This document discusses privacy considerations and challenges related to health records for the elderly. It covers the following key points: - Privacy laws like PHIPA aim to balance individual privacy with proper information sharing in health care, but recent breaches show risks to privacy from lost devices and unencrypted records. - Elderly patients in long-term care often have complex conditions like dementia and dependencies in daily activities, while facilities face challenges from limited resources and increasing use of technology. - By 2031, the number of Canadians with cognitive impairment is projected to double to 1.4 million, drastically increasing health care costs to an estimated $293 billion annually by 2040. - While medical records are owned by facilities

1. Health Records for the Elderly in Long-Term Care and Community Settings
Hot Topic # 1: Privacy Considerations in Health Care Settings for the Elderly
Hot Topic # 2: Optimizing Health Records in Quality Improvement in 2014 –
Whose “Secret” Is It Anyway?
December 4, 2014
Prepared and Presented By:
Edward Mancinelli, Mancinelli PC
mancinelli pc
A Professional Law Corporation

2. Hot Topic # 1: Privacy Considerations in Health Care Settings for the Elderly
Privacy Update on Privacy
•10-year anniversary of PHIPA, the Personal Health Information Protection Act, 2004, S.O. 2004, CH. 3, Sch. A.
(the “Act”), (formerly Bill 31 - Health Information Protection Act, 2003 (“HIPA”)). PHIPA was based on “10 Fair
Information Principles”.
•Frequent media coverage concerning privacy breaches in Ontario health care, e.g. Norfolk General Hospital
(1,300 patients notified), Sault Area Hospital (144 inappropriate cases of “snooping” or accessing patient EHR
files), etc.
•In terms of privacy regulation in Ontario, there have been numerous Orders of the Information and Privacy
Commissioner (“IPC”). As a result, typical “lessons” learned for health organizations include that: Health
information Custodians (HICs”) are responsible for their own “agents”, e.g. in “snooping” cases; lost USB
sticks and laptops as well as unencrypted Personal Health Information (“PHI”) in electronic health record
systems (“EHRs”) are all potential threats to privacy.
•When in force, the Electronic Personal Health Information Act, 2013 (“ePHIPA”) will double PHIPA fines levied
to $100,000 for individuals and $500,000 for corporations.
•Hopkins v Kay, 2014 ON SC 321 – Facts: Approximately 280 patient records of the Peterborough Regional
Health Centre were intentionally and wrongfully accessed. Query: Has PHIPA “occupied the field” such that the
common law “tort of inclusion upon seclusion” (or breach of privacy) is precluded by PHIPA and patients
(whose privacy has been breached) can sue directly?

3. Current Capacity Challenges in Health Care Settings for the Elderly
Current Sector Themes (LTCH Population)
•increased disease acuity and complexity (with comorbidities) for residents
•limited resources of HICs, e.g. LTCH resident to staff ratios on overnight shifts
•increased use of digital technologies, e.g. EMRs and Telemedicine carts by HICs
•frequency of disputes involving families, SDMs and HICs
Care Challenges for Elder Sector
•93% of newly admitted LTCH residents require extensive assistance, or are totally
dependent on assistance with ADLs
•83% of LTCH residents were reported to show “high” or “very high” care needs, compared
to 72% four years earlier [Canadian Institute of Health Information (“CIHI”)]

4. Current Capacity Challenges in Health Care Settings for the Elderly
Care Challenges (Continued)
•LTCH residents with an assessed diagnosis of dementia - 61.1%; with an assessed diagnosis of
hypertension - 61.3%; with some cognitive loss - 39.1%; with severe cognitive impairment -
28.6%; showing signs of depression - 32.7%; with some aggressive behaviour due to dementia or
other mental health challenges - 23.1%; with severe or very severe aggressive behaviour - 23.5%
- Continuing Care Reporting System, 2012-2013, CIHI / SAFER (Staffing Alliance for Every
Resident), 2014
•Only 17% of residents in complex continuing care facilities are involved in programs specifically
related to dementia [SAFER Report, 2014]
•In terms of drug utilization, about 28% of all seniors across various sectors in Ontario are taking
antipsychotic medications (33% in LTCH and 14% in Retirement Homes) - Medisystem Summary
Report, 2014

5. Current Capacity Challenges for the Elderly
What is the Cost?
•In 2011, 747,000 Canadians living with cognitive impairment, including dementia - 14.9% of Canadians 65 and
over.
•By 2031, this figure will increase to 1.4 million.
•In terms of burden of care, the current combined direct (medical) and indirect (lost earnings) costs of
dementia total $33 billion per year.
•This number is expected to climb to $293 billion a year by 2040.
•Reference: http://www.alzheimer.ca/en/About-dementia/What-is-dementia/Dementia-numbers

6. Health Records 101 – Who Owns What?
• For many years, the Courts have recognized that medical
records are the property of the health facility or medical
institution; however, the underlying health data is the
property of the patient/resident/client. Therefore, the key
issue then becomes the right of access - McInerney v
MacDonald [1992] 2 S.C.R. 138.
• As a general rule, a patient/resident/client should have a
right of access to his or her PHI.
• HIC has a corresponding obligation to provide PHI as a
fiduciary that holds PHI in a fashion somewhat akin to a
trust to be used by the provider for the benefit of the
patient/resident/client.

