Freedom of Information and Protection of Privacy Act - Ontario ...

March 2011Frequently Asked Questions:Freedom of Information andProtection of Privacy ActBACKGROUND/CONTEXTThe Broader Public Sector Accountability Act contains amendments to the Freedom ofInformation and Protection of Privacy Act (FIPPA or Act) that brings hospitals under theFreedom of Information (FOI) regime beginning January 1, 2012. These Questions andAnswers were prepared by the Ontario Hospital Association (OHA) in consultation with theMinistry of Government Services, the Ministry of Health and Long-Term Care (MOHLTC), andthe Office of the Information and Privacy Commissioner of Ontario (IPC). The answers set outbelow are intended to help hospitals understand FIPPA in order to support its effectiveimplementation.This document is intended for general informational purposes only and should not be construedas legal advice. For detailed information regarding specific situations, hospitals may wish toconsult independent legal counsel.GENERAL INFORMATION/APPLICATION1. What information/records does the Act apply to?FIPPA will apply to “records” that have been in the “custody or control” of a hospital sinceJanuary 1, 2007, unless the record is subject to an express exclusion under the Act. “Record”means any record of information however recorded, whether in printed form, on file, byelectronic means or otherwise. The public will have a right to hospital records in the form thatthey are stored; however, in response to a particular request, the hospital may have anobligation to produce a single electronic record that combines information from variousindependent records. Sometimes, compiling information or calculating a statistic is a convenientand sensible means of answering an access request.A hospital does not have the duty to create a record, but it does have a duty to provide anelectronic record in a requested format if producing it does not unreasonably interfere with theoperations of the hospital. Costs can be passed on to the requester in certain circumstances.

2. How do we determine if a record is under the custody or control of the hospital?In general, custody means the keeping, care, watch, preservation or security of the record for alegitimate business purpose. While physical possession of a record may not be sufficient toconstitute custody, it is the best evidence of custody. An institution must have some right to dealwith the records; “bare possession” with no right to do anything with the record is not consideredcustody.In general, control of a record does not mean having actual physical possession of the record,but rather the power or authority to make a decision about the use or disclosure of the record.Based on past decisions of the courts and the IPC, a “broad and liberal” approach is normallytaken to determine custody or control. For further information, see IPC Order MO-1251.Thequestion of whether FIPPA’s purpose of institutional accountability may also be relevant indetermining whether the hospital has custody or control of a record.The IPC has developed a list of factors to consider in determining whether or not a record is inthe custody or control of an institution. These factors include:Was the record created by an officer or employee of the institution?What use did the creator intend to make of the record?Does the institution have statutory power or the duty to carry out the activity thatresulted in the creation of the record?Is the activity in question a “core”, “central” or “basic” function of the institution?Does the content of the record relate to the institution’s mandate and functions?Does the institution have physical possession of the record, either because it hasbeen voluntarily provided by the creator or pursuant to a mandatory statutory oremployment requirement?If the institution does not have possession of the record, is it being held by an officeror employee of the institution for the purposes of his or her duties as an officer oremployee?Does the institution have a right to possession of the record?Does the institution have the authority to regulate the record’s content, useand disposal?Are there any limits on the use to which the institution may put the record, what arethose limits, and why do they apply to the record?To what extent has the institution relied upon the record?How closely is the record integrated with other records held by the institution?What is the customary practice of the institution, as well as similar institutions, inrelation to possession or control of records of this nature, in similar circumstances?2

If the record is not in the institution’s possession, some additional factors the IPC considersinclude the following: Who owns the record? Who paid for the creation of the record? Are there any provisions in any contracts between the institution and the person whocreated the record that give the institution the right to possess or otherwise controlthe record? Was the person who created the record an agent of the institution for the purposes ofthe activity in question? What is the customary practice about control over records of this nature in theindustry?IPC Orders P-120, P-239 and MO-1251 should be reviewed for a more comprehensive list offactors the IPC has considered in past decisions.3. Does FIPPA apply to records from a long-term care facility that is owned andoperated by a hospital?Generally speaking, FIPPA does not currently apply to the long-term care (LTC) sector. (FIPPAhas been extended to only include the hospital sector at this time). As such, on an individualFIPPA request basis, the hospital would need to determine if it has “custody or control” of theLTC home record to determine whether the record is responsive to the specific FIPPA request.For greater clarity, if a hospital has custody or control of a LTC home record, then that record issubject to FOI even though generally the LTC sector is not. See question #2 for furtherinformation on how to determine custody or control of a record.4. What records are not covered by the Act?Records that are subject to express exclusions under the Act are not covered by the Act. Forexample, records that relate to: employment, labour relations, the appointments or privileges ofhealth professionals, regulated health professionals’ private practice records, as well asresearch and teaching records, hospital foundation and charitable donation records, andrecords relating to the provision of abortion services are excluded from the Act. It is alsoimportant to note that FIPPA does not apply to “personal health information” that is subject tothe Personal Health Information Protection Act (PHIPA).As a result of an amendment to the Quality of Care Information Protection Act (QCIPA), FIPPAdoes not apply to “quality of care information” prepared by or for a designated quality of carecommittee under QCIPA. Section 1 of QCIPA defines “quality of care information” as information3

