April 2010

On October 27, 2009, the Ontario Hospital Association ("OHA") called for the extension of Ontario's access to information legislation to the hospital sector.  Citing the need for increased accountability and to bolster public trust and confidence in hospitals, the OHA sent letters to the Ministry of Health and Long-Term Care (the "Ministry") and the Information and Privacy Commissioner of Ontario (the "Commissioner") advocating this significant change.

While this development has prompted both praise and criticism, it is important that stakeholders consider some of the legal issues that may arise should this change be implemented.  This bulletin is intended to contribute to that awareness, and to suggest some transition strategies for hospitals to consider and adopt.

It is possible that a freedom of information ("FOI") regime could be enacted in new legislation that is specific to hospitals.  However, the likely course of action (because it is the one called for by the OHA) is to extend the FOI regime to hospitals through amendments to Ontario's Freedom of Information and Protection of Privacy Act ("FIPPA").  Although not the only means of achieving what has been proposed by the OHA, FIPPA is a useful starting point in discussing the likely features of an FOI regime, its potential impact, and how hospitals can take a pro-active approach both to complying with the legislative changes and to shaping them.

FIPPA

FIPPA applies to Ontario government ministries, and to the agencies, boards, commissions, corporations and other bodies listed in the regulations to FIPPA, including local health integration networks or LHINs.  The underlying purpose of FIPPA is to ensure that Ontarians have the information necessary for meaningful democratic participation and to ensure that government personnel remain accountable for their actions.  FIPPA has two parts – one that deals with protection of privacy and another that deals with access to information.  The privacy part has the underlying principles that are similar to other privacy laws, like the Personal Health Information Protection Act, which already applies to hospitals.   The access part represents a significant change if applied to hospitals.  Under FIPPA, individuals have the right to request access to any records held by government organizations unless the information falls under an exemption or is otherwise excluded from that Act.

Basic Elements of an FOI Regime

If extended to hospitals, an FOI regime is likely to impose the following obligations:

1. a basic obligation that the hospital provide the public with access to all records not specifically exempted or excluded by law;
2. a set of administrative obligations as to how a hospital must handle a request for access (including a timeline to respond to the requestor); and
3. oversight of the FOI process by the Commissioner, who can hear and resolve appeals from affected parties.

Exemptions

Obviously not all records should be disclosable under a FOI regime; however, any exemptions to disclosure must be set out in the applicable statute.  Exemptions are necessary to achieve a balance between democratic values, on one hand, and control over certain aspects of hospital operations and confidential information, on the other.  Under FIPPA there are two kinds of exemptions: mandatory and discretionary.

Mandatory exemptions are those which require that the information be withheld from disclosure.  Mandatory exemptions include Cabinet records, draft legislation, advice to Ministers and personal information.  There is also a mandatory exemption for third party information if the information satisfies a rigorous confidentiality test.  Only if the third party can establish that the information was supplied to the government entity on a confidential basis and otherwise meets a strict harm analysis can the information be withheld from disclosure.  It is important to note that, in Ontario, it is difficult to shelter contracts with government organizations under this exemption.  Hospitals, and those who enter into contracts with hospitals may find that their agreements are generally disclosable unless another exemption is applicable – regardless of any confidentiality clause or agreement.

Discretionary exemptions are those which the government organization can choose whether or not to invoke and thereby withhold applicable information.  Generally, discretionary exemptions under FIPPA include:

• law enforcement information;
• information that is subject to solicitor-client privilege;
• information that is already published or will be published within 90 days;

and the most notable discretionary exemptions from the perspective of hospitals:

• information that would be a danger to safety or health;
• advice given by employees or consultants (but not factual material, final plans for a program, certain kinds of reports and any records that are publicly cited as the basis for a decision or policy); and
• information that would harm the economic interests or competitive position of an institution (including negotiation positions, procedures, criteria; management or administration plans that have not yet been put into operation or made public).