7. Privacy Legislation – A Quick Look at PHIPA
• Balances individual’s right to privacy with the “legitimate” needs of organizations providing health
care services. PHIPA also seeks to balance the proper protection of privacy with the communication
rights within the health care team (i.e. “circle of care”) necessary to provide care.
• On the whole, PHIPA governs PHI in the custody or control of HICs, e.g. health care practitioners,
hospitals, community care access centres (“CCACs”), psychiatric facilities, persons who operates a
group practice of “integrated” health practitioners, LTCHs, care homes, pharmacies, laboratories,
ambulance services, laboratory or specimen collection centres.
• The scope of PHI includes: identifying information about an individual in oral or recorded form that:
relates to an individual’s physical or mental health; relates to the provision of health care to the
individual; identifies the individual’s substitute decision-maker ("SDM").
• An agent of a HIC is a person that - with the authorization of a HIC - acts for or on behalf of a HIC in
respect of PHI.
• Irrelevant whether or not the agent is employed by the HIC, remunerated by the HIC or has the
authority to bind the HIC.
• HIC remains responsible for PHI collected, used, disclosed, retained or disposed of by an agent.

8. What are the Requirements for HICs?
• In Section 3(1) (11) (iv) of the Long-Term Care Homes Act, 2007, S.O. 2007, CH. 8 (“LTCHA”),
every resident under the Bill of Rights has the right to have his or her PHI kept confidential,
and to have access to his or her records of PHI, including his or her plan of care.
• Under Section 6(12) of the LTCHA, a LTCH licensee shall ensure that the resident, the
resident’s SDM and any other persons designated by the resident or SDM are given an
explanation of the plan of care; however, under Section 6(13) of the LTCHA, this does not
require the disclosure of information if access to a record of the information could be refused
under PHIPA except for a plan of care for a resident under Section 6(14) of the LTCHA.
• Under PHIPA, a HIC must safeguard PHI in their custody or control by taking steps that are
reasonable in the circumstances to: (i) ensure that PHI is protected against theft, loss and
unauthorized use or disclose; (ii) ensure that PHI records are protected against unauthorized
copying, modification or disposal; and (iii) ensure that PHI records are retained, transferred
and disposed of in a secure manner.
• Resident/patient/client or SDM must be given notice of theft, loss or unauthorized access
under Section 12 of PHIPA 12 (e.g. social media, USB keys, etc.).

9. What are the Requirements for HICs?
• In general, a HIC should not collect, use or disclose PHI unless the consent of the individual has
been obtained. PHIPA sets out the three types of consent: (1) express, (2) implied and (3) assumed
implied consent.
• (1) Express consent is commonly understood as consent that has clearly and unmistakably been
given orally or in writing, and is required to: (i) disclose PHI to a person that is not a HIC; (ii) disclose
PHI to a HIC for a purpose other than the provision of health care; (iii) collect, use or disclose PHI
for marketing; and (iv) collect, use or disclose PHI for fundraising (if using more than the name and
address of the individual).
• (2) Implied consent is commonly understood as a consent that a HIC concludes has been given
based on an individual’s action or inaction in particular factual circumstances.
• (3) Assumed implied consent (under Section 20(2) of PHIPA) also known as the “Circle of Care”
(although the term “circle of care” does not appear in PHIPA) occurs when a HIC that receives PHI
for the purpose of providing health care or assisting in the provision of health care, is entitled to
assume implied consent to collect, use or disclose PHI for the purposes of providing health care or
assisting in providing health care, unless the HIC is aware that the resident / patient / client has
expressly withheld or withdrawn consent.

10. Dealing with “Circle of Care” Uncertainties for HICs
• In developing some collaborative clinical care models in elder care, some uncertainties with
the "circle of care" could cause anxiety which may undermine such care.
• Section 20(4) of PHIPA provides that where a patient /resident /client provides information
about his or her religious affiliation, the facility is entitled to assume that it has the
individual’s implied consent to provide his or her name and location in the facility to a
religious representative as long as the HIC has “offered the individual the opportunity to
withhold or withdraw the consent and the individual has not done so.”
• Although residents/patients/clients have the right to withhold or withdraw consent to the
disclosure of their PHI for health care purposes by providing express instructions to HICs not
to use or disclose PHI (e.g. Section 37(1) (a) of PHIPA where the “individual expressly
instructs otherwise”), HICs must act reasonably and explain to the resident/patient/client
that only persons involved in his or her care would have PHI disclosed to them, e.g. a
physiotherapist.

11. Key Areas of Concern for Privacy Breaches
• Snooping, e.g. “intrusion upon seclusion” is a new tort or action recognized by the
Ontario Court of Appeal. On the other hand, under Section 71(1)(a) and (b) of the
Health Care Consent Act, 1996, S.O., c.2 (“HCCA”) may provide immunity to a HIC
from an action for damages where anything done in the exercise of any of their
powers or duties was in good faith and reasonable in the circumstances.
• Common use of unencrypted data storages devices such as USB keys, laptops and
handheld tablets could create unwanted risks. Also, with digital clinical
management systems, e.g. EMR systems that store PHI on an unencrypted basis to
the Internet, i.e. “cloud software” with servers in another jurisdiction outside of
Ontario.
• New LTCH use of Telemedicine carts. Reference: OTN Privacy Toolkit (Privacy in a
Telemedicine Environment at Page 8) located at http://otn.ca/en/telemedicine-
resources/privacy-toolkit.

