Number 3– April, 2005

• Mandatory Revocation Penalty in Sexual Abuse Cases Ruled Constitutional
• Update on The Personal Health Information Protection Act

Mandatory Revocation Penalty in Sexual Abuse Cases Ruled Constitutional

By Fay Faraday

The Ontario Court of Appeal has upheld the “zero tolerance” approach that governs discipline for frank sexual conduct between health professionals and patients.

Under the Health Professions Procedural Code, where the Discipline Committee of a regulated health profession’s governing college finds that a health professional has engaged in certain specified acts of sexual conduct with a patient, the mandatory penalty is to revoke the health professional’s licence. The health professional cannot apply for reinstatement for five years.

Under the mandatory revocation provisions, the Discipline Committee has no discretion as to what penalty they can impose – the professional’s license much be revoked.

In Mussani v. College of Physicians and Surgeons of Ontario, it was argued that by eliminating any discretion that could be exercised by the Discipline Committee, the mandatory revocation provisions violated the Canadian Charter of Rights and Freedoms. Under the Code, the Discipline Committee has no discretion to consider whether the sexual relationship was in fact marked by a power imbalance that lends itself to abuse, whether the sexual relationship was in fact consensual or whether there are any other mitigating factors. removing any discretion, mandatory revocation can apply too broadly to fact situations that are not in fact abusive and

1. violates the right to liberty and security of the person in a manner that did not accord with the principles of fundamental justice;

2. constitutes cruel and unusual punishment or treatment; and

3. violates the right to freedom of association.

It was also argued that the failure to define who is a patient and when relationship between a patient and professional ends created an unconstitutionally vague law.

The Court of Appeal’s decision, released 29 December 2004, dismissed each of these arguments and ruled that the mandatory revocation provisions are constitutional.

The proceeding with respect to Dr. Mussani arose in relation to a sexual relationship he had with A.K. over a 2 ½ year period. Dr. Mussani treated A.K. as her family physician and had also provided her with counselling and psychotherapy. Dr. Mussani and his wife and A.K. and her husband also knew each socially, were friends and vacationed together. Dr. Mussani continued to provide counselling and psychotherapy sessions for A.K. while the sexual relationship was ongoing and there was no evidence that he ever attempted to terminate the doctor-patient relationship. The Discipline Committee of the College and Physicians of Surgeons found that he had violated the sexual abuse provisions of the Code and imposed the penalty of mandatory revocation. The Discipline Committee further concluded that revocation was the appropriate sanction even if it had not been mandated by the Code. The Divisional Court upheld this ruling and Dr. Mussani appealed to the Court of Appeal.

The Court of Appeal stressed that the mandatory revocation regime was enacted following the 1991 final report of a Task Force established by the College of Physicians and Surgeons to make recommendations concerning what was then recognized to be an ineffective response by the College and Courts to the problem of sexual abuse of patients by doctors. The Task Force recommended a policy of zero tolerance together with mandatory revocation of a doctor’s
license. These recommendations formed the basis for Bill 100 which enacted the mandatory revocation provisions in the Code which were at issue on the appeal. The Court emphasized that Bill 100 was the subject of wide-spread consultation amongst health professionals and that health care professional organizations, on the whole supported the zero tolerance approach.

The Court ruled that Charter does not protect the right to engage in the economic activity of an individual’s choice. There is no constitutional right to practise a profession unfettered by the applicable rules and standards which regulate that profession. As a result, the mandatory revocation of a health professional’s certificate affects an economic interest of the sort that is not protected by the Charter. While the Court ruled that this was sufficient to dispose of the appeal, it addressed the Charter arguments because of their importance to the twenty-one health professions that are governed by the Code.

The Court ruled that a certain amount of stress, anxiety and stigma inevitably arises in the context of disciplinary proceedings relating to sexual abuse. Accordingly, the stigma of being disciplined by the College for sexual abuse of a patient, the publicity associated with such a proceeding, the loss of privacy and the mandatory revocation of a doctor’s certificate do not violate a person’s security of the person contrary to the Charter.

The Court also ruled that the health professional’s right to liberty was not violated:

The parties and intervenors all concede that sexual relations between a health professional and his or her patient are unacceptable. In the context of a regulated health profession, then, the liberty interest cannot extend to the point of protecting a doctor’s right to decide to have sex with a current patient. There is no valid liberty interest, in that sense.

