Medical records storage company revises its access policy

PIPEDA Case Summary #2006-328

(Principles 4.7, 4.9.4 of Schedule 1)

Several individuals filed complaints against an Ontario medical records storage company, claiming that the company was charging them unreasonable fees to access their medical records. One of the complainants also alleged that the company was selling medical records, and that it had inadequate security safeguards to protect the confidentiality of health information.

The Assistant Privacy Commissioner concluded that the fee matter was resolved when the storage company altered the language of its privacy policy to clarify the difference between gaining access to a file, a right provided under the Personal Information Protection and Electronic Documents Act at minimal or no charge, and obtaining a copy of the file. She did not support the allegation that there were inadequate safeguards, nor did she agree that the company was selling medical records. Nevertheless, the Assistant Commissioner commented that the complaints raised a number of policy issues that she intends to bring to the attention of her provincial and territorial counterparts, as well as the provincial and territorial bodies responsible for licensing physicians.

The following is a detailed overview of the investigation and findings.

Summary of Investigation

The legal obligations of Ontario physicians with respect to the creation, maintenance, and storage of medical records and the provision of access are set out in a policy statement of the College of Physicians and Surgeons of Ontario. Members of the College are required to retain a patient’s original medical records in a secure location for at least ten years after the last entry in the record, or for two years, if a member of the College ceases to practice medicine. In the circumstances of these complaints, a family doctor transferred her practice out of province. She had the option of taking her patient files with her and keeping them herself for ten years or contracting with a medical records storage company to store them on her behalf.

According to the College of Physicians and Surgeons, most patients who transfer to a new doctor are content to have their former doctor give their new doctor a summary of their medical history and not a complete copy of their medical file. Such summaries are subject to a fee. When transferring a complete patient file, the transferring physician is expected to provide a copy only, not the original record. Copying of the record is an uninsured service; in other words, the physician is not reimbursed for this service through the Ontario Health Insurance Plan. The physician “may charge the patient…a reasonable fee.”

The Ontario Medical Association (OMA) issues a physician’s guide to third party and other uninsured services, which sets out the recommended charges for photocopying and/or the transfer of medical records. The recommended fee is $30.61 for the first five pages, and $1.20 for each page thereafter. According to the OMA, the fee schedule builds in the physician’s time spent on file review. He or she is required to ensure that the record can be disclosed, that there is no third party or legal information that should be excluded, and that there is no potential harm to the patient.

The fees can be altered at the discretion of the physician. The guide specifically notes:

There are some instances where patients claim economic hardship and inability to comply with the fees they are charged by doctors for the transfer of the records. It is important for our members to realize that the OMA rates are recommended rates and that they (or their office staff) should use their judgment in reducing the fees in instances of financial hardship.

The medical records administration and storage company in question provides file storage facilities for physicians, and copying and record transfer services for their former patients. The company uses a standard contract for services in its dealings with physicians. Under this contract, the company acts as the custodian of the patient records on behalf of the physician, and undertakes its responsibilities consistent with the regulations set out in the Medicine Act and with the guidelines of the Ontario College of Physicians and Surgeons. The contract also permits the company to contact a doctor’s patients to determine their interest in receiving a copy of their medical information.

When the company receives a doctor’s files, it contacts the doctor’s former patients by telephone, identifies the services the company provides, and informs the patients that they can obtain a copy of their medical file for a fee. If the individual is interested, the company sends out a standard “authorization and consent to release and transfer medical record” form. The form requests the individual’s written consent for the “transfer of this medical record.” The form does not address the issue of access to the record.

In providing a copy of the patient file, the company uses a modified fee structure based on the same fee structure that practicing doctors use, as set out in the schedule of fees discussed above, and issued by the OMA. The company has, however, set an upper limit of $250 for the copy and transfer of a file for an individual.

In the company privacy policy, under “access rights,” it stated:

You have the right to see what personal information we hold about you. We will need to confirm your identity before providing you with this access. This access is in the form of a photocopy of your information only.