12. Managing PHI in the Context of Resident/Patient/Client Capacity
• Capacity (and related tests to determine capacity) are applicable to LTCH residents including
on admission. Specific health professionals known as “evaluators” may initially determine
capacity and include: SLPs, RNs, OTs, MDs, PTs and psychologists; however, there are no
specific requirements regarding capacity assessments.
• HCCA applies to treatment plans and admission to “care facilities” (and PSW services), where
“Care facility” under Section 2(1) of HCCA means a LTCH, home for the aged and charitable
home.
• In general, compelling evidence is required to override the presumption of capacity found in
Section 2(2) of the Substitute Decisions Act, 1992, S.O. 1992, CH. 30 (“SDA”) and Section 4(1)
of the HCCA. Mental capacity exists if a resident/patient/client is able to carry out his or her
decisions with the help of others.
• Evaluator must maintain meticulous files and be “alive to” third parties harbouring “improper
motives”. The resident / patient /client should be made aware of the significance and effect
of a finding of incapacity. The warning is a requirement under Section 78(2) (b) of the SDA.
Failure to warn rendered the evaluator and assessor’s findings of incapacity a nullity - Re Koch
(1997).

13. When it Comes to PHIPA, When is a Resident/Patient/Client Capable?
• The Supreme Court of Canada has outlined a two-part capacity test in interpreting the use
“capacity” with respect to consenting to collection, use and disclosure of PHI. A person is
capable if that person is able to: (a) understand the information that is relevant to making a
decision; and (b) appreciate the reasonable foreseeable consequences of a decision or lack
of decision (similar to Section 4 HCCA test for capacity to consent to treatment) - Starson v.
Swayze [2003] S.C.R. at 722:
• “The presumption of capacity [under Section 4.2 of the Health Care Consent Act, 1996, S.O.,
c.2] can be displaced only by evidence that a patient lacks the requisite elements of capacity
provided by the Act. Capacity involves two criteria [under Section 4.1 of the Act]: first, a
person must be able to understand the information that is relevant to making a treatment
decision and second, a person must be able to appreciate the reasonably foreseeable
consequences of the decision or lack of one.
• As capacity is presumed, a person may rely on a presumption of capacity unless there are
reasonable grounds to believe that the person is incapable. Moreover, in M. N. v. Klukach,
(2004) O.J. No. 394, the Court noted that the second branch of the test for capacity assesses
the ability to evaluate, not just understand information, i.e. the ability to evaluate
information as it relates to him or her, not just understand information.

14. Practical Tips for Maintaining Health Records
• HICs should be aware that a health provider’s notion of “best
interests” is not always relevant; that is, it is the role of the
Consent and Capacity Board (“CCB”) to ultimately determine
whether a “treatment plan” is in a resident/patient/client’s
“best interests”.
• If the patient is capable, then he or she has the right to make
whatever decision he or she wishes. The
resident/patient/client is entitled to disregard the clinical
advice and/or make an “unwise” decision. Also, please
consider that the mere failure to make decision is not the
same as inability to make decision.

15. What is the Role of a Substitute Decision-Maker?
• In terms of “who” is an SDM, a SDM may be: a POA for personal care, a
representative appointed by the CCB, a spouse/partner, adult child, parent, person
lawfully entitled to provide consent, access parent, brother or sister, any other
relative or Public Guardian and Trustee (“PGT”) but not a non-relative.
• If person is incapable, a SDM must be capable and not prohibited by Court Order /
separation agreement from having access and must be available (i.e. to
communicate within reasonable time).
• If there is an SDM for treatment under the HCCA, that person also makes related
PHIPA information decisions. If, however there is no SDM, then you must go to the
ranking order in PHIPA - which is similar to Section 20(1) of the HCCA dealing with
ranking for consent.

16. List of SDMs - What is the Ranking Order?
• An SDM only has authority once the resident/patient/client is incapable.
• Therefore, a HIC should know the Section 20 “ranking” of SDMs in HCCA.
• Under Section 20(1) (1) to (8) of the HCCA, the list is as follows: (1) Guardian of the person;
(2) attorney for personal care; (3) personal representative; (3) spouse or partner; (4) child or
parent; (5) access parent; (6) brother or sister; (7) other relatives; and (8) Public Guardian
and Trustee (SDM of last resort).
• It is also important to understand in the context of treatment plans, which the SDM must act
in accordance with the resident / patient / client’s prior capable wishes taking into account a
series of “personal interests”; that is, values and beliefs and quality of life while balancing
risk and benefit.

