A 2024 investigation report from the Office of the Ontario Information and Privacy Commissioner (OIPC) highlights the tension between the desire of researchers to access health data on the one hand, and the need to protect patient privacy on the other. The protection of personal health information (PHI) is of great practical importance as misuse of such information can have serious consequences for individuals. Yet there is also a significant autonomy and dignity dimension as well. As patients, we are required to share very personal health information with physicians in order to be treated. The understanding is that when we provide that information, it will be appropriately cared for, and that it will not be used for other purposes without our express consent unless it falls within carefully constrained legislative exceptions.
In Ontario, the Personal Health Information Protection Act (PHIPA) provides the basic framework for the protection of PHI. Under PHIPA, those who collect PHI from patients are custodians of that information and have significant legal duties. Custodians must obtain appropriate consent for the collection of PHI; they are obliged to use it only for consented purposes; and they must keep it secure. Because of the strong public interest in medical research – for which good data is essential – PHIPA provides several avenues to support medical research. The first is consent. For research studies that require identifiable individuals to participate and to share their data, researchers can recruit participants and seek their informed consent to the collection and use of their data. Consent is not required if researchers use de-identified data, but they must request access to such data, and must complete a research ethics protocol, which is evaluated by a hospital or university research ethics board (REB). The Ontario government has also created “prescribed entities” under PHIPA. A prescribed entity has authority under the legislation to collect health administrative data as well as other data, to secure and administer it, and to use it for analytic purposes. Pursuant to PHIPA, they have the lawful authority to disclose the PHI to researchers under conditions that also involve research protocols and ethics review. ICES is the leading example of a prescribed entity for analytics and research using and disclosing Ontarian’s PHI. Prescribed entities amass significant quantities of PHI but do so under strict regulatory control. Their privacy and security practices are reviewed every three years by the OIPC, and they must comply with any recommendations made by the OIPC. However, prescribed entities do not meet all needs for health data for research, in spite of their growing patient chart datasets. In addition, there have been concerns raised that access to data in the hands of prescribed entities is cumbersome, although this is in part due to the added requirement for a privacy impact assessment (in addition to a research ethics protocol) as mandated by the OIPC. .
It is within this context that the complaint that fueled this investigation into the University of Toronto’s Practice-Based Research Network (UTOPIAN) must be understood. Created and overseen through the Department of Family & Community Medicine at the University of Toronto, UTOPIAN was essentially framed as a research project. The “research” described by the University in its REB application involved the creation of a database of “anonymized patient data from EMRs of primary health care providers”, providing “accessible data options for research and public health surveillance”, and devising “algorithms or other processes to enable automated EMR data collection, data de-identification, and other data processes” (at para 150). The University of Toronto (the University) sought and received ethics approval from its Research Ethics Board (REB). It then collected PHI on a regular and ongoing basis from clinicians in primary care practices in Ontario affiliated with the University of Toronto to create a pool of health data. To obtain the data, UTOPIAN sought the agreement of individual physicians to provide regular downloads of their patient electronic medical record (EMR) data to UTOPIAN. It then provided access to this data for health research to members of the broader U of T health research community.
Not just the volume, but also the type of information collected by UTOPIAN increased over time. The investigation report notes that in 2020 the University “significantly increased the extent of the information it uploaded from physicians’ electronic medical records (EMR) systems” (para 5). The information collected included full chart and identifying information although the identifying information was stored separately.
An initial complaint to the OIPC was filed by doctors who were aware of but uncomfortable with UTOPIAN. They raised several concerns with the OIPC but sought to remain anonymous out of fear of retribution within the university health network. The OIPC therefore proceeded with the investigation as if it were a commissioner-initiated complaint. The issues for investigation were whether UTOPIAN was properly “research” within the meaning of PHIPA; and if it was, whether it complied with the requirements for research under s. 44 of PHIPA.
The investigator began by considering whether, assuming UTOPIAN was research, it had complied with PHIPA requirements. Research projects that use patient data without consent must have a research plan approved by a Research Ethics Board (REB). They must also enter into a research agreement with the REB, and they must comply with all conditions set by the REB. A copy of the research plan and the REB decision approving the plan must be shared with the custodian who is asked to provide data for the project. PHI obtained under such a research plan must only be used for the specified purposes approved by the REB. Researchers must also notify the custodians who provide the data if there has been any breach of the research agreement.
The investigator found that the University was in breach of several of its obligations. First, it did not share its research plan with data custodians, nor did it provide copies of updated research plans as the project progressed. Instead, it provided a letter that summarized the project, and that the custodian could sign to indicate agreement. Although the University maintained that copies of the other documentation was available on request, the letter did not specify this. The investigator found that the letter lacked important details, including the end date of the project. While she found the idea of providing a high-level summary commendable, she also found that the other documents should have been appended to the letter, and it should have been clear to custodians that these documents contained additional information.
The investigator also found that the UTOPIAN project was changed over time, and while new custodians were asked to sign an updated version of the Provider Letter, there was no new letter sent to existing participant custodians. Instead, they received email notices about changes to the project. Some of these, such as the extraction of the full patient chart, were significant. The investigator found that email notices did not suffice – there had to be express agreement with the new changes. Further, she found that notice was only provided of what the University considered to be the most significant changes. The investigator found that it was not reasonable to consider that sending out emails and assuming consent if no objections were raised was sufficient to constitute agreement. She noted that emails can be overlooked by busy physicians or can even be lost in spam filters. She also disagreed with the University’s characterization of some of the changes as ‘minor’. She found that the University need to ensure that custodians “clearly, unambiguously and unequivocally communicated their acceptance of the proposed amendment to the Provider Agreement rather than relying on silence.” (at para 101).