While it was generally accepted by all parties that the state has an interest in limiting the right of health professionals to engage in sexual relations with their patients, it was argued that the mandatory revocation provisions violated liberty and security under the Charter because they were too vague – they do not define who a patient is or when the doctor-patient relationship ends.

The Court rejected this argument. The Court ruled that doctors know who their patients are, by and large. While there may be difficulties in some individual circumstances in determining when the health professional-patient relationship has ended, an examination of the various disciplinary and court decisions demonstrates that such situations are capable of resolution under the Code.

Next it was argued that the mandatory revocation provisions violate liberty and security under the Charter because they are too broad – they apply to fact situations which do not in reality amount to abuse. It was argued that the provisions apply equally to fact situations in which there is no power imbalance, no exploitation and where there is actual consent.

The Court of Appeal also rejected this argument. The Court ruled that state protection against sexual abuse and sexual exploitation in general is a basic tenet of our legal system and this basic tenet is reflected in provisions which protect patients from sexual abuse or sexual exploitation by health practitioners.

The Court acknowledged that there are problems with zero tolerance/mandatory penalty regimes because they are rigid and can lead to results in individual cases that are harsh, extreme and even arguably unjust. However, the Court concluded that the mandatory revocation provisions were enacted in response to a recognized and growing problem of sexual abuse in the medical profession where discretionary sanctioning by discipline committees and courts had been found to be wanting.

The Court ruled that the fact that a consensual sexual relationship may be caught by the mandatory revocation provisions does not make the provisions unconstitutionally overbroad because “[t]he health professional need only terminate the treatment relationship to avoid the problem.”

The Court concluded that the mandatory revocation provisions are not overbroad in relation to the legislature’s objectives. Mandatory revocation

(a) signals the seriousness with which the sexual abuse of patients is to be taken;
(b) underscores the gravity of the breach of trust involved;
(c) emphasizes the considerable impact of the practitioner’s failure to meet his or her responsibility towards maintaining the integrity of the profession; and
(d) responds to the need to protect the public from the risk of recidivism by removing the practitioner from the practice for a minimum period of time.

The Court of Appeal made clear that its ruling applies to all regulated health professions governed by the Health Professions Procedural Code. While the mandatory revocation provisions may have had their genesis in the Task Force Report regarding physicians, Bill 100 had widespread input from the various health professions and notwithstanding the differences between professions, there was solid support for the zero tolerance principle of the legislation. Moreover, the Court concluded that “all of these professional relationships are characterized in some fashion by the opportunity to capitalize on practitioner-patient dynamics for the purpose of invading the patient’s sexual boundaries, if the practitioner is so minded.”

The Court also briefly ruled that the mandatory revocation provisions do not constitute cruel and unusual treatment or punishment under the Charter and do not violate freedom of association.

To view a copy of the Mussani decision, click here.

Top

Update on The Personal Health Information Protection Act

By Sharan K. Basran

Overview and Purpose

The Personal Health Information Protection Act (PHIPA or Act), which came into force on November 1, 2004, fills a significant gap in privacy legislation by creating a comprehensive set of rules for the handling of personal health information in the health care system. These rules are guided by a number of overarching purposes:

• The fundamental purpose of the PHIPA is to protect the privacy of individuals and the confidentiality of their personal health information;

• The Act also strives to ensure the effective delivery of heath care, in part through requiring institutions to maintain accurate information;

• The PHIPA sets up a process for challenging compliance and ensuring enforcement of its principles, rights, and obligations.

Application

The Act casts a broad net since it applies to the collection, use and disclosure of personal health information by “health care custodians.” Health care custodians are given primary responsibility for PHI and must take steps to ensure the confidentiality of information in their custody or control. Health Care Custodians (custodians) are individuals and institutions involved in the delivery of health services and regularly handle personal health information. A Health care Custodian includes amongst other examples, health care practitioners, Hospitals, Long-Term Care Homes, Nursing Homes, and Community Health Programs. In this definition, the Act places responsibility and obligations both on an institutional and individual level.

The Act also extends to the use and disclosure of personal health information (PHI) by other individuals where they receive PHI from a health care custodian. It is important to note that the PHIPA recognizes and places similar duties of confidentiality on agents of health care custodians. An agent is anyone who is authorized by a custodian to do anything on behalf of the custodian with respect to PHI. This would include employees of a Hospital such as records management services and clerical staff.