17. Is Consent Required When Withdrawing Treatment?
• The Supreme Court of Canada, in Cuthbertson v Rasouli [2013] S.C.R., has recently
decided the process to be followed where it is not possible to achieve consensus
as between a physician and a patient’s SDM with respect to a medical
recommendation to withdraw life-sustaining treatment. Please see Appendix A –
Six Steps in Withdrawing Life-sustaining Treatment.
• In terms of medical records, you may wish to amend practices/policies to
underscore the proposition that an SDM must provide consent for the withdrawal
of life-support. You should also have policies and practices in place regarding
disagreements between HICs and SDMs on other “health-related” matters (e.g.
Emergency Department transfers for residents).
• Section 2(1) of HCCA extends specifically to cases involving the withholding of
treatment as per the definition of “plan of treatment”, i.e. the “withholding or
withdrawal of treatment” – EGJW v MGC, 2014 CanLII 49888 (ON HPARB)

18. Sharing PHI When Families Are Disputing
• Section 38(4) of PHIPA states that a HIC may disclose PHI about a resident/patient/client who is deceased,
(a) for the purpose of identifying the individual, (b) for the purpose of informing any person whom it is
reasonable to inform in the circumstances of (i) the fact that the individual is deceased or reasonably
suspected to be deceased, and (ii) the circumstances of death, where appropriate; or (c) to the spouse,
partner, sibling or child of the individual if the recipients of the information reasonably require the
information to make decisions about their own health care.
• Key question is who makes decisions to share the health record after the client dies? As there is no longer
an SDM, the Estate Trustee or “person responsible for the administration of the estate” makes the
decision.
• However, what if an SDM, e.g. adult child of resident instructs LTCH not to share PHI with other family
members including at end of life care? In this case, a HIC should try to negotiate a resolution and failing
which you may take the SDM to CCB on a Form G (to determine whether the SDM is acting in “best
interests” under subsection 37(1) and subsection 21(2) of the HCCA.
• Should also remind the SDM of his or her duty to seek to foster regular personal contact between the
resident and family members as per Section 32(4) of the Substitute Decisions Act, 1992.
• You should always advise a SDM to retain counsel unless there is a risk of harm in doing so.

19. Sharing PHI When Families Are Disputing (Continued)
• Section 40(1) of PHIPA states that a HIC may disclose PHI about a resident/patient/client if
the HIC believes on reasonable grounds that the disclosure is necessary for the purpose of
eliminating or reducing a significant risk of serious bodily injury to a person or group of
persons (i.e. public interest disclosure). You should be ready to use it!
• Section 38(1)(c) of PHIPA states that a HIC may disclose PHI about a resident/patient/client
for the purpose of contacting a relative, friend or potential substitute decision-maker of the
individual, if the individual is injured, incapacitated or ill an unable to give consent personally.
• SDM is entitled to have the entire PHI that person would have in order to make decision.

20. Health Research Involving Residents/Patients/Clients – Are there Issues?
• When seeking consent from vulnerable clients/patients/residents, a common law duty exists that if there is a
potential risk, then you should not proceed without a reasonable assurance of safety.
• HIC may use PHI about a resident/patient/client under Section 37(1)(j) of PHIPA for the purpose of research (e.g.
input or data sharing between organizations) conducted by the HIC but only if the HIC prepares a research plan
under Section 44(2) of PHIPA and has a research ethics board approve it (or re-approve it) in writing as per
Section 44(3) of PHIPA and Section 15 of ONTARIO GENERAL REGULATION 329/04 under PHIPA. When determining
whether or not to approve a research plan, an ethics board must consider under Section 44(3) whether the
objectives of the research can reasonably be accomplished without using the PHI that is to going to be
disclosed.
• In terms of the collection, use and disclosure of PHI in health research where a health provider is an investigator
(or co-investigator) in a “live” funded study, there is no implied or assumed implied consent (not within the “circle
of care”) and is usually not protected quality of care information.
• Exemptions for certain “prescribed entities” in Ontario (e.g. Institute for Clinical Evaluative Sciences which is a
prescribed entity under Section 45(1) ("Disclosure for planning and management of health system") of PHIPA and
Section 18(1)(3) of O. Reg 329/04 under PHIPA for the purposes of disclosure for planning and management of the
health system.
• As a practical matter, when in doubt, you should obtain express consent from the SDM. When it comes to the
elderly such as LTCH residents, they are more likely than not to consent; however, you should emphasize choice. A
non-care giver / provider should obtain consent.

21. Best Privacy Information Practices: Tips
• There is no general right of access to PHI - you should ask patient/resident/client who they
want involved in and informed about the services they receive from you.
• As a rule of thumb, you should not provide information over the phone if you cannot
confirm who is on the telephone. However, you may give general information to families; that
is, you may use PHI to sort out who is the patient/resident/client’s SDM but take care when
making assumptions about which family member should have this role - especially when
there are disputing adult children.
• Statement / policy as to reasons and in what circumstances where you will disclose
resident/patient/client’s PHI.
• Check all third party requests carefully as to who is making the statement and be very diligent
regarding requests from “family” members, friends and volunteers.
• Anyone calling a LTCH can be told that resident/patient is there and general status.
• Under PHIPA, a HIC must ensure that PHI records are securely stored, e.g. health information
residing on a portable device (laptops, memory sticks, tablets, etc.) must be encrypted.
• In terms of best practices, you should use PHI only for the purposes for which it was collected
and intended and consider why PHI information is being collected, used and/or disclosed.