that: (a) is collected by or prepared for a quality of care committee for the sole or primarypurpose of assisting the committee in carrying out its functions, or (b) relates solely or primarilyto any activity that a quality of care committee carries on as part of its functions.It should be noted, however, that this exclusion does not extend to quality of care informationand records generated outside of QCIPA, such as root cause analysis, failure mode and effectsanalysis, self-assessment activities or chart reviews. Other records that relate primarily topatient safety and risk management may qualify for an exemption from disclosure under otherprovisions of the Act.5. When does the Act apply to hospitals?The Act applies to hospitals as of January 1, 2012, but is retrospective to January 1, 2007. As aresult, records that came into a hospital’s custody and/or control on or after January 1, 2007 aresubject to the Act.6. Does the Act apply to other health care organizations/providers?FIPPA was amended by Bill 122, the Broader Public Sector Accountability Act, passed inDecember 2010 to bring hospitals under Ontario’s freedom of information and privacy regime.No other health care organizations were added at that time. However, many health-relatedorganizations and agencies have been made subject to the Act through designation as“institutions” under the FIPPA regulation. For example, Local Health Integration Networks(LHINs) were added as an institution in 2005, and Cancer Care Ontario was added in 2010. TheMOHLTC and other provincial and municipal institutions involved in the delivery of health careare also subject to FIPPA.7. Does the Act apply to email/text messages?Yes, e-mail and text messages are “records” for the purposes of FIPPA and, in general, aresubject to the right of access. However, there is significant ongoing litigation relating to whetheremployees’ “personal communications” that are stored in an organization’s network informationsystems are records under the “custody or control” of a FIPPA institution.A recent judicial review by the Ontario Superior Court of Justice of an IPC decision found thatpersonal emails unrelated to work that were sent and received from a workplace email addresswere not subject to the Municipal Freedom of Information and Protection of Privacy Act(MFIPPA) 1 . MFIPPA is the municipal equivalent of FIPPA and contains the same “custody or1 City of Ottawa v. Ontario, 2010 ONSC 6835. The IPC is requesting leave to appeal the decision to theCourt of Appeal of Ontario.4

control” provisions. Specifically, the employee’s personal emails were not considered to bewithin the “custody or control” of the institution. The Court held that the IPC Adjudicator failed toconsider the purpose and intent of FOI legislation in determining the Act applied to theserecords. The IPC has requested leave to appeal the Divisional Court’s decision to the OntarioCourt of Appeal.The outcome of this litigation may affect how hospitals respond to specific requests, but doesnot warrant any change in approach to the management of electronic communications. Asalways, hospitals should require responsible use of hospital communication systems and shouldreserve a broad right of access to all communications stored on their systems. Individualsshould understand that all emails sent and received via hospital-administered systems are notprivate vis-à-vis the hospital, and beginning on January 1, 2012, may be required to be retrievedand examined for the purpose of complying with FIPPA.8. What is the role of the Information & Privacy Commissioner under FIPPA?The Commissioner is appointed by and reports to the Legislative Assembly of Ontario and isindependent of the government of the day. The IPC provides an independent review of thedecisions and practices of institutions covered by the Act concerning access and privacy. Tosafeguard the rights established under the Act, the IPC has the following key roles:Resolving appeals when institutions refuse to grant access to information;Investigating privacy complaints related to information held by institutions;Ensuring that institutions comply with the Acts;Conducting research on access and privacy issues and providing advice onproposed government legislation and programs; andEducating the public about Ontario’s access, privacy and personal healthinformation laws and access and privacy issues.In resolving access to information appeals, the IPC has the ability to issue orders to resolveissues raised during the appeal, including requiring institutions subject to the Act to discloserecords. Privacy complaints may be resolved either informally or formally. Formal resolutionmay result in the IPC issuing a public investigation report containing recommendations foraction by the institution that is the subject of the investigation.5

9. What is the role of the “head” under FIPPA?The Act refers to the “head of the institution” as the person responsible for making decisions inrespect of access requests. The head is responsible for the Act’s day-to-day administration anddecision-making and for ensuring that personal information held by the hospital is accurate, upto-dateand collected, used and disclosed only as authorized.FIPPA identifies the chair of the board of a public hospital, the superintendent of a privatehospital and the chair of the board of the Ottawa Heart Institute as the “head”. The Act permitsthe head to delegate in writing some or all of his/her powers and duties under the Act to anofficer(s) of the hospital. It is essential that the delegated officer(s) have expert knowledge aboutthe Act and the hospital, and have the authority to make decisions independently. The head,however, ultimately remains accountable for all actions taken and any decisions made under theAct. The head may also place limitations, restrictions, conditions or requirements on thedelegation of powers (Section 62). The Act specifies circumstances where the head must denyaccess to information, may exercise his/her discretion to deny access, or grant access.A summary of the head’s responsibilities are as follows: Adhering to time limits and notification requirements; Considering representations from third parties; Responding to access requests; Determining the method of disclosure; Responding to requests for correction of personal information; Obligation/ discretion to refuse access based on exemptions; Calculating and collecting fees; Providing access to the public by preparing manuals and guidelines of records; Include in a personal information bank all personal information under the institution'scontrol, (that is not personal health information); Responding to access appeals; and Administering the privacy protection provisions of the Act.10. What are the reporting obligations of hospitals under FIPPA?Hospitals must submit an annual report to the IPC. The report must set out:The number of access requests received;The number of requests refused, the provisions of the Act relied upon for refusal, andthe number of times each provision was invoked;For each provision of the Act, the number of appeals commenced;6

