include the right to make access requests. 12. How does the request process begin? Under the Act, an access request must be made in writing, be accompanied by the $5.00 application fee, and provide sufficient detail to enable an experienced hospital employee to identify the record(s) requested. If an individual is seeking access to his/her own personal information, the request must also identify the personal information bank or the location of the personal information being requested. If after a thorough search, the institution cannot locate the requested personal information, and the requester cannot provide any credible evidence to support the existence of records, the head may conclude that the institution does not have the records. There is a prescribed form available on the IPC website and the Ministry of Government Services website for access requests. A letter (not on the prescribed form) that makes reference to the Act is also considered a request if accompanied by the required application fee. If an institution is in doubt about whether or not a requester wishes a letter of inquiry to be treated as a request under the Act, the requester should be contacted and clarification of the inquiry obtained. FIPPA does not require a freedom of information request to access hospital records. If a formal access request can be better handled by the hospital on an informal basis, the hospital should 7

8 contact the requester to determine whether he/she is agreeable to this change. An agreement to request a record on an informal basis generally results in quicker access to the records, but removes the opportunity to appeal the hospital s decision at a later date. 13. How long do we have to respond to a request? The Act requires the institution to respond to access requests within 30 calendar days from the date a request is received. The 30-day time period starts to run the day the institution receives a complete request. A complete request is one which has been clarified, or one which provides sufficient detail to allow the institution to understand what information is being requested. The $5.00 application fee must also have been received. The institution may extend the 30-day time limit in two situations: i. The request is for a large number of records or necessitates a search through a large number of records and meeting the time limit would unreasonably interfere with the operations of the institution; or ii. Consultations with a person outside the institution are necessary to comply with the request and cannot reasonably be completed within the time limit. The time limit for responding to a request is automatically extended where notice is given to a third-party. For example: An institution that receives an access request for records whose disclosure may affect a third-party must notify the third-party within 30 days of receiving the request. This initial time period allows the institution time to gather the records, make a determination that a third-party must be consulted and define exactly what the-third party must be consulted about. The third-party is allowed 20 days to respond to this notice. Upon receipt of the third-party's response, the institution has a further 10 days to make its final decision about the requested records. Under normal circumstances then, an institution would have up to 60 days to respond to an access request that involves third-party notification. 14. How long do we have to respond to a request that has been forwarded or transferred to another institution? A hospital has 15 calendar days from the date a request is received to forward or transfer the request. The 30-day time limit begins when the request is received at the first institution. The second institution that receives the request has the remainder of the 30-day period to respond. For more information on forwarding or transferring a request see question # 23. 8

9 15. Do we need to have a formal FIPPA request before we can release information? No. Hospitals may continue to respond to informal requests for information. The access to information regime established by FIPPA is only one avenue through which hospitals are able to release information. Because of the resources involved in the formal FOI process, it should be reserved for requests where information will not be released, or where there is some question as to the hospital s ability to disclose records. Hospitals are encouraged to consider the proactive disclosure of information to the public on a routine basis to minimize the volume of requests. 16. Does the request have to be in writing? Yes, under the Act a formal access request must be made in writing. Only a formal request provides the requester with the opportunity to appeal the hospital s decision to the IPC at a later date. For more information on formal vs. informal requests see question # What is the fee structure under FIPPA? FIPPA adopts a user pay principle; a person making an access request must pay some of the costs the hospital incurs in processing the request. A fee schedule is contained in the regulation to FIPPA. Under FIPPA, different fees are applied depending on whether the request is for general records or the requester's own personal information. Fees must be charged unless they are waived by the institution. A $5.00 mandatory application fee must accompany a request for either personal information or general records under FIPPA. Once the application fee is received, the head is required to provide a requester with access to records and/or a decision letter within 30 days. This requirement does not apply if the mandatory application fee has not been received by the institution. The onus is on the institution to collect this application fee before processing the request if it decides to proceed. A request for personal information under FIPPA is a request made by an individual (or another person acting on his/her behalf) for the individual's own information. No fees are charged for search or preparation time, but there are fees for photocopying ($0.20 per page) and computer costs as specified in the regulations. All other (general record) requests under FIPPA may be subject to the following charges: Photocopies and computer printouts; The amount of time required to search for records; Personnel time involved in physically preparing the record for disclosure; 9