22. Best Privacy Information Practices: Tips
(Continued)
• In the event of a transfer of a PHI record to a successor or predecessor, Section 42(2) of
PHIPA requires a HIC to make reasonable efforts to contact the patient before transferring
records to another health care provider, or if that is not possible, as soon as possible after the
transfer.
• Please consider that you (as a HIC) will usually be in a better position to respond to breaches
(and complaints and civil litigation concerning breaches) if you are able to demonstrate that
you have policies and practices in place that are appropriate with staff training on those
policies and practices.
• One of the most significant protective measures is the establishment of a “culture of privacy”
meaning that every staff member must understand the importance of safeguarding PHI
records, e.g. be aware of a HIC’s obligations and realize the consequences of a breach or loss
of PHI while ensuring that all stakeholders understand their rights and choices.
• In terms of privacy best practices, you should implement all required privacy management
tools (privacy policies, fact sheets, confidentiality agreements, service agreements, data
access forms (internal and external) and templates for consents.

23. HOT TOPIC # 2: Optimizing Health Records in Quality Improvement in 2014 –
Whose “Secret” Is It Anyway?
• “Be a yardstick of quality. Some people aren’t used to an environment
where excellence is expected” ~ Steve Jobs (1991–2011)

24. HOT TOPIC # 2: Optimizing Health Records in Quality Improvement in 2014 –
Whose “Secret” Is It Anyway?
Quality of CareQuality of CareQuality of CareQuality of Care
PerformancePerformancePerformancePerformance
ManagementManagementManagementManagement AccountabilityAccountabilityAccountabilityAccountability

25. Update on QCIPA
•The general rule is “once quality of care, always quality of care”
• Information prepared by or for a designated committee under QCIPA, the Quality of Care
Information Protection Act, 2004, S.O. 2004, CH. 3, Schedule B, (formerly Bill 31 - Health
Information Protection Act, 2003 (“HIPA”) is shielded from disclosure. This rule is subject to a
right of appeal to the Information and Privacy Commissioner of Ontario (“IPC”) on any “decision”
made by a health facility or to a right of action in the Ontario courts.
•10-year anniversary of QCIPA. However, there is a recurrent contentious theme in media
coverage of a “secrecy enabling law” which appears to question the variability of use across
health settings in Ontario, e.g. 2014 Brampton Civic Hospital suicide case.
•The current Ministry of Health and Long-Term Care (“MOHLTC”) review of Ontario quality
improvement legislation is being co-led by Health Quality Ontario (“HQO”) and the Li Ka Shing
Knowledge Institute (St. Michael’s Hospital) and they will report back to the MOHLTC towards the
end of 2014 – The Star (August 14, 2014).
•There are two sides of the debate, i.e. patient rights (QCIPA enables health facilities to “hide”
information from families, etc.) vs. community rights (Ontario health care system should allow for
a “limited” class of protected information used to improve quality of care (e.g. infection
prevention and control, medication errors and the recognition and management of various
“adverse events”).

26. Update on QCIPA
(Continued)
• Quality of Care Information (“QCI”) protection has been recommended for many years in Ontario
(e.g., Ontario Steering Committee, Into the 21st Century: Ontario Public Hospitals Report of the
Steering Committee, Public Hospitals Act Review, (February 1992)).
• QCIPA is not hospital-specific.
• QCIPA recognizes that the best possible care requires commitment to continuous improvement and
risk reduction. In the wider context, QCI forms part of a larger ‘ecosystem’ of health data (e.g. the
calculation of the Case Mix Index or CMI for Long-Term Care Homes (“LTCHs”) from Canadian
Institute of Health Information (“CIHI”) data generated from RAI-MDS input for each LTCH) which
inform quality standards (e.g. balanced scorecards) and evidence-based practices for care plans,
program design and decision tools, etc..
• Legislation protecting QCI is found in most other provinces and the U.S..
• In the absence of QCI under QCIPA, one may arguably rely on solicitor-client privilege or common-
law privilege (i.e. the “Wigmore” test); however, this must be determined on a case by case basis
and is not always reliable enough to foster open discussions.
• The current health regulations for quality improvement involves continuous evaluation to measure
health outcomes, ensure accountability, track performance and assure quality (e.g. Quality
Improvement Plans (“QIPs”) in LTCHs which are voluntary in 2014/2015 and will be required in
2015/2016 (e.g. pressure ulcers, falls, ED transfers and physical restraints).

27. Update on Current 2014 MOHLTC Review of the QCIPA
Health Quality Ontario Patient, Family, and Public Consultation closed on November 17, 2014.
Key HQO Survey Questions
•"# 4 Some quality incidents are very complex, and understanding their causes requires open discussion and
speculation amongst health care staff. Like most other jurisdictions, Ontario has legislation (QCIPA) that allows
hospitals and other health care organizations to keep confidential the discussions that health care staff have
about quality incidents. Many people who have investigated quality incidents report that without this
confidentiality, staff will not speak openly about what happened, speculate freely about what could have
been done to prevent the incident or share ideas about how similar incidents could be avoided. (Under QCIPA
the facts about a quality incident are not kept from patients, but speculations and opinions are kept
confidential). In light of this, do you have suggestions about how Ontario can strike the right balance between
harm prevention on the one hand and disclosure to patients, families, and the public on the other?"
•"# 5 Many people affected by a quality incident hope that what is learned from the investigation of that
incident will be used to prevent similar incidents from occurring in the future. In your view, what are the best
ways for health care organizations to share what they have learned from investigations of quality incidents
with each other and the public, while at the same time respecting patient confidentiality?“
•Reference: Patient, Family, and Public Consultation at http://www.hqontario.ca/about-us/quality-of-care-information-protection-
act-review (Section 10(1)(d), QCIPA - Lieutenant Governor in Council shall not make any regulation unless the Minister has
considered whatever comments and submissions that members of the public have made).