While we do not know what exemptions will be available for hospitals, the exemptions under FIPPA discussed above are a helpful baseline for hospitals and other stakeholders to consider.

Operational Impacts

In whatever its form,  an FOI regime will drive changes at the operational and administrative level, and will require, at minimum, personnel training, and potentially for larger hospitals, dedicated personnel.  Hospitals should consider the following operational impacts.

Types of Requests.  Hospitals can expect to receive requests that focus on:

• procurement (e.g. vendors, costs, why a decision was made to hire certain consultant or implement a certain technology);
• major initiatives (particularly where there is a change in service);
• ex-employees looking for their employee files;
• patients inquiring about their medical file or decisions related to their care; and
• budgets (e.g. special interest groups seeking information related to their concerns).

Policy and Process.  Hospitals will need to implement FOI policies and processes that operationalize the statutory requirements (in whatever form they ultimately take).  The FOI process generally involves the following elements:

• establishing which office or personnel will handle requests and communicate with the requestor;
• developing a search and retrieval process, so that responsive records are gathered from across the organization;
• consulting internally about the disclosure of responsive records;
• consulting externally about the disclosure of responsive records that involve third parties;
• consulting with management or with legal advisors as to whether there are discretionary or mandatory exemptions that must be considered; and
• replying to the requestor and disclosing the responsive records within the time set by the law – and 'severing' or 'removing' any parts of the record that are subject to an exemption.

The process may also involve estimating costs, where the law or its regulations permits the recovery of costs.  Under FIPPA, there are a series of set costs that can be recovered, for example costs for copying records or for search time.

Training.  Training and education of all personnel is important.  Training helps to ensure that the hospital effectively searches its records, consults affected parties, and assists senior members of the FOI team to make accurate determinations of whether information should be exempted from disclosure.  All personnel need to be aware of how to refer an access request within the organization, how to properly retain and store records to facilitate responding to an access request, and to remember that records can take unexpected forms (e.g. emails, expense claims).  Hospital personnel already trained in personal health information and records management will likely transition to general access requests without difficulty.

Recommendations

Voluntary disclosure.  Pending the extension of FOI laws to hospitals, hospitals would be well served by initiating voluntary disclosure practices.  This serves to inculcate a culture of access (along with the corresponding sensitivity to preparing, circulating and storing records) in advance of any legislation.  It also provides experience that would allow hospitals to make meaningful contributions to any consultation process that may be held prior to enacting the legislation.

Triage disclosure.  If FOI laws are extended to hospitals, it would be advisable for hospitals to triage the disclosure process into informal and formal streams.  There is no requirement under FIPPA that every request for information be handled in a formal way, and by triaging disclosure, hospitals can avoid putting basic requests through the formal access process described above.  This results in a faster response time for the requestor, and conserves hospital resources by reducing the number of requests that require FOI resources to resolve.  We recommend that hospitals create separate processes for automatic, routine and non-routine disclosure. 

• Automatic disclosure involves an active dissemination strategy, where certain information or records are periodically released without any request.  This would be a continuation of any voluntary disclosure set up prior to the enactment of FOI legislation for hospitals.  Active dissemination could involve setting up a section on the hospital website for information such as board and management composition, policies and by-laws, reports and plans.  This anticipates basic requests and demonstrates transparency and openness. 
• Routine disclosure involves establishing a list of records that can be disclosed without any internal consultation.  This helps to streamline requests and frees FOI personnel to handle the non-routine requests.
• For non-routine disclosure, FOI staff would ensure that the necessary consultations are made, both internally and externally.  These requests would be handled formally under whatever legal regime is imposed.

Conclusion

It is important for hospitals and other stakeholders to consider how an FOI regime would affect them, and to do so sooner rather than later.  No draft legislation has been proposed, and so the time is ripe for hospitals and other stakeholders to have a say in any legislative developments as they evolve.