Personal Health Information is also given an expansive definition under the Act. It refers to information that identifies an individual or where it is reasonably foreseeable that either alone or with other information it could be used to identify an individual. This includes not only information related to the health of an individual and the nature of health care provided to an individual, but extends to information which relates to payment or eligibility for health care and the individual’s health number. It is significant to observe that the Act excludes from its definition of PHI, identifying information held by a Custodian if the information is about employees or other agents of the Custodian. Such an exclusion is unusual, particularly when Hospitals and other organizations have well-developed Occupational Health Departments which may provide care or assessments on employees. Such information about employees is similar to patient health information as both are sensitive and highly personal in nature.

Obligations and Responsibilities

The key obligations under the Act placed on Health Care Custodians are as follows:

First, the PHIPA sets up an institutional framework to protect PHI by requiring Custodians to develop information practices which comply with the requirements of the Act. The practice must detail how the institution routinely collects, uses, modifies, discloses, retains and disposes of PHI, as well as the safeguards to ensure confidentiality. These information practices must be in writing and available to the public.

Second, the Act polices certain actions which custodians may take in relation to PHI, including collection, use and disclosure. The legislation permits Custodians to collect, use or disclose personal health information only in two defined circumstances: where the individual consents either implicitly or explicitly; or where it is otherwise permitted or authorized under the Act. Considering the proposed actions in relation to PHI, each of the terms collection, use and disclosure is given a special meaning as set out in the Act:

• Collection means to gather, acquire, receive, or obtain personal health information by any means from any source.

• The word “use” is also given a distinct meaning under the Act, to handle or deal with personal health information in the custody or control of a Custodian or a person, but does not include disclosure. The Act provides that transferring personal health information between an agent of the Custodian and the Custodian is considered to be a use and not a disclosure. Therefore, the internal transfer of information within a health information custodian, involving employees and agents of the Custodian are considered uses and not disclosure.

• Disclosure on the other hand means to make PHI available or to release it to another health information custodian or to another person.

The Act requires different types of consent depending on the circumstances. Consent may be either express or implied, except where the Act explicitly says it must be express. Consent must be express where it involves individuals who are not health information custodians. Therefore, consent to the disclosure of PHI by a health information custodian to a person who is not a health care custodian must be express. This would include disclosure to faith healers, insurers, and employers.

On the other hand, the Act allows consent to be implied for the important purpose of providing health care. In this way, implied consent is limited by the purpose for which the information is used. A health information custodian who receives PHI about an individual directly from the individual or substitute decision-maker, or another health care custodian for the purpose of providing health care may assume that the individual implicitly consents to the collection, use or disclosure of such information for the purpose of providing health care, unless the custodian is aware that the individual has expressly withheld or withdrawn consent. Implicit consent attempts to ensure the effective delivery of health while upholding the mainstay of consent in the handling of a patient’s PHI.

Part IV of the Act lays out the specific rules governing collection, use and disclosure. With regards to collection, the Act considers both the collection of information directly from an individual and indirectly from a third party source. For indirect collection, consent is generally required, subject to certain exceptions where pre-conditions must be met. Information may be collected indirectly without the consent of the patient where it is not reasonably possible to collect it directly from the individual in a timely manner, or where the information would likely not be accurate, and the information to be collected is reasonably necessary for the provision of health care.

In considering the “use” of PHI, more latitude is given to Custodians presumably on the grounds that it mostly deals with the internal use of such information within a single organization. A custodian is permitted to use PHI for the purpose for which the information was collected or created and for all the functions reasonably necessary for carrying out that purpose. However, where a patient gives consent or the information is collected indirectly when consent is not adequate or feasible, a patient has the right to later expressly instruct that the information not be used.

Similarly with respect to disclosure, a Custodian is generally required to obtain consent. However, there are certain exceptions. The custodian may disclose information to specified health care custodians (a health care practitioner, a service provider under the Long-Term Care Act, 1994, a Hospital, nursing home, pharmacy and other specified institutions) when it is reasonably necessary for the provision of health care and where it is not reasonably possible to obtain the individual’s consent in a timely manner. Interestingly, the Act allows an individual to expressly instruct an individual not to make disclosure. In that case, a Custodian is prevented from disclosing what may be important information in providing health care, rather than extraneous information. The receiving Custodian may be notified of this non-disclosure.