10 Computer costs; and Shipping costs. Refer to Regulation 460 under FIPPA for further details on charges. 18. Do we have to provide an estimate of the expected fee? Unlike PHIPA, a fee estimate is only required under FIPPA where it appears that the cost of processing the request will be over $ Further, where the cost estimate is $ or more, the head may require the requester to pay a deposit equal to 50 per cent of the estimate before taking any further steps to respond to the request. 19. Can we waive the fees? Yes, under FIPPA a head must waive the payment of all or part of the fee where the head is of the opinion that it is fair and equitable to do so. This decision is made only after the head has considered specific factors provided in the Act. Under FIPPA, it is the requester's responsibility to ask the institution for a fee waiver. A request for a waiver need not be explicit, it may be implied. The party seeking a fee waiver also bears the responsibility of establishing his/her case. 20. Are there costs associated with appealing a decision under FIPPA? Yes, under FIPPA there are mandatory fees for a requester appealing a decision to the IPC. A $10.00 fee applies to personal information request appeals and a $25.00 fee applies for general records request appeals. There is no fee for a third-party to appeal an institution's decision to disclose information. 21. Can we refuse a request for access to a record? What happens then? Yes, a request for a record can be refused where: (1) the record or part of the record falls within one of the enumerated exemptions, or (2) the head is of the opinion that the request is frivolous or vexatious. (Subsection 10(1)) Once the decision to refuse access to the record, in whole or in part, has been made, written notice of the decision (a decision letter ) must be provided to the requester and any affected third-parties. The decision letter must be provided to the requester within the 30-day time period (or within the period of extended time, if any). 10

11 However, if third-party notices have been given, the decision letter cannot be issued until the 20-day period in which a third-party can respond to a third-party notice has elapsed, or sooner if the third-party responds before the 20 days expire. The decision letter must contain the following information: A statement that the record does not exist; or Where the record exists, the specific provision of the Act under which access is refused and the reason the provision permits the head to deny access; The name and position of the person responsible for the decision; and That the requester may appeal the decision to the Commissioner. The head is also required to provide the requester with a clear description of the records responsive to the request. The decision letter should be accompanied by a detailed index of records at issue which describes the subject matter of the withheld record(s) in general terms. This can be done by providing at least a summary of the categories of the responsive records in enough detail that the requester should be in the position to make a reasonably informed decision on whether to seek a review of the head's decision with the IPC. If a head does not give the requester notice of his/her decision within the 30 days (or within the time frames extended under the extension of time, for third-party notice procedures) the head is deemed to have refused access to the record, and this refusal can be appealed to the IPC by the requester. 22. Are we allowed to ask the reason/purpose for the request? If so, can this be used as a justification to deny access to a record? A hospital is permitted to ask for the purpose of a request if this will assist the hospital in identifying the specific records that the requester is looking for. Obtaining this information can help you determine what types or categories of records to search for. However, care must be taken to properly word the question when you are seeking reasons for the request because the requester has no obligation to provide reasons. When asking why it is important to explain to the requester that knowing the purpose of the request will assist you in finding the exact document they are looking for. Note: the purpose of the request is irrelevant to FIPPA and cannot be used as a reason to refuse disclosure. 23. Where a request for access to records from Hospital A is made to Hospital B, which hospital is responsible for handling the request? Forwarding a request Occurs when Hospital A does not have the record in its custody or under its control 11

12 Where Hospital A receives a request for access to a record that is not in the hospital s custody or under its control, the head is required to make inquiries to determine whether Hospital B has the record in their custody or control. Where the head determines that Hospital B does have custody or control of the record, the head (of Hospital A ) has 15 days after the original access request was received to (a) forward the request to Hospital B ; and (b) provide written notice to the requester that the request has been forwarded to Hospital B. Transferring a request Occurs when Hospital A may or may not have the record but Hospital B has a greater interest in the record. Where Hospital A receives a request for access to a record that the head believes Hospital B has a greater interest in, the head may transfer the request to Hospital B. In this situation Hospital A may also be required to transfer the record where Hospital B does not have the record despite its greater interest. The head must provide written notice of the transfer to the requester, and complete the transfer within 15 days after receiving the access request. What constitutes a greater interest is described in subsection 25(3) of the Act. Two essential factors determine greater interest: i. A record was originally produced in or for an institution; or ii. A record was not produced in or for an institution, but it was the first to receive a copy of it A request from Hospital A is deemed to be forwarded or transferred to Hospital B on the day Hospital A received the request. (Subsection 24(4)) 24. How are hospitals to deal with requests for access to records that contain third-party personal information? If the third-party information is personal health information, the request cannot be processed under FIPPA. Records sometimes contain information concerning a person other than the requester. Before granting access to a record affecting a third-party, a head must give written notice to the thirdparty to whom the information relates. The information is considered to affect a third-party if: The head has reason to believe that the record contains third-party information, proprietary, commercial or labour relation information described in section 17(1) of the Act; or 12