28. Quality Assurance – Key Regulatory Framework
• Section 4 of the Excellent Care for All Act, 2010 (“ECFAA”)
provides that a quality committee oversee the preparation
of quality improvement plans. These plans must be
developed having regard to aggregated “critical incident”
data as compiled based on disclosures of adverse incidents.
A “health care organization” includes an entity in the
Regulations that receives public funding.
• Section 84 of the Long-Term Care Homes Act, 2007, S.O.
2007, CH. 8 (“LTCHA”) provides that every LTCH shall
develop and implement a quality improvement and
utilization review system that monitors, analyzes, evaluates
and improves the quality of the accommodation, care,
services and programs provided to residents of the LTCH.

29. Which Organizations Can Designate a Quality of Care Committee (“QCC”)?
• The following health care providers can designate QCCs: hospitals,
independent health facilities, psychiatric facilities governed by the
Mental Health Act (1990), LTCHs, licensed medical laboratories
and specimen collection centres. In addition, “health care
improvers” can designate Quality of Care Committees (“QCCs”)
namely, Ontario Medical Association, in respect of its quality
assurance activities with licensed medical laboratories and
specimen collection centres and Canadian Blood Services, in respect
of its laboratories and specimen collection centres.
• Section 1, QCIPA of Regulation 297/04 outlines the definition of
“Quality of Care Committee” and specifically includes under ss. (1) –
“A long-term care home” within the meaning of the LTCHA.

30. Why Do We Need QCIPA?
• To enhance patient safety.
• To encourage health professionals to share information, speculations and opinions through open
discussions within a quality review to improve patient care, without fear that the information will
be used against them.
• Develop recommendations for quality improvement (including the level of skill, knowledge and
competence of the persons who provide health care).
• QCIPA has supremacy over other laws in Ontario, e.g. personal health information (“PHI”) can be
revealed to QCC but cannot be used as evidence in a legal proceeding (e.g., Court, Coroner or
Colleges)
• Disclosure of QCI in contravention of the QCIPA is an offense as is retaliation against someone who
participated in review process. A committee member of a QCC who discloses information in good
faith or under the harm reduction provision under QCIPA will be granted immunity.
• No action may be taken against a QCIPA committee member and retaliation against someone who
participated in such a process is an offence.

31. What is the Relationship between QCIPA and PHIPA?
• Under Section 37(1) (d) of Personal Health
Information Protection Act, 2004 (“PHIPA”), PHI
can be used without consent for risk (e.g.,
significant risk of bodily harm) and error
management and quality of care purposes.
• It is important to note that QCI is not necessarily
information that identifies any resident / patient
/ client once the subject health information has
been “properly” de-identified.

32. How Does a Quality of Care Committee Work?
• The “centrepiece” of QCIPA is the “Quality Committee”. It is noteworthy that this is not a Medical Advisory
Committee which committee is hospital-specific. Please refer to Appendix A – Steps to Be Taken For
Serious Incident Reviews: Simplified Flowchart.
• Under Section 3 of Ontario Regulation 297/04 of QCIPA, a QCC must be formally designated in writing by
the authorized entity and be conferred with a range of quality of care functions. The designation is
typically by way of resolution of the Board of Directors, QCC or senior management, consistent with the
health entity’s underlying governing structure (e.g. Terms of Reference, By-Laws, Articles, “Membership”
under Letters Patent, Operational Resolutions, Policies based on Level of Care Funding, Strategic Plan,
etc.).
• In terms of composition, at least one-third of the members of the QCC must be voting members of the
health care organization’s board. Every QCC shall report to its responsible body, e.g. Board of Directors.
• Terms of Reference of the QCC must be available to the public on request (Ontario QCIPA Regulation
297/04, Section 3(1)). This means that non-QCIPA reviews will not be protected, i.e. when they are
conducted by individuals or groups that have not been designated as a QCC. Do your Terms of Reference
require updating?

33. How Does a Quality of Care Committee Work?
Multi-purpose Committees
• A multi-purpose quality assurance committee or QCC is not uncommon in many health settings and
performs quality of care functions possibly along with other operational functions.
• From a governance point of view, quality of care functions must be kept separate as per the definition of
“functions” under Section 4 of the ONTARIO GENERAL REGULATION 330/04 of QCIPA, i.e. “to carry on
activities for the purpose of studying, assessing or evaluating the provision of health care with a view to
improving or maintaining the quality of the health care or the level of skill, knowledge and competence of
the persons who provide the health care.”
• If a multi-purpose QCC structure is typically adopted, then the quality functions must be kept separate
from other functions such operational matters. This separation may involve a designated time period or
formal declaration, as well as separate minutes or notes. QCC minutes may reflect a limited quality review
• e.g. “Before we open the case for our review, I wish to remind everyone here of the intent of this quality
review. We are here to review the facts, circumstances surrounding the case, influencing factors, system
issues, or any contributing causes. It is an opportunity for us to examine our process of providing care to
see what we can do better in the future. As such, I wish to remind everyone what is discussed here is
confidential.”