The exception to overriding a refusal to disclose information is in cases where there are reasonable grounds that disclosure is needed to eliminate or reduce a significant risk of serious bodily harm to a person or group of persons. In those cases, a Custodian has the discretion to disclose PHI without a patent’s consent, but is not mandated to do so.

The right of a patient to prohibit a Custodian from using or disclosing PHI may raise practical concerns on a day to day level for health care professionals. Where a Custodian is notified that certain relevant information has been excluded from the medical charts, the question arises as to whether there is a specific risk of serious bodily harm to an identifiable person or group of persons. If this threshold is not met, any consequences from the absence of the PHI in the provision of care is an important consideration. Although recourse may be had for disclosure of such PHI to the Information and Privacy Commission, concerns are not alleviated where care must be provided immediately. It is unclear what impact the right of patients to withhold PHI will have in a clinical setting. However, the tension between the effective delivery of health care and the privacy interests of patient needs to be delicately monitored and navigated. It is important that the Commissioner, regulatory bodies, and institutions provide guidance and direction to health care professionals in balancing what may be competing interests.

Administration and Enforcement

The oversight body for the Act is the Information and Privacy Commissioner established under the Freedom of Information and Protection of Privacy Act.

There are a number of ways that a person may obtain relief under the PHIPA:

• The most formal method is to initiate a complaint. A person who has reasonable grounds to believe a person has or is about to contravene a provision of the Act may make a written complaint to the Commissioner one year after the subject matter of the complaint came to the attention or should have come to the attention of the complaint. The Commissioner may extend the limitation period where it does not result in prejudice to a person.

• The Commissioner also has the right to initiate an investigation without a complaint, where it has reasonable grounds that a person has or is about to contravene the Act.

• The Commissioner has a number of options in dealing with a complaint which involves both informal resolution or a formal review process. In a recent privacy conference, the Assistant Commissioner has indicated that alternate dispute resolution is stressed as the first option and order-making powers are used as a last resort. This is reflected in the Act. A Commissioner may direct the complainant and the person against whom the complaint was made to try effect a settlement, with or without the assistance of a mediator.

• Importantly, the Commission has a discretion not to review a complaint “for whatever reason the Commissioner considers proper.” The discretion of the Commissioner not to consider a complaint is broad and largely unfettered. There is also no statutory right of review set out in the Act. A complainant is only entitled to notice of the decision not to review and reasons. The Act does provide a non-exhaustive list of criteria to be considered in the exercise of the Commissioner’s discretion: whether the complaint could more appropriately be dealt with in another forum; the delay in filing a complaint and whether it would likely result in undue prejudice; whether the complainant does not have a sufficient personal interest in the complaint; and whether the complaint is otherwise frivolous and vexatious.

If the Commissioner decides to review a complaint, the Commissioner has wide powers to investigate and consider evidence including the power to enter and inspect premises without a warrant or court order, require that evidence be given under oath, demand the production of documents, or inquire into information or information practices held by a custodian. After conducting a review, a Commissioner has the authority to issue orders to require compliance with the Act. This includes the following orders:

• directing a custodian to grant individual access or to make a correction in response to a request;
• directing any person whose activities the Commissioner reviewed to perform a duty imposed by the Act;
• directing any person to cease collecting, using, or disclosing personal health information, or to dispose of records where the custodian has contravened the Act;
• directing a custodian to change, cease, not commence an information practice or to implement an information practice specified by the Commissioner.

When the Commissioner makes an order, apart from an order relating to complaints respecting access or corrections, there is a statutory right of appeal by a person affected by the order to the Divisional Court only on a question of law within 30 days. Further, where the Commissioner makes an order, an individual affected by the order may bring an action in the Superior Court of Justice for damages for actual harm suffered as a result of a contravention by a health information custodian of obligations under the Act. However, the right to pursue damages is curtailed under the Act. The Act provides protection from liability to health information custodians and their agents, for acts and omissions made in good faith and reasonably in the circumstances, in the exercise of their powers and duties under the Act.