13 The record contains personal information (not personal health information) that the head has reason to believe might, if released, constitute an unjustified invasion of personal privacy. 25. What is the notice requirement for access to records that contain third-party personal information? If the head intends to release the records, then the affected party must be given notice. Notice to an affected party gives that party an opportunity to make representations to the hospital about how the proposed disclosure of records will affect him/her. The notice must contain: A statement that the head intends to disclose a record or part of a record that may affect the interests of the person or organization; A description of the contents of the record or the part that relates to the third-party; and A statement that the person may, within 20 days after the notice is given, make representations to the head as to why the record in whole or in part should not be released. The notice must be given within the initial 30-day period after a complete request is received or, if there has been an extension of time, within the extended time period. The third-party then has 20 days after the notice is given to make representations to the head. Representations are to be in writing unless the head permits them to be made orally. After the representations are received, or after the 20-day period for representations has elapsed (whichever time is shorter), the head must decide within 10 days whether to disclose the record. If affected third-parties have been notified, this will delay the processing of a request. Therefore, the head must notify the requester of the delay. It is advisable to do this at the same time that the affected third-party is notified. The notice to the requester must state that the: Disclosure of the record or part may affect the interests of a third-party; Third-party has an opportunity to make representations concerning the disclosure; and The head will decide within 30 days if the record or part will be released. 13

14 If a head decides to release a record in whole or in part that affects a third-party and has heard representations from the third-party, or the time period for making representations has expired, the head must notify the requester and the affected third-party that: The affected person may appeal the decision to the IPC within 30 days; and The requester will be given access to the record or part unless such an appeal is filed within the 30 days after the notice is given. 26. How are hospitals to deal with requests for access to records that contain third-party information of a commercial party? Hospitals often acquire information about the activities of private sector organizations. Some of this information may constitute a valuable asset to the organization, and disclosure would impair its ability to compete effectively. FIPPA provides a mandatory exemption from disclosure for certain third-party information where disclosure could reasonably be expected to cause certain harms. This exemption is not limited to commercial third-parties, but can also be applied to any supplier or institution (including another hospital) which meets all three of the following threshold tests: 1. The information must fit within one of the specified categories of third-party information; 2. The information must have been "supplied" by the third-party "in confidence", implicitly or explicitly; and 3. The disclosure of the information could reasonably be expected to cause certain harms as specified in the (third-party) exemption. The threshold test has been the subject of significant IPC jurisprudence and interpretation by the courts. For example, in general, contracts with suppliers of goods and services are negotiated, not supplied and therefore do not qualify for this exemption. 27. What is the notice requirement for access to records that contain third- party information of a commercial party? FIPPA provides that before access is granted to a record that might contain information referred to in the third-party exemption, that party must be notified and given the opportunity to make representations before a final access decision is made. If a third-party claims in its representations that the record is exempt, the burden of establishing that the record falls within the exemption rests with that third-party. Similarly, where an institution asserts that this 14

15 provision applies, the burden of proof is on the institution. It should be noted that the final decision on whether the record should be disclosed rests with the institution, not the third-party. 28. Can a hospital publicly post who is making access requests and the costs of handling the request? No, a hospital is not able to publicly identify/ post the names of individuals who make access requests. In fact, the identity of a requester should only be shared with the hospital staff who require the information in order to respond to the request. The costs of handling a particular request can only be published as long as the requester cannot be identified in anyway. For example, linking a particular requester to multiple access requests may result in the requester being identified. EXEMPTIONS/EXCLUSIONS FOR HOSPITAL RECORDS 29. Do we have to provide access to all hospital records? Hospitals must provide access to only those records that are in their custody or control. The general right to access hospital records is limited by the retrospective application provision, such that a person s right of access applies only to records that came into the custody or under control of the hospital on or after January 1, Do I have to give the requester the entire record? Not necessarily. Portions of the record may be severed prior to disclosing the record. When information falls within an exemption and can reasonably be severed from the record, FIPPA provides the requester with a right of access to the remainder of the record. One method of severing is to blank out the exempt information from a photocopy of the record using a black marker, and releasing a copy of the severed photocopy to the requester. Generally, the smallest unit of information to be disclosed after severing is a sentence. But even where only a sentence remains, some information, such as a name, might be removed and the remainder released. When information is severed from a record, the notification to the requester must specify the section(s) of the Act under which access to the severed information is refused. As well, where information must be severed from a record, it is not feasible to allow a requester the option of viewing the original. It is not necessary to disclose disconnected snippets of information. 15