The number of times personal information was used or disclosed for a purpose which isnot included in the statements of uses and purposes set forth under section 45paragraphs (d) and (e) of the Act (relating to the use of personal information banks);The amount of fees collected under section 57 of the Act, andAny other information indicating an effort by the institution to put into practice thepurposes of the Act.These are in addition to the existing reporting requirements under PHIPA.DEALING WITH ACCESS REQUESTS11. Who can request records?Any person can make a request for access to records. A “person” includes individuals andorganizations such as corporations, partnerships and sole proprietorships. The right of access isnot limited by citizenship or place of residence. It is important to note that there may besituations where one person represents another individual (e.g., substitute decision maker). Therights and powers which an individual may exercise on behalf of another include the right tomake access requests.12. How does the request process begin?Under the Act, an access request must be made in writing, be accompanied by the $5.00application fee, and provide sufficient detail to enable an experienced hospital employee toidentify the record(s) requested. If an individual is seeking access to his/her own personalinformation, the request must also identify the personal information bank or the location of thepersonal information being requested. If after a thorough search, the institution cannot locatethe requested personal information, and the requester cannot provide any credible evidence tosupport the existence of records, the head may conclude that the institution does not have therecords.There is a prescribed form available on the IPC website and the Ministry of GovernmentServices website for access requests. A letter (not on the prescribed form) that makes referenceto the Act is also considered a request if accompanied by the required application fee. If aninstitution is in doubt about whether or not a requester wishes a letter of inquiry to be treated asa request under the Act, the requester should be contacted and clarification of the inquiryobtained.FIPPA does not require a freedom of information request to access hospital records. If a formalaccess request can be better handled by the hospital on an informal basis, the hospital should7

contact the requester to determine whether he/she is agreeable to this change. An agreement torequest a record on an informal basis generally results in quicker access to the records, butremoves the opportunity to appeal the hospital’s decision at a later date.13. How long do we have to respond to a request?The Act requires the institution to respond to access requests within 30 calendar days from thedate a request is received. The 30-day time period starts to run the day the institution receives acomplete request. A complete request is one which has been clarified, or one which providessufficient detail to allow the institution to understand what information is being requested. The$5.00 application fee must also have been received.The institution may extend the 30-day time limit in two situations:i. The request is for a large number of records or necessitates a search through a largenumber of records and meeting the time limit would unreasonably interfere with theoperations of the institution; orii. Consultations with a person outside the institution are necessary to comply with therequest and cannot reasonably be completed within the time limit.The time limit for responding to a request is automatically extended where notice is given to athird-party.For example: An institution that receives an access request for records whose disclosuremay affect a third-party must notify the third-party within 30 days of receiving the request.This initial time period allows the institution time to gather the records, make a determinationthat a third-party must be consulted and define exactly what the-third party must beconsulted about. The third-party is allowed 20 days to respond to this notice. Upon receipt ofthe third-party's response, the institution has a further 10 days to make its final decisionabout the requested records. Under normal circumstances then, an institution would have upto 60 days to respond to an access request that involves third-party notification.14. How long do we have to respond to a request that has been forwarded or transferredto another institution?A hospital has 15 calendar days from the date a request is received to forward or transfer therequest. The 30-day time limit begins when the request is received at the first institution. Thesecond institution that receives the request has the remainder of the 30-day period to respond.For more information on forwarding or transferring a request see question # 23.8

15. Do we need to have a formal FIPPA request before we can release information?No. Hospitals may continue to respond to informal requests for information. The access toinformation regime established by FIPPA is only one avenue through which hospitals are able torelease information. Because of the resources involved in the formal FOI process, it should bereserved for requests where information will not be released, or where there is some questionas to the hospital’s ability to disclose records. Hospitals are encouraged to consider theproactive disclosure of information to the public on a routine basis to minimize the volume ofrequests.16. Does the request have to be in writing?Yes, under the Act a formal access request must be made in writing. Only a formal requestprovides the requester with the opportunity to appeal the hospital’s decision to the IPC at a laterdate. For more information on formal vs. informal requests see question # 12.17. What is the fee structure under FIPPA?FIPPA adopts a user pay principle; a person making an access request must pay some of thecosts the hospital incurs in processing the request. A fee schedule is contained in the regulationto FIPPA. Under FIPPA, different fees are applied depending on whether the request is forgeneral records or the requester's own personal information. Fees must be charged unless theyare waived by the institution.A $5.00 mandatory application fee must accompany a request for either personal information orgeneral records under FIPPA. Once the application fee is received, the head is required toprovide a requester with access to records and/or a decision letter within 30 days. Thisrequirement does not apply if the mandatory application fee has not been received by theinstitution. The onus is on the institution to collect this application fee before processing therequest if it decides to proceed.A request for personal information under FIPPA is a request made by an individual (or anotherperson acting on his/her behalf) for the individual's own information. No fees are charged forsearch or preparation time, but there are fees for photocopying ($0.20 per page) and computercosts as specified in the regulations.All other (general record) requests under FIPPA may be subject to the following charges: Photocopies and computer printouts; The amount of time required to search for records; Personnel time involved in physically preparing the record for disclosure;9