At a recent privacy conference, the Assistant Commissioner has stated that orders and summaries of mediations will be public documents and available on the website at http://www.ipc.on.ca. In addition, he indicated that relevant information such as the number of complaints and common issues will be made available to the public and health care professionals. In reviewing the website, there is no indication to date how many complaints the Information & Privacy Commissioner has received. The Commissioner has made general comments about inquiries from the Public.

There is however a section under the PHIPA section, entitled PHIPA: Resolutions, Reports and Orders. This section sets out cases that the Commissioner has considered. The majority of cases have been resolved without issuing a formal order. Most of the cases involve Personal Health Information which was lost, stolen, or otherwise went missing. For example, in File No. HI-040001-1, two computers containing patient information were stolen from the physiotherapy department of a Hospital. The Hospital advised the Commissioner of this incident. The computers contained progress notes which identified the patient, the services provided, and the outcome for the patient. The computer also contained a list of each patient’s full name and ward within the Hospital. Although there was a practice of saving this PHI on an internal organizational network, which was password protected, the investigation revealed that this practice had not been used on every occasion. In other words, some PHI may have been saved on the local hard drive, which was accessible. The Commissioner considered two issues: whether the Hospital notified patients that the PHI had been stolen as required under section 12(2) of the PHIPA; measures to reduce the risk of a similar incident in the future or other breaches of privacy.

On the first issue, the Hospital verbally notified patient of what had happened and the steps taken to deal with the situation. In terms of preventive measures, the Hospital advised staff dealing with computer information on computers not to save PHI on local hard drives and department managers were asked to remove any PHI from local drives. As well technological measures were taken, such that there was a system or program installed that would result in various applications being automatically saved to the network as a default - to reduce human error.

Another interesting case was a complaint lodged by an individual against a Hospital based on a news release, that the Hospital would be working with a US Company to develop a strategy to streamline the delivery of health record information between health care providers. As well, the strategy also involved a pilot study to test the market for an electronic “continuity of care record”. The complainant was concerned that PHI of Canadian citizens or residents would be accessible to the US Government due to the US Patriot Act. The Hospital provided an explanation. It indicated that the pilot design was in the preliminary stages and was only interested in studying the model of record management used by the US company. The Hospital also stated it would not be engaging the US company to conduct the pilot program, nor would PHI be shared outside Ontario. Further, participation in the pilot program would be based on the “positive consent” of patients. At this stage the complainant agreed to withdraw the complaint on the basis of the explanation provided by the Hospital and the file was closed. Although there was no apparent breach, it was unclear whether any evidence was provided to substantiate the explanation.

Conclusion

With its inception on November 1, 2004, the PHIPA is still in the early phases. As designated Custodians under the PHIPA, health care professionals must now consider not only professional responsibilities but the obligations under the Act.

In that regard, it is important that Hospitals and other health care institutions ensure systemic practices throughout the facility which comply with the PHIPA. This should be reflected in information practices, as well as continuing education and checks/balances within the system to ensure such practices are translated from “the books” to everyday practice. This may include such things as information recording practices, methodologies to verify consent, and guidelines for dealing with inquiries or communications from the public. This ensures that there is effective compliance with the principles enshrined in the PHIPA on both an institutional and individual level.

Top

Update for Professionals Archives | Cavalluzzo website | Human Rights Update

We welcome your comments. If you have comments about the newsletter, we would value receiving them, or to unsubscribe to this newsletter, please send a reply e-mail with UNSUBSCRIBE in the subject or send an e-mail to the Editor, Brian Hanulik, at updateforprofessionals@cavalluzzo.com. To add yourself to the newsletter mailing list, please send an email to majordomo@cavalluzzo.com with the word SUBSCRIBE in the subject line.

To find out more information about the firm and its lawyers and the scope of our practice generally, visit our web site at www.cavalluzzo.com. If you have specific questions regarding the regulated professions, you may contact Elizabeth McIntyre at 416.964.5501 or at emcintyre@cavalluzzo.com.

Providing this information does not constitute individualized legal advice, and does not establish any form of lawyer-client relationship with our firm or with any of our lawyers. Readers should not rely on or take any action based on this information; professional advice should be obtained. While we strive for accuracy, mistakes are possible and there may be errors and omissions. We disclaim any liability for such errors and omissions.

Copyright 2005© Cavalluzzo Hayes Shilton McIntyre & Cornish LLP