S4-Episode 10: Lessons in health privacy: Key takeaways from 2024
In this episode, Commissioner Patricia Kosseim delves into significant health privacy cases of 2024 with her colleagues from the IPC. The conversation highlights challenges, practical takeaways, and lessons learned from recent cases and investigations under Ontario's Personal Health Information Protection Act. Whether you're a health care provider, privacy professional, or legal expert, this episode is packed with actionable insights you won’t want to miss.
Notes
Episode Highlights:
- Ransomware attack on a medical imaging clinic and its implications for privacy and operations [2:28]
- LifeLabs cyber attack: joint investigations and key legal outcomes [8:55]
- Unauthorized access to patient files: training gaps and remedies [16:39]
- Abandoned health records: risks, regulatory actions, and preventative steps [26:02]
- Obligations under PHIPA when abandoned records are discovered [31:41]
Key Lessons:
- Proactive approaches to data breaches, including secure backups and notification protocols
- Monitoring dormant accounts and implementing least-privilege access policies
- Importance of privacy training for all staff, including physicians, on an annual basis
- Clear policies on patient privacy and deemed uses of personal health information
- Succession planning to ensure records aren’t abandoned in events like closures or retirements
Resources:
- PHIPA Decision 249
- PHIPA Decision 260
- PHIPA Decision 221
- PHIPA Decision 230
- LifeLabs 2020 Investigation Report
- How to Protect Against Ransomware
- Responding to a Health Privacy Breach: Guidelines for the Health Sector
- Succession Planning to Help Prevent Abandoned Records
- Stamping out snooping once and for all (blog)
- Artificial intelligence in health care: Balancing innovation with privacy (Info Matters podcast episode with Dr. Devin Singh)
- Unmasking digital threats: How