16 Severing does not apply where the Act specifically exempts from disclosure an entire class of records such as qualified in-camera meeting records that discuss litigation or drafts of by-laws or resolutions. In all cases, the information in a record must be assessed to determine whether portions are severable. 31. What is the difference between an exemption and an exclusion? The primary difference is that excluded records are not subject to the Act. As a result, the hospital is not required to process requests for records that fall within section 65 of the Act. However, the hospital must still respond to the requests, indicate the exclusion claimed and that the requester has the right to appeal this decision to the IPC. Similarly, the IPC will review the matter to determine if the exclusion has been properly claimed, The IPC reserves the right to require the production of records for which an exclusion has been claimed as part of such an appeal. It should also be noted that records that are excluded from the Act may still be disclosed. The exclusion simply means that the records are not available through the formal FOI process. By contrast, exempted records are subject to the Act and must be processed under the Act to determine how and to what extent an exemption applies. As a result, the hospital may have grounds to refuse to disclose information that falls within the description of one of the exemptions in the Act, but nonetheless review the request and determine what other information in the record can reasonably be severed and disclosed to the requestor. See question #30 for information on severing. 32. What is the difference between mandatory and discretionary exemptions? Mandatory exemptions impose a duty on the head of an institution to refuse to disclose a record. In the case of mandatory exemptions, the head must determine whether the actual contents of the requested record(s) fall within the exemption. Only two mandatory exemptions may apply to hospital records: section 17 (third-party proprietary confidential information) and section 21 (personal information). All other exemptions are discretionary exemptions. They permit the head to disclose a record despite the application of the exemption to the requested record. A decision by a head to disclose, or not disclose information falling within an exemption is an exercise of discretion, and must be based on appropriate and relevant grounds. An example of a proper exercise of discretion occurs when the hospital first determines if an exemption applies, and after that considers if there are circumstances which require the information to be withheld. Hospitals should only exercise a discretionary exemption where there is a compelling reason to do so. 16

17 33. What changes were made to FIPPA to reflect the kinds of records kept by hospitals? The BPSAA provided new exemptions and exclusions to FIPPA for a broad range of hospital records. These include records relating to credentialing, teaching and research, provision of abortion services, charitable donations, foundations and ecclesiastical records. Amendments were also made to QCIPA to clarify that FIPPA does not apply to quality of care information as defined under QCIPA. More information on protection for funding and planning records of a hospital will follow in additional guidance documents including the OHA FIPPA Toolkit and related material. 34. Are records from employment and labour relations negotiations at the hospital subject to disclosure under FIPPA? Exclusions set out in subsections 65(6) and 65(7) provide that most employment and labour relations records collected, maintained, prepared or used by, or on behalf of a hospital are excluded from FIPPA. Exclusions relevant to the hospital sector include: Proceedings or anticipated proceedings before a court, tribunal, or other entity (relating to labour relations/ employment of a person by the hospital); Negotiations or anticipated negations regarding hospital labour relations/ employment of a person; Meetings, consultations, discussions or communications about labour relations/ employment-related matters in which the hospital has an interest; and Meetings, consultations, discussions or communications about applications for hospital appointments, the appointments or privileges of persons who have hospital privileges, and anything that forms part of the personnel files of those persons. However, subject to an exemption, FIPPA does apply to: An agreement between a hospital and a union; An agreement between a hospital and at least one employee that concludes a labour relations/ employment-related proceeding; An agreement between a hospital and at least one employee resulting from employment related negotiations; and 17

