Complaint
The custodian shared the complainant’s highly sensitive personal health information (PHI) with their parents who were not listed as their emergency contacts.
The complainant pointed out that, unless there is consent, under section 59 of HIPMA a release of PHI to an immediate family member is limited to their name, general health condition and location. The complainant alleged that the PHI disclosed by the custodian far exceeded this information.
Investigation
We substantiated the privacy breach as the custodian had disclosed the complainant’s PHI without authority under HIPMA.
Decision
Non-compliant. This privacy breach resulted from a lack of staff training about their obligations under HIPMA and consent requirements. This finding is common with privacy breaches.
Recommendations
Accepted. The custodian accepted our recommendation to implement staff training on HIPMA consent provisions.