Our office reviewed the access provisions under the Act with a representative of the company. As a result, the company amended the language of its privacy policy. The revised policy now indicates that an individual can access – that is, simply view – his or her medical file at no cost. The company will require information to confirm the individual’s identity, and sufficient notice, and then will arrange for the individual to view the file on site. The company will continue to charge a fee for the copying and transfer of the individual’s medical file.

With respect to the safeguarding and confidentiality of medical records, the storage of patient medical records is considered to be a constituent element of insured medical services. Doctors are expected to provide for the “secure” storage of medical records for the required retention period, which, as previously noted, may be as long as ten years. There are no specific legislative, regulatory, or practice guidelines that outline how or where the files are to be stored.

The investigation confirmed that the company provides a physically secure site for the processing of records. The office reception area is physically separate from the records processing area, and access to both areas is key-controlled. Records in storage are held off-site in a secure fenced facility, where entry is controlled by a security guard, and access is monitored and recorded. The company pre-screens its employees, and provides training and orientation on their obligations to maintain the confidentiality and security of patient records.

Findings

Issued June 9, 2006

Application: Principle 4.7 stipulates that personal information shall be protected by security safeguards appropriate to the sensitivity of the information; Principle 4.9.4 requires an organization to respond to an individual’s request for access to personal information within a reasonable time frame and at minimal or no cost to the individual.

In making her determinations, the Assistant Privacy Commissioner deliberated as follows:

• In the circumstances of this complaint, a family doctor had arranged for the secure storage of her patients’ medical records through a contract with the storage company.
• The investigation established the company was not selling medical records, and the Assistant Commissioner therefore determined that the company was not in contravention of any provisions of the Act with respect to that allegation.
• The company copies and transfers medical records to the patient’s new physician, with the patient’s consent, and charges a fee that corresponds to the recommended fee guide set out by the Ontario Medical Association for such a service. 
• However, had a patient only wished to have access to his or her file, which is distinct from the copying and transfer of medical records, the patient would have understood from the company’s communications with the patient and from its privacy policy, that access would only be provided in the form of a copy of a medical record, for which the individual would have to pay.
• The Act, the Assistant Commissioner noted, does not compel an organization to meet its access requirements by providing copies. The company amended the language of its privacy policy to ensure that individuals are aware of their right to access – that is, to simply view – their medical records at minimal or no cost, as per Principle 4.9.4. If the patient wants a copy of his or her file transferred to a new physician, the company will continue to charge fees for such a service.
• With respect to the allegations regarding the safeguarding of personal health information, the Assistant Commissioner was satisfied that the company has appropriate protections in place, in accordance with its obligations under principle 4.7.

The Assistant Commissioner concluded that the complaints regarding safeguards and the sale of personal information were not well-founded and the complaint regarding unreasonable fees for access to medical records was resolved.

Further Considerations

The Assistant Commissioner commented that these complaints raised a great many policy issues about physicians’ handling of medical files. One such issue is whether it is appropriate for physicians to close their practice without notifying their patients that they are transferring their files to a third party for storage (in accordance with their professional obligations). To what extent do physicians, in fact, have a responsibility to notify their patients of the transfer and storage of their medical records? Another consideration is whether storage companies should be making cold calls to patients who have not been forewarned of the situation by their physician. As for matters of consent, there is the question of whether it is sufficient for a physician to consent on behalf of his or her patients via an agreement with a storage company that said company may contact the patient directly. Is there cause for concern that patients could have access to their medical files at the storage company without any medical interpretation?

The Office accepted this complaint prior to the enactment of Ontario’s personal health information legislation and completed the investigation before the Governor in Council, on November 28, 2005, deemed the Personal Health Information Protection Act (PHIPA) substantially similar to the Personal Information Protection and Electronic Documents Act. In Ontario, physician conduct with respect to the handling of health information now falls under the jurisdiction of PHIPA, which is administered by the Office of the Information and Privacy Assistant Commissioner of Ontario (OIPC). The Office of the Privacy Commissioner of Canada has discussed these issues with OIPC, since it has jurisdiction over physicians in Ontario and it is considering the issues regarding physician responsibility for notification when files are transferred. The Assistant Commissioner signalled the Office’s intention of raising these policy issues with its other provincial privacy counterparts to encourage a discussion about the privacy implications of physicians’ record management practices.