Computer costs; and Shipping costs.Refer to Regulation 460 under FIPPA for further details on charges.18. Do we have to provide an estimate of the expected fee?Unlike PHIPA, a fee estimate is only required under FIPPA where it appears that the cost ofprocessing the request will be over $25.00. Further, where the cost estimate is $100.00 or more,the head may require the requester to pay a deposit equal to 50 per cent of the estimate beforetaking any further steps to respond to the request.19. Can we waive the fees?Yes, under FIPPA a head must waive the payment of all or part of the fee where the head is ofthe opinion that it is fair and equitable to do so. This decision is made only after the head hasconsidered specific factors provided in the Act. Under FIPPA, it is the requester's responsibilityto ask the institution for a fee waiver. A request for a waiver need not be explicit, it may beimplied. The party seeking a fee waiver also bears the responsibility of establishing his/hercase.20. Are there costs associated with appealing a decision under FIPPA?Yes, under FIPPA there are mandatory fees for a requester appealing a decision to the IPC. A$10.00 fee applies to personal information request appeals and a $25.00 fee applies for generalrecords request appeals. There is no fee for a third-party to appeal an institution's decision todisclose information.21. Can we refuse a request for access to a record? What happens then?Yes, a request for a record can be refused where: (1) the record or part of the record falls withinone of the enumerated exemptions, or (2) the head is of the opinion that the request is frivolousor vexatious. (Subsection 10(1))Once the decision to refuse access to the record, in whole or in part, has been made, writtennotice of the decision (a “decision letter”) must be provided to the requester and any affectedthird-parties. The decision letter must be provided to the requester within the 30-day time period(or within the period of extended time, if any).10

However, if third-party notices have been given, the decision letter cannot be issued until the20-day period in which a third-party can respond to a third-party notice has elapsed, or sooner ifthe third-party responds before the 20 days expire.The decision letter must contain the following information:A statement that the record does not exist; orWhere the record exists, the specific provision of the Act under which access is refusedand the reason the provision permits the head to deny access;The name and position of the person responsible for the decision; andThat the requester may appeal the decision to the Commissioner.The head is also required to provide the requester with a clear description of the recordsresponsive to the request. The decision letter should be accompanied by a detailed index ofrecords at issue which describes the subject matter of the withheld record(s) in general terms.This can be done by providing at least a summary of the categories of the responsive records inenough detail that the requester should be in the position to make a reasonably informeddecision on whether to seek a review of the head's decision with the IPC.If a head does not give the requester notice of his/her decision within the 30 days (or within thetime frames extended under the extension of time, for third-party notice procedures) the head isdeemed to have refused access to the record, and this refusal can be appealed to the IPC bythe requester.22. Are we allowed to ask the reason/purpose for the request? If so, can this be used as ajustification to deny access to a record?A hospital is permitted to ask for the purpose of a request if this will assist the hospital inidentifying the specific records that the requester is looking for. Obtaining this information canhelp you determine what types or categories of records to search for. However, care must betaken to properly word the question when you are seeking reasons for the request because therequester has no obligation to provide reasons. When asking “why” it is important to explain tothe requester that knowing the purpose of the request will assist you in finding the exactdocument they are looking for. Note: the purpose of the request is irrelevant to FIPPA andcannot be used as a reason to refuse disclosure.23. Where a request for access to records from ‘Hospital A’ is made to ‘Hospital B’, whichhospital is responsible for handling the request?Forwarding a request – Occurs when “Hospital A” does not have the record in its custody orunder its control11

Where “Hospital A” receives a request for access to a record that is not in the hospital’s custodyor under its control, the head is required to make inquiries to determine whether “Hospital B”has the record in their custody or control. Where the head determines that “Hospital B” doeshave custody or control of the record, the head (of “Hospital A”) has 15 days after the originalaccess request was received to (a) forward the request to “Hospital B”; and (b) provide writtennotice to the requester that the request has been forwarded to “Hospital B.”Transferring a request – Occurs when “Hospital A” may or may not have the record but“Hospital B” has a greater interest in the record.Where “Hospital A” receives a request for access to a record that the head believes “Hospital B”has a greater interest in, the head may transfer the request to “Hospital B”. In this situation“Hospital A” may also be required to transfer the record where “Hospital B” does not have therecord despite its greater interest. The head must provide written notice of the transfer to therequester, and complete the transfer within 15 days after receiving the access request. Whatconstitutes a “greater interest” is described in subsection 25(3) of the Act. Two essential factorsdetermine greater interest:i. A record was originally produced in or for an institution; orii.A record was not produced in or for an institution, but it was the first to receive acopy of itA request from “Hospital A” is deemed to be forwarded or transferred to “Hospital B” on the day“Hospital A” received the request. (Subsection 24(4))24. How are hospitals to deal with requests for access to records that contain third-partypersonal information?If the “third-party information” is personal health information, the request cannot be processedunder FIPPA.Records sometimes contain information concerning a person other than the requester. Beforegranting access to a record affecting a third-party, a head must give written notice to the thirdpartyto whom the information relates. The information is considered to affect a third-party if:The head has reason to believe that the record contains third-party information,proprietary, commercial or labour relation information described in section 17(1) ofthe Act; or12

