Mere possibility of harm insufficient to deny access to records

By Paul Russell, Contributor

Health-care organizations must provide individuals with all of their personal health information — including the names of those individuals providing the service — unless one of the exemptions in the law applies, says Toronto health lawyer Lonny Rosen.

A recent decision by the Information and Privacy Commissioner of Ontario concerning the Personal Health Information Protection Act, 2004 (PHIPA) illustrates that obligation, says Rosen, partner with Rosen Sunshine LLP.

"The adjudicator applied the law from previous decisions regarding the standard for denial of access to records in circumstances where the custodian denies access on the basis that granting the access could reasonably be expected to result in a risk of serious harm, and that standard is the 'likelihood' of harm, not just the mere possibility," Rosen tells

The decision states that a man who was receiving home-care services from the Red Cross asked for a complete copy of his records, including the names of the people who came to his home.

The Red Cross gave him a copy of those files, but made an "exceptional" decision to redact the names of staff members, "based on the complainant's verbal abuse of its office staff and home workers, particularly directed toward female employees," the decision reads.

The decision states that on multiple occasions, the man would call the Red Cross and say "extremely hostile and abusive" things about female staff members, though these phone calls were not specifically documented.

"As an employer, the Red Cross felt it had an ethical and legal obligation to protect its workers, especially when they are going into a home-care environment where they're isolated," says Rosen.

The Red Cross reasoned that releasing the names of these workers could cause them harm, he says, noting one of those women made a submission to the commission, saying that she felt her privacy should be protected and the organization should not disclose her name.

Under s. 52(1)(e)(i) of the PHIPA, health information custodians such as the Red Cross can withhold information from a patient's record if granting access could "reasonably be expected" to result in a "risk of serious bodily harm to the individual or another person."

After weighing the evidence, the commission's adjudicator directed the Red Cross to comply with the PHIPA and release the workers' names to the client.

"While [the complainant's] behaviour is inappropriate, I conclude that these instances of past verbal abuse are insufficient on their own to engage the exemption under s. 52(1)(e)(i) of the Act," the adjudicator wrote in his decision.

"There is no evidence in the records or the parties' submissions to suggest that the complainant is likely to attempt to contact Red Cross staff, either in person, over the phone, or otherwise, if their names are released," he added.

PHIPA is "intended to provide individuals access to their own personal health information records," Rosen explains.

"That's one of the guiding principles of the legislation, and there are just a few exceptions to it, with the risk of harm being one," he says.

For residents of Ontario, this decision reinforces their right to their own health records in most cases, he says.

"An individual is entitled to all of their own health information unless there's evidence that one of the harms contemplated by s. 52(1)(e)(i) is a likely, rather than just a mere possibility," says Rosen.

He says this ruling also provides a lesson for health information custodians and health-care providers.

"If there is an incident, such as a threat to a health-care provider, that should be clearly documented so that the custodian can rely on that documentation to support an exemption to an access request," says Rosen.