34. How Does a Quality of Care Committee Work?
• When reporting to a QCC, health providers and custodians should seek to avoid stating any
causal connections (e.g. “while we did not conclude that our policy contributed to...we have
now implemented…”).
• Measures to separate the functions of a multi-purpose QCC may sometimes be difficult to
maintain as a practical matter.
• In turn, a QCC may delegate certain quality functions to another “sub-committee” and retain
the required protection under QCIPA as per Section 3 of the ONTARIO GENERAL REGULATION
330/04 of QCIPA, i.e. "every person who participates or assists with the committee’s
functions" as set out in the definition of “quality of care committee” in Section 1 of QCIPA is
protected because it is engaged in the review as a delegate of the QCC.
• Delegates typically include experts, administrative staff, and ad hoc “sub-committees” which
assist the main QCC in achieving its quality functions.
• The scope of QCC functions would typically include related oral facts, conclusions,
evaluations, assessments, reports, speculation and expert advice under QCIPA.
• In some instances, a health facility does not wish to shield information from future uses, e.g.
making use of a quality “peer” review for recommendations on staff appointments or
discipline.

35. How Does a Quality of Care Committee Work?
• From a governance point of view, unless there is a “good system” for reporting on “critical incidents” (and
“near misses”) in the first instance, and bringing them into the quality review process, the information
generated will not be properly protected under QCIPA.
• Any ad hoc review in the immediate aftermath of a “critical incident” may not be protected under QCIPA.
As a result, any information generated outside of a QCC will only be privileged under uncertain
“traditional” categories of privilege at law.
• It is important to note that “boiler plate” Terms of Reference and Policies are not recommended.
• Your health setting is unique. You should create its own quality review and improvement process based
on its governance structure.
• QCCs typically make recommendations to the responsible body (e.g. Board of Directors) regarding quality
improvement initiatives, QIPs, policies and programs as required (e.g., Resident Falls Prevention Program,
Wound Care Program, Palliative Care Program, Resident Lifts/Transfers Program).
• In terms of best information practices, a QCC will ensure that health information is translated into
materials such as forms and contracts that are distributed to employees and relevant providers and will
then monitor the use of these materials and track performance for all stakeholders (e.g. LHINs).

36. Steps to Be Taken For Serious Incident Reviews: Simplified Flowchart
Incident
Occurs
QCC (or Board)
mandates / plans
quality review
Non-QCIPA Review
Refer back to
Program /
Administrator
YESNO
YES
QCC signs off
serious incident
as “closed”
Recommendations for Quality
Improvement to Administrator /
Appropriate Leadership (subject to
permitted disclosure rules)
Implement Quality
Improvement Workplan and
Annual QIP (e.g. s. 84 of the
Act requiring review program)
Report Submitted to
QCC
Review Implementation of Actions /
Performance Evaluation (e.g. LSSA,
Schedule D – Performance)
Post Review -
Share Learning /
Knowledge
Transfer with
Stakeholders
Inform Patient (or SDM), Director (statutory “Critical Incidents” under ss. 107(1) and (3) of Gen.
Reg. 79/10) & others (e.g. insurer, etc.)
Report to Quality Team / Sub-committee
(Administrator / Clinical Director / Program Director)
Undertake Investigation / QCIPA Review with
Protection (Single or Multi-function Quality
Committee)

37. What Are the Issues in Quality Assurance?
• Whether to proceed with a QCC review under QCIPA (to ensure absolute privacy protection subject
to permitted disclosure rules) or a quality improvement review or others such as a Medical
Advisory Committee (as required under the Public Hospitals Act, 1990 (“PHA”))?
• Consider how to structure the overall quality improvement process so that the protective rights
offered by QCIPA can best be applied.
• Once QCI has been designated as such, it cannot be disclosed or made admissible in a
"proceeding", which is defined under QCIPA as including: an Ontario court, tribunal, commission,
arbitration or a [discipline] committee of a College within the meaning of the Regulated Health
Professions Act, 1991.
• In practice, while QCI cannot be used in any proceedings against that health facility, it similarly may
not be used in any proceedings in which the health entity is seeking to vindicate its actions. In order
words, QCIPA is a like ‘double-edged sword’.
• If you are seeking to proceed under QCIPA should give careful consideration to any possible future
uses of the information including legal matters.
• The decision to seek QCIPA protection is often complex. You may also seek outside legal counsel to
ascertain the rights and interests of your health organization and stakeholders.

38. What Can a QCC Disclose?
• “Disclosure” is defined under Section 1 of QCIPA as making information available
to a person who is not a member of the QCC subject to permitted disclosures.
• QCI may be disclosed to the management of a facility if the QCC believes that the
disclosure is required for the purpose of maintaining or improving health care.
• Management may generally share QCI disclosed for the purpose of improving
quality under Section 4(3) of QCIPA; and to employees and agents for quality of
care purposes under Section 4(6) QCIPA; and to prevent serious bodily harm
under Section 4(4) of QCIPA.
• QCI retains its “privileged status” as such despite subsequent disclosures. More
specifically, under Section 4(1) of QCIPA, a person to whom quality of care
information has been disclosed, i.e. a recipient of QCI is restricted in his or her
subsequent use and disclosure of the QCI who may only use the information for
the purpose for which it was disclosed.