18 An expense account submitted to the hospital by an employee (for expenses incurred during employment). Unless the person to whom the information relates consents to disclosure, the third-party information exemption must be applied to hospitals labour relations/employment records (subsection 17(1)) to exempt the following from disclosure: A record that reveals labour relations information that was supplied in confidence (either implicitly or explicitly) must not be disclosed where disclosure could reasonably be expected to: o o o o Significantly prejudice the competitive position or interfere significantly with negotiations; Result in similar information (that is in the public s interest to be supplied) to no longer be supplied; Result in undue loss or gain; or Reveal information supplied to, or the report of a conciliation officer, mediator, labour relations officer or other person appointed to resolve a labour relations dispute. FIPPA AND OTHER ACTS 35. What is the relationship between FIPPA and PHIPA? FIPPA does not apply to records of personal health information in the custody or control of health information custodians unless PHIPA provides otherwise. Section 8 of PHIPA provides that only sections 11, 12, 15, 16, 17, 33 and 34, subsection 35 (2) and sections 3 and 44 of FIPPA apply to personal health information held by the health information custodian (i.e. hospital). Personal health information is defined in PHIPA as identifying information about an individual in oral or recorded form, if the information, (a) relates to the physical or mental health of the individual, including information that consists of the health history of the individual s family, (b) relates to the provision of health care to the individual, including the identification of a person as a provider of health care to the individual, (c) is a plan of service within the meaning of the Home Care and Community Services Act, 1994 for the individual, (d) relates to payments or 18

19 eligibility for health care, or eligibility for coverage for health care, in respect of the individual, (e) relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such body part or bodily substance, (f) is the individual s health number, or (g) identifies an individual s substitute decision-maker. PHIPA does not limit the right of access to the records if personal health information is reasonably severed from the document(s). Therefore, the public does not have a right of access under FIPPA to records of personal health information under the custody or control of a hospital. However, if a hospital record contains both personal health information and non-personal, administrative information, the latter remains subject to FIPPA (and access requests), if the former can be reasonably severed from the record. 36. How does the amendment to QCIPA protect all quality of care information from disclosure? The amendment to QCIPA does not necessarily protect all quality of care information from disclosure. As a result of the amendment to QCIPA, FIPPA does not apply to quality of care information prepared by or for a designated quality of care committee under QCIPA. Section 1 of QCIPA defines quality of care information as information that: (a) is collected by or prepared for a quality of care committee for the sole or primary purpose of assisting the committee in carrying out its functions, or (b) relates solely or primarily to any activity that a quality of care committee carries on as part of its functions. As such, this exclusion from FIPPA does not extend to quality of care information and records generated outside of QCIPA, such as root cause analysis, failure mode and effects analysis, self-assessment activities or chart reviews. Note: Section 2 of QCIPA provides that QCIPA and its regulations prevail (over any other act or its regulations) unless otherwise specifically provided. 37. How do we deal with a request that is made jointly under PHIPA and FIPPA? All information that can be disclosed under PHIPA should be disclosed under that Act. A request for an individual s own health information (or about an individual for whom the requester is acting as a substitute decision maker) can only be made under PHIPA. There are some limited exemptions under PHIPA that may prevent all requested records from being disclosed. The hospital should decide whether or not to deal with the outstanding records via a FIPPA request. Before this is done the hospital should explain to the requester that some of the records fall under FIPPA, not PHIPA, and therefore an access request for those records must be made under FIPPA. The requester must also be made aware of the fee that comes with requests for access to records under the Act. 19

20 Exceptions to the exemptions should be considered for every request regardless of what act the request falls under. 38. Does access to a record fall under FIPPA or PHIPA after personal health information has been deleted from a record? After personal health information has been deleted from the record, the rest of the record is subject to FIPPA - unless a FIPPA exclusion applies to it. DISCLOSURE 39. How can we protect personal health information received for the purpose of an investigation from disclosure? It is necessary to consider who is asking for the information. If the patient is making the request for their own personal health information, then this falls under PHIPA. However, subsection 52(1)(d) of PHIPA exempts records related to an ongoing investigation. Specifically, an individual does not have a right of access to a record of personal health information where: i. The information was collected or created in the course of an inspection, investigation or similar procedure authorized by law and ii. The inspection, investigation has not been concluded. When the media is asking for a record containing personal health information, the record may be subject to FIPPA, if all health information is removed and the patient cannot be identified (for example, treatment methods). The hospital can then consider if the remaining information falls under an exemption. For example, subsection 14(1)(b) of FIPPA permits a head to refuse to disclose a record where the disclosure could reasonably be expected to interfere with an investigation undertaken with a view to a law enforcement proceeding or from which a law enforcement proceeding is likely to result. Note: A record that may identify an individual despite all personal health information having been removed is dealt with under FIPPA. RECORD RETENTION 40. Can hospitals dispose of any existing records? Records must be kept for the prescribed period as set out in relevant statutes. For further information on how long specific types of records need to be kept see the OHA Records Retention Toolkit: A Guide to Maintenance and Disposal of Hospital Records (2006). This guide assists members in understanding the legal retention periods for hospital records. The 20