REB approvals for research projects are time-limited and can be renewed. In this case, the REB approval expired in November 2022, but the University continued to collect PHI after that date (a date which had not been provided in the letter to custodians). This collection of PHI was therefore not authorized under PHIPA. The University sent a letter in January 2023 to custodians informing them that there had been an inadvertent uploading of patient data after the expiry of the agreement. Although it destroyed this data, the investigator nevertheless found that this was a significant breach of PHIPA. The investigator also found that there had been an earlier period where the REB approval had been allowed to expire and where data had been collected during the two-month period between its expiry and a new REB approval. That too was a breach of PHIPA. The investigator declined to characterize these breaches as administrative oversights, noting instead that they were “deeply concerning from both a legal and ethical perspective.” (at para 80). She also found that although the University had provided notice of the breach caused by collection of data after the expiry of the agreement in 2022, it had failed to provide notice of the breach that occurred when the agreement lapsed for two months in 2018. This failure to provide notice violated s. 44(6) of PHIPA.
The REB had required the University to de-link collected data from identifying information. The investigator reviewed the University’s deidentification practices and found no evidence to suggest there were problems with it. However, she nonetheless recommended that, considering the volume and sensitivity of the data collected, the University should conduct a re-identification study of its UTOPIAN database.
The REB had also required the University to conduct site visits to custodians’ offices to ensure that notices were properly provided to patients of the custodians. The investigator found that although site visits had been constrained by the COVID-19 pandemic, the University had not resumed these visits post-pandemic. The REB had required “regular” site visits, and she found that this failure to resume visits did not meet this requirement. Further, she raised concerns about the adequacy of notices posted in physician waiting rooms in a context in which doctors used virtual technologies with many patients. This shift in practice should have prompted a variation to the research plan.
The complainants had also raised concerns that deidentified patient data was being sold. The investigator was satisfied that this was not the case. However, she found that these concerns – raised by doctors who had been invited to participate in the project – highlighted a lack of adequate transparency. She noted that the abbreviated form of notice provided by the University “may have contributed to the suspicion and distrust on the part of at least some of the custodians” (at para 135).
At the time of the investigation and report, the University had put on hold all its activities in relation to UTOPIAN. Although it had no plans to collect new data, it was developing an REB application in relation to the use of the existing data in the database. The investigator made a series of recommendations to the University to correct its practices in the event that it sought to use the archived UTOPIAN database for research purposes.
Up to this point, the investigator’s report raises serious concerns about a project that operated on a large scale. UTOPIAN was a substantial pool of data – the investigator noted that it contained the health data of almost 600,000 Ontarians. However, the most significant issue from a public policy point of view is whether this type of project – which essentially creates a “data safe haven” to use the University’s own words – qualifies as “research” under PHIPA. In other words, the fundamental issue was whether this was an appropriate statutory basis to leverage so as to engage in this type of data sharing.
In addition to its research exceptions, PHIPA contains provisions allowing for the creation of “prescribed entities” who are empowered under the legislation to pool data from different sources and to make it available for analytics. Prescribed entities are also permitted to disclosure these data to researchers for research purposes. However, prescribed entities must meet the requirements of s. 45(3) of PHIPA, which mandate close supervision by the OIPC. The investigator noted that UTOPIAN performed functions similar to ICES, a prescribed entity for health data in Ontario, but did so without the same levels of oversight. She observed that using the research provisions of PHIPA “to authorize large-scale research platforms that operate as an ongoing concern, such as UTOPIAN, can lead to many practical difficulties given the awkward fit” (at para 155).
Since UTOPIAN was no longer operating at the time of the decision, the investigator ultimately reached no conclusion as to whether it constituted “research”, and she declined to send the matter to adjudication. This is unfortunate given the University’s plans, acknowledged in the report, to seek REB approval to use the data already collected for further research studies. The investigator also noted in a postscript to her report that Queen’s University had applied for and received REB approval to create a similar project Ontario-wide project, called the Primary Care Ontario Practice-based Learning and Research Network (POPLAR). She noted that she had forwarded her decision on the UTOPIAN file to Queen’s University, highlighting for them her reservations about whether this type of project qualified for PHIPA’s research exception. She noted that the OIPC was open to consultation by Queen’s on this issue.
The conclusion of the UTOPIAN investigation is thus rather inconclusive. If UTOPIAN was ‘research’, it clearly breached several PHIPA requirements. What is less clear is whether it was ‘research’. If it was not, then there was no legal basis for the collection, hosting and sharing of this data. The investigator avoided making a call on the fundamental legitimacy of this data pooling project because it had ended at the time of the report, even though there appeared to be plans to make use of the already-collected data, and even though the concept had been embraced by another institution with plans for an even larger data pool. As a result, serious issues regarding the pooling of health data for research in Ontario remain unresolved.
Seen one way, the OIPC’s invitation to Queen’s University to consult with them regarding POPLAR signals the OIPC’s willingness to explore whether and how complex new proposals designed to enhance health research in Ontario can be reconciled with existing legislation. Seen another way, leveraging the research exception in this way seems to create a clearly inadequate framework for data sharing on this scale. This is evident when compared with the considerable safeguards for privacy and security protection in the case of prescribed entities. If prescribed entities are not meeting the needs of researchers, then perhaps the solution lies in law reform rather than privacy law hacks. What the decision lacks (and could not have been expected to provide) is an analysis of the landscape for health data research in Ontario, an assessment of the existing frameworks and any shortcomings they might have, and proposals to address any issues in a manner that both furthers research goals and protects privacy. This should be the role of government. The investigation report into UTOPIAN – situated within this public policy vacuum – leaves Ontarians with ongoing uncertainty and no clear path forward.