The record contains personal information (not personal health information) that thehead has reason to believe might, if released, constitute an unjustified invasion ofpersonal privacy.25. What is the notice requirement for access to records that contain third-party personalinformation?If the head intends to release the records, then the affected party must be given notice. Noticeto an affected party gives that party an opportunity to make representations to the hospital abouthow the proposed disclosure of records will affect him/her.The notice must contain:A statement that the head intends to disclose a record or part of a record that may affectthe interests of the person or organization;A description of the contents of the record or the part that relates to the third-party; andA statement that the person may, within 20 days after the notice is given, makerepresentations to the head as to why the record in whole or in part should not bereleased.The notice must be given within the initial 30-day period after a complete request is received or,if there has been an extension of time, within the extended time period. The third-party then has20 days after the notice is given to make representations to the head. Representations are to bein writing unless the head permits them to be made orally. After the representations arereceived, or after the 20-day period for representations has elapsed (whichever time is shorter),the head must decide within 10 days whether to disclose the record.If affected third-parties have been notified, this will delay the processing of a request. Therefore,the head must notify the requester of the delay. It is advisable to do this at the same time thatthe affected third-party is notified. The notice to the requester must state that the:Disclosure of the record or part may affect the interests of a third-party;Third-party has an opportunity to make representations concerning the disclosure; andThe head will decide within 30 days if the record or part will be released.13

If a head decides to release a record in whole or in part that affects a third-party and has heardrepresentations from the third-party, or the time period for making representations has expired,the head must notify the requester and the affected third-party that:The affected person may appeal the decision to the IPC within 30 days; andThe requester will be given access to the record or part unless such an appeal is filedwithin the 30 days after the notice is given.26. How are hospitals to deal with requests for access to records that contain third-partyinformation of a commercial party?Hospitals often acquire information about the activities of private sector organizations. Some ofthis information may constitute a valuable asset to the organization, and disclosure would impairits ability to compete effectively. FIPPA provides a mandatory exemption from disclosure forcertain third-party information where disclosure could reasonably be expected to cause certainharms. This exemption is not limited to commercial third-parties, but can also be applied to anysupplier or institution (including another hospital) which meets all three of the following thresholdtests:1. The information must fit within one of the specified categories of third-partyinformation;2. The information must have been "supplied" by the third-party "in confidence",implicitly or explicitly; and3. The disclosure of the information could reasonably be expected to cause certainharms as specified in the (third-party) exemption.The threshold test has been the subject of significant IPC jurisprudence and interpretation bythe courts. For example, in general, contracts with suppliers of goods and services arenegotiated, not “supplied” and therefore do not qualify for this exemption.27. What is the notice requirement for access to records that contain third- partyinformation of a commercial party?FIPPA provides that before access is granted to a record that might contain information referredto in the third-party exemption, that party must be notified and given the opportunity to makerepresentations before a final access decision is made. If a third-party claims in itsrepresentations that the record is exempt, the burden of establishing that the record falls withinthe exemption rests with that third-party. Similarly, where an institution asserts that this14

provision applies, the burden of proof is on the institution. It should be noted that the finaldecision on whether the record should be disclosed rests with the institution, not the third-party.28. Can a hospital publicly post who is making access requests and the costs of handlingthe request?No, a hospital is not able to publicly identify/ post the names of individuals who make accessrequests. In fact, the identity of a requester should only be shared with the hospital staff whorequire the information in order to respond to the request. The costs of handling a particularrequest can only be published as long as the requester cannot be identified in anyway. Forexample, linking a particular “requester” to multiple access requests may result in the requesterbeing identified.EXEMPTIONS/EXCLUSIONS FOR HOSPITAL RECORDS29. Do we have to provide access to all hospital records?Hospitals must provide access to only those records that are in their custody or control. Thegeneral right to access hospital records is limited by the retrospective application provision,such that a person’s right of access applies only to records that came into the custody or undercontrol of the hospital on or after January 1, 2007.30. Do I have to give the requester the entire record?Not necessarily. Portions of the record may be severed prior to disclosing the record. Wheninformation falls within an exemption and can reasonably be severed from the record, FIPPAprovides the requester with a right of access to the remainder of the record.One method of severing is to blank out the exempt information from a photocopy of the recordusing a black marker, and releasing a copy of the severed photocopy to the requester.Generally, the smallest unit of information to be disclosed after severing is a sentence. But evenwhere only a sentence remains, some information, such as a name, might be removed and theremainder released.When information is severed from a record, the notification to the requester must specify thesection(s) of the Act under which access to the severed information is refused. As well, whereinformation must be severed from a record, it is not feasible to allow a requester the option ofviewing the original. It is not necessary to disclose “disconnected” snippets of information.15

