Mere possibility of harm insufficient to deny access to records

Health-care organizations must provide individuals with all of their personal health information — including the names of those individuals providing the service — unless one of the exemptions in the law applies, says Lonny Rosen.

A recent decision by the Information and Privacy Commissioner of Ontario concerning the Personal Health Information Protection Act2004 (PHIPA) illustrates that obligation, says Rosen.

“The adjudicator applied the law from previous decisions regarding the standard for denial of access to records in circumstances where the custodian denies access on the basis that granting the access could reasonably be expected to result in a risk of serious harm, and that standard is the ‘likelihood’ of harm, not just the mere possibility,” Rosen tells

The decision states that a man who was receiving home-care services from the Red Cross asked for a complete copy of his records, including the names of the people who came to his home.

The Red Cross gave him a copy of those files, but made an “exceptional” decision to redact the names of staff members, “based on the complainant’s verbal abuse of its office staff and home workers, particularly directed toward female employees,” the decision reads.

The decision states that on multiple occasions, the man would call the Red Cross and say “extremely hostile and abusive” things about female staff members, though these phone calls were not specifically documented.

“As an employer, the Red Cross felt it had an ethical and legal obligation to protect its workers, especially when they are going into a home-care environment where they’re isolated,” says Rosen.

The Red Cross reasoned that releasing the names of these workers could cause them harm, he says, noting one of those women made a submission to the commission, saying that she felt her privacy should be protected and the organization should not disclose her name.

Read More

Posted in:

Back to Top