21 implementation of FIPPA within the hospital sector provides an excellent opportunity for hospitals to consider when reviewing records, the length of time a specific record must be kept in order to abide by legislative requirements. The head must authorize the destruction of all hospital records that contain personal information. Reasonable steps must be taken to ensure that records containing personal information are destroyed in such a way that it cannot be reconstructed or retrieved. All disposed records are to be recorded on a disposal record. The disposal record documents what personal information was disposed, the date of disposal, and the manner by which the records were disposed. This process is not to be confused with subsection 13(1) of PHIPA which requires a health information custodian to dispose of personal health information in a secure manner in accordance with the prescribed requirements (if any) as set out in the Act. 41. Are backup files of deleted s subject to disclosure? This issue has not yet been definitively decided. This may depend on whether the deleted s have been retained by the institution on backup tapes and how difficult the retrieval process would be. Generally speaking, if providing access to requested information is so difficult that it interferes with the operations of an institution, then the requested document is not considered to be a record under the Act. 42. Will OHA be updating its Records Retention Toolkit? As FIPPA has not changed the legal retention periods for hospital records, an update at this point is not needed. As part of the OHA s strategy to support the implementation of FIPPA in hospitals, a practical toolkit to implementing FOI will be developed. This toolkit will provide a brief summary of the retention periods of some common hospital documents. In the interim, it is recommended that hospitals review the OHA Records Retention Toolkit: A Guide to Maintenance and Disposal of Hospital Records (2006) for a more thorough examination of document retention requirements. GETTING READY FOR IMPLEMENTATION 43. Is each hospital required to have a dedicated staff person or office to deal with FIPPA? The person ultimately accountable for meeting a wide range of duties under FIPPA is called the head a position assigned under FIPPA to chairs of boards for public hospitals. However, this 21

22 duty may be delegated to one or more other individuals usually a senior manager. The duties of the head may be undertaken by expanding the duties of an existing office e.g. the Chief Privacy Officer or PHIPA Coordinator. Or, if appropriate, hospitals may delegate privacy-related and access-related duties to two separate offices. Alternatively hospitals may consider sharing resources and delegating responsibilities for a joint office. Additional information on various models or structures will be provided in the OHA FOI Toolkit. 44. What policies or practices should hospitals be putting in place now? Although the Act does not apply to hospitals until January 2012, there are a number of practical implementation issues that you will need to consider in the year ahead. These include such things as identifying needed resources, reviewing records management and privacy policies, establishing issues management protocols, and developing new access procedures, to name a few. 45. How should we respond to FOI requests before the implementation date of January 1, 2012? As the Act does not yet apply to hospitals, you are not required to respond to requests for information. Nonetheless, hospitals are always encouraged to make publicly available general corporate information (e.g., accountability agreements, annual reports, board agendas, etc.). This is consistent with the need to be transparent and accountable to the community and may also ultimately reduce the time and expense of responding to individual access requests. With respect to other information (i.e. that is not routinely made publicly available), to avert potential disclosure of information that is not permitted to be released pursuant to the Act it is recommended that hospitals not process requests before January 2012 unless the key obligations of FIPPA are well understood and hospital policies and procedures are aligned with the requirements of the Act. 46. Is there any way to anticipate the magnitude of requests for access to records? Access requests will be the source of the greatest demand on resources in connection with FIPPA. Unfortunately, there is no way to anticipate the number of requests for access to records. Experiences in other sectors suggest that volume depends on a variety of factors, notably the level of media interest and community advocacy. Likely sources of requests include: media (minutes, proposals), politicians (minutes, proposals, plans), patients (complaints about members of professional staff), members of professional staff and ex-employees (their information and that of other staff members), advocacy groups (minutes), unions (minutes, employee information), and vendors. 22