Severing does not apply where the Act specifically exempts from disclosure an entire class ofrecords such as qualified in-camera meeting records that discuss litigation or drafts of by-lawsor resolutions. In all cases, the information in a record must be assessed to determine whetherportions are severable.31. What is the difference between an exemption and an exclusion?The primary difference is that excluded records are not subject to the Act. As a result, thehospital is not required to process requests for records that fall within section 65 of the Act.However, the hospital must still respond to the requests, indicate the exclusion claimed and thatthe requester has the right to appeal this decision to the IPC. Similarly, the IPC will review thematter to determine if the exclusion has been properly claimed, The IPC reserves the right torequire the production of records for which an exclusion has been claimed as part of such anappeal. It should also be noted that records that are excluded from the Act may still bedisclosed. The exclusion simply means that the records are not available through the formal FOIprocess.By contrast, exempted records are subject to the Act and must be processed under the Act todetermine how and to what extent an exemption applies. As a result, the hospital may havegrounds to refuse to disclose information that falls within the description of one of theexemptions in the Act, but nonetheless review the request and determine what other informationin the record can “reasonably be severed” and disclosed to the requestor. See question #30 forinformation on severing.32. What is the difference between mandatory and discretionary exemptions?Mandatory exemptions impose a duty on the head of an institution to refuse to disclose arecord. In the case of mandatory exemptions, the head must determine whether the actualcontents of the requested record(s) fall within the exemption. Only two mandatory exemptionsmay apply to hospital records: section 17 (third-party proprietary confidential information) andsection 21 (personal information). All other exemptions are discretionary exemptions. Theypermit the head to disclose a record despite the application of the exemption to the requestedrecord. A decision by a head to disclose, or not disclose information falling within an exemptionis an exercise of discretion, and must be based on appropriate and relevant grounds. Anexample of a proper exercise of discretion occurs when the hospital first determines if anexemption applies, and after that considers if there are circumstances which require theinformation to be withheld. Hospitals should only exercise a discretionary exemption wherethere is a compelling reason to do so.16

33. What changes were made to FIPPA to reflect the kinds of records kept by hospitals?The BPSAA provided new exemptions and exclusions to FIPPA for a broad range of hospitalrecords. These include records relating to credentialing, teaching and research, provision ofabortion services, charitable donations, foundations and ecclesiastical records. Amendmentswere also made to QCIPA to clarify that FIPPA does not apply to quality of care information asdefined under QCIPA. More information on protection for funding and planning records of ahospital will follow in additional guidance documents including the OHA FIPPA Toolkit andrelated material.34. Are records from employment and labour relations negotiations at the hospitalsubject to disclosure under FIPPA?Exclusions set out in subsections 65(6) and 65(7) provide that most employment and labourrelations records collected, maintained, prepared or used by, or on behalf of a hospital areexcluded from FIPPA. Exclusions relevant to the hospital sector include:Proceedings or anticipated proceedings before a court, tribunal, or other entity (relatingto labour relations/ employment of a person by the hospital);Negotiations or anticipated negations regarding hospital labour relations/ employment ofa person;Meetings, consultations, discussions or communications about labour relations/employment-related matters in which the hospital has an interest; andMeetings, consultations, discussions or communications about applications for hospitalappointments, the appointments or privileges of persons who have hospital privileges,and anything that forms part of the personnel files of those persons.However, subject to an exemption, FIPPA does apply to:An agreement between a hospital and a union;An agreement between a hospital and at least one employee that concludes a labourrelations/ employment-related proceeding;An agreement between a hospital and at least one employee resulting from employmentrelated negotiations; and17

An expense account submitted to the hospital by an employee (for expenses incurredduring employment).Unless the person to whom the information relates consents to disclosure, the third-partyinformation exemption must be applied to hospitals’ labour relations/employment records(subsection 17(1)) to exempt the following from disclosure:A record that reveals labour relations information that was supplied in confidence (eitherimplicitly or explicitly) must not be disclosed where disclosure could reasonably beexpected to:ooooSignificantly prejudice the competitive position or interfere significantly withnegotiations;Result in similar information (that is in the public’s interest to be supplied) to nolonger be supplied;Result in undue loss or gain; orReveal information supplied to, or the report of a conciliation officer, mediator,labour relations officer or other person appointed to resolve a labour relationsdispute.FIPPA AND OTHER ACTS35. What is the relationship between FIPPA and PHIPA?FIPPA does not apply to records of personal health information in the custody or control ofhealth information custodians unless PHIPA provides otherwise. Section 8 of PHIPA providesthat only sections 11, 12, 15, 16, 17, 33 and 34, subsection 35 (2) and sections 3 and 44 ofFIPPA apply to personal health information held by the health information custodian (i.e.hospital).Personal health information is defined in PHIPA as identifying information about an individual inoral or recorded form, if the information, (a) relates to the physical or mental health of theindividual, including information that consists of the health history of the individual’s family, (b)relates to the provision of health care to the individual, including the identification of a person asa provider of health care to the individual, (c) is a plan of service within the meaning of theHome Care and Community Services Act, 1994 for the individual, (d) relates to payments or18