39. What is the Relationship between QCIPA and “Critical Incident” Reporting?
• It is noteworthy that there is varying language in quality assurance reviews (error,
adverse event, sentinel event, incident, critical incident, etc.). For example, PHA
Regulation 965 uses “critical incidents” and requires mandatory disclosure of
“critical incidents” to patients or SDM as soon as practicable.
• Subsections 107(1) and (3) of the Amendment to General Regulation 79/10 under
the Long-Term Care Homes Act requires reporting of statutory “critical incidents”.
More specifically, subsection 107(5) of Regulation 79/10 also requires LCTHs to
report an injury to a resident that results in “significant changes” to his or her
health condition to the “Director” within three (3) business days. Must report all
other “critical incidents” under General Regulation 79/10 in writing within ten (10)
days of the critical incident.
• It is important to note that facts are not protected under QCIPA and would be
allowable under the civil litigation discovery process, e.g. facts found in a
patient/resident/client health record generated as a requirement of law (e.g. facts
of Coroner’s report). Please refer to Appendix B – Summary of QCI.

40. When Should You Not Seek QCIPA Protection?
• Seeking QCIPA protection is typically not necessary when the contributing
factors of the critical incident (e.g. environmental problems) are already
known and where it is believed that no further relevant information will
be forthcoming.
• Under a QCIPA review, care should be taken to ensure that only facts and
implemented steps are disclosed, not recommendations that have not or
will not be implemented, and without any causal “link” between the
disclosure and the opinions from the QCIPA review.

41. What Are the Alternatives to QCIPA?
• (1) Solicitor-Client Privilege applies where legal counsel
is employed or engaged by health facility to provide
legal advice including in contemplation of litigation.
• (2) Traditional Common Law Privilege is the broadest
and most “reliable” privilege.
• (3) “Litigation” Privilege protects health information
generated for the predominant purpose of litigation
and extends to information generated for this purpose.

42. What is Common Law Privilege?
• Quality reviews may be protected by traditional types of privilege using the
“Wigmore Test” (Slavutych v Baker [1976] 1 S.C.R. 254) which has four conditions
for establishing a privilege against the disclosure of a communication: (1) the
communication must originate in a confidence that it will not be disclosed; (2) this
element of confidentiality must be essential to the full and satisfactory
maintenance of the relationship between the parties; (3) the relation must be one
which in the opinion of the community ought to be sedulously fostered; and (4)
the injury that would inure to the relation by the disclosure of the communication
must be greater than the benefit thereby gained for the correct disposal of the
litigation.
• Common law privilege in oral discovery related to health provider’s obligation is
limited to disclosure of “material facts” only- Redman v Hospital for Sick Children
(2010) ONSC.
• Health facility is not required to disclose identity of health professionals who
participated in the quality review unless they were a material witness of fact to the
care at issue - Redman v Hospital for Sick Children (2010) ONSC.

43. How Does Redman Apply to Medical Records?
• Common law privilege attaches to QCI in both documentary disclosure and
in an oral discovery context.
• QCC reviews (and some quality “peer” reviews) are intended to be a
confidential process which permits hypothesis, opinion and speculation.
• A witness to a material fact who participates in a QCC should be aware
that his or her identity and contact details may have to be revealed in the
context of a lawsuit; however, what he or she says is generally protected.
• A report arising from a critical occurrence review is privileged and the
provider is not required to produce the report - Steep Litigation Guardian
Of) v. Scott et al [2002] 62 O.R. (3d) 173; Leone v. The Hospital for Sick
Children et al [2005] unreported - Toronto 70287/84).

44. How Do You Handle Certain Documents – Emails, Notes and Incident Reports?
• In general, what is not “privileged” are the recorded facts of a “critical incident”;
that is, any recorded facts of an incident involving the provision of health care
(prepared for the QCC) if these same facts are not in the patient’s chart. This may
include Incident Reports, notes, emails or other documents for a QCC.
• Rule 30.01(a) of the Rules of Civil Procedure describes “document” as a sound
recording, videotape, film, photograph, chart, graph, map, plan, survey, book of
account, and data and information in electronic form (e.g. emails on servers,
“smart phones” and other mobile devices). Therefore, all prior staff and provider
emails about a “critical incident” may be subject to disclosure in civil litigation.
• Except under QCIPA, you may not always be in a position to claim privilege when
you need to do so, e.g. where some documents contained elements of a quality
assurance review but were not prepared exclusively or for the dominant purpose
of a quality review, the Court found some documents to be privileged and ordered
others to be produced - Doyle v. Green (1996) CanLII 4853 (NB C.A.).

45. Some Practical Tips
Health organization should undertake a review of current practices
(and underlying corporate governance structures such as Terms of
Reference, By-Laws, Articles, “Membership” under Letters Patent,
Operational Resolutions, Policies based on Level of Care Funding,
Strategic Plan, etc.) with respect to QCIPA (and non-QCIPA) reviews.
Consider how all quality assurance activities are being carried out.
In particular, are there “isolated” activities done by individuals or
on an ad hoc basis without direction from management, a
committee or board?
Develop its own “standard” system of documentation of quality
reviews where you identify records as created for quality purposes.

46. THANK YOU!
Please send any questions to:
e.mancinelli@mancinelli.ca
For more information, please visit:
www.mancinelli.ca
mancinelli pc
A Professional Law Corporation