eligibility for health care, or eligibility for coverage for health care, in respect of the individual, (e)relates to the donation by the individual of any body part or bodily substance of the individual oris derived from the testing or examination of any such body part or bodily substance, (f) is theindividual’s health number, or (g) identifies an individual’s substitute decision-maker. PHIPAdoes not limit the right of access to the records if personal health information is reasonablysevered from the document(s).Therefore, the public does not have a right of access under FIPPA to records of personal healthinformation under the custody or control of a hospital. However, if a hospital record containsboth personal health information and non-personal, administrative information, the latterremains subject to FIPPA (and access requests), if the former can be “reasonably severed” fromthe record.36. How does the amendment to QCIPA protect all quality of care information fromdisclosure?The amendment to QCIPA does not necessarily protect all quality of care information fromdisclosure. As a result of the amendment to QCIPA, FIPPA does not apply to quality of careinformation prepared by or for a designated quality of care committee under QCIPA. Section 1of QCIPA defines “quality of care information” as information that: (a) is collected by or preparedfor a quality of care committee for the sole or primary purpose of assisting the committee incarrying out its functions, or (b) relates solely or primarily to any activity that a quality of carecommittee carries on as part of its functions. As such, this exclusion from FIPPA does notextend to quality of care information and records generated outside of QCIPA, such as rootcause analysis, failure mode and effects analysis, self-assessment activities or chart reviews.Note: Section 2 of QCIPA provides that QCIPA and its regulations prevail (over any other act orits regulations) unless otherwise specifically provided.37. How do we deal with a request that is made jointly under PHIPA and FIPPA?All information that can be disclosed under PHIPA should be disclosed under that Act. A requestfor an individual’s own health information (or about an individual for whom the requester isacting as a substitute decision maker) can only be made under PHIPA. There are some limitedexemptions under PHIPA that may prevent all requested records from being disclosed. Thehospital should decide whether or not to deal with the outstanding records via a FIPPA request.Before this is done the hospital should explain to the requester that some of the records fallunder FIPPA, not PHIPA, and therefore an access request for those records must be madeunder FIPPA. The requester must also be made aware of the fee that comes with requests foraccess to records under the Act.19

Exceptions to the exemptions should be considered for every request regardless of what act therequest falls under.38. Does access to a record fall under FIPPA or PHIPA after personal health informationhas been deleted from a record?After personal health information has been deleted from the record, the rest of the record issubject to FIPPA - unless a FIPPA exclusion applies to it.DISCLOSURE39. How can we protect personal health information received for the purpose of aninvestigation from disclosure?It is necessary to consider who is asking for the information. If the patient is making the requestfor their own personal health information, then this falls under PHIPA. However, subsection52(1)(d) of PHIPA exempts records related to an ongoing investigation. Specifically, anindividual does not have a right of access to a record of personal health information where:i. The information was collected or created in the course of an inspection,investigation or similar procedure authorized by law… andii. The inspection, investigation … has not been concluded.When the media is asking for a record containing personal health information, the record maybe subject to FIPPA, if all health information is removed and the patient cannot be identified (forexample, treatment methods). The hospital can then consider if the remaining information fallsunder an exemption. For example, subsection 14(1)(b) of FIPPA permits a head to refuse todisclose a record where the disclosure could reasonably be expected to “interfere with aninvestigation undertaken with a view to a law enforcement proceeding or from which a lawenforcement proceeding is likely to result.” Note: A record that may identify an individual despiteall personal health information having been removed is dealt with under FIPPA.RECORD RETENTION40. Can hospitals dispose of any existing records?Records must be kept for the prescribed period as set out in relevant statutes. For furtherinformation on how long specific types of records need to be kept see the OHA RecordsRetention Toolkit: A Guide to Maintenance and Disposal of Hospital Records (2006). This guideassists members in understanding the legal retention periods for hospital records. The20

implementation of FIPPA within the hospital sector provides an excellent opportunity forhospitals to consider when reviewing records, the length of time a specific record must be keptin order to abide by legislative requirements.The head must authorize the destruction of all hospital records that contain personalinformation. Reasonable steps must be taken to ensure that records containing personalinformation are destroyed in such a way that it cannot be reconstructed or retrieved. Alldisposed records are to be recorded on a “disposal record.” The disposal record documentswhat personal information was disposed, the date of disposal, and the manner by which therecords were disposed.This process is not to be confused with subsection 13(1) of PHIPA which requires a healthinformation custodian to dispose of personal health information in a secure manner inaccordance with the prescribed requirements (if any) as set out in the Act.41. Are backup files of deleted emails subject to disclosure?This issue has not yet been definitively decided. This may depend on whether the deletedemails have been retained by the institution on backup tapes and how difficult the retrievalprocess would be. Generally speaking, if providing access to requested information is so difficultthat it interferes with the operations of an institution, then the requested document is notconsidered to be a record under the Act.42. Will OHA be updating its Records Retention Toolkit?As FIPPA has not changed the legal retention periods for hospital records, an update at thispoint is not needed. As part of the OHA’s strategy to support the implementation of FIPPA inhospitals, a practical toolkit to implementing FOI will be developed. This toolkit will provide abrief summary of the retention periods of some common hospital documents. In the interim, it isrecommended that hospitals review the OHA Records Retention Toolkit: A Guide toMaintenance and Disposal of Hospital Records (2006) for a more thorough examination ofdocument retention requirements.GETTING READY FOR IMPLEMENTATION43. Is each hospital required to have a dedicated staff person or office to deal withFIPPA?The person ultimately accountable for meeting a wide range of duties under FIPPA is called the“head” – a position assigned under FIPPA to chairs of boards for public hospitals. However, this21

duty may be delegated to one or more other individuals – usually a senior manager. The dutiesof the head may be undertaken by expanding the duties of an existing office – e.g. the ChiefPrivacy Officer or PHIPA Coordinator. Or, if appropriate, hospitals may delegate privacy-relatedand access-related duties to two separate offices. Alternatively hospitals may consider sharingresources and delegating responsibilities for a joint office. Additional information on variousmodels or structures will be provided in the OHA FOI Toolkit.44. What policies or practices should hospitals be putting in place now?Although the Act does not apply to hospitals until January 2012, there are a number of practicalimplementation issues that you will need to consider in the year ahead. These include suchthings as identifying needed resources, reviewing records management and privacy policies,establishing issues management protocols, and developing new access procedures, to name afew.45. How should we respond to FOI requests before the implementation date of January 1,2012?As the Act does not yet apply to hospitals, you are not required to respond to requests forinformation. Nonetheless, hospitals are always encouraged to make publicly available generalcorporate information (e.g., accountability agreements, annual reports, board agendas, etc.).This is consistent with the need to be transparent and accountable to the community and mayalso ultimately reduce the time and expense of responding to individual access requests. Withrespect to other information (i.e. that is not routinely made publicly available), to avert potentialdisclosure of information that is not permitted to be released pursuant to the Act it isrecommended that hospitals not process requests before January 2012 unless the keyobligations of FIPPA are well understood and hospital policies and procedures are aligned withthe requirements of the Act.46. Is there any way to anticipate the magnitude of requests for access to records?Access requests will be the source of the greatest demand on resources in connection withFIPPA. Unfortunately, there is no way to anticipate the number of requests for access torecords. Experiences in other sectors suggest that volume depends on a variety of factors,notably the level of media interest and community advocacy.Likely sources of requests include: media (minutes, proposals), politicians (minutes, proposals,plans), patients (complaints about members of professional staff), members of professional staffand ex-employees (their information and that of other staff members), advocacy groups(minutes), unions (minutes, employee information), and vendors.22

It is important to create a contingency plan in case the volume of requests exceedsexpectations/ available resources.As indicated earlier, hospitals are encouraged to consider the proactive disclosure ofinformation to the public on a routine basis to minimize the volume of requests.AVAILABLE RESOURCES/EDUCATION47. What will the OHA be providing by way of guidance and/or tools and templates?To ensure that any new administrative and cost burdens are minimized, the OHA is currentlydeveloping a comprehensive and effective implementation strategy. The OHA is working withgovernment and the IPC to create and build on existing FOI resources. In the coming months,the OHA will be developing an FOI toolkit tailored to the needs of hospitals, as well as anextensive number of educational opportunities. An OHA FOI Implementation Advisory Groupwith representatives from hospitals of varying types and sizes has been established to overseeand provide guidance on this work.48. What educational supports can I expect to receive?The OHA will be providing regional training workshops to assist FOI leads in hospitals;developing on-line modules for in-house training on specific issues; and hosting a series ofwebcasts and conferences. These resources will be tailored to the varying needs of all thoseinvolved in developing and overseeing FIPPA implementation - FIPPA leads, senior staff,CEOs and Boards. The educational tools and events are currently being developed and willbegin within the next four to six months. Additional details respecting these educational eventswill be provided in the short time ahead.49. Where can I go to get more information?As noted above, over the next few months the OHA will be producing an FOI toolkit formembers. Hospitals wishing to gain additional background information on FIPPA in the shorttime ahead are encouraged to consult the IPC’s website, as well as the Ministry of GovernmentServices general guidance manual.For additional information on FIPPA, please contact Alissa Raphael, Legislative Advisor ataraphael@oha.com or 416-205-1356, or Elizabeth Carlton, Director, Policy andLegislative/Legal Affairs at ecarlton@oha.com or 416-205-1429. For information respectingupcoming FIPPA educational offerings, contact Sara Simone at ssimone@oha.com or 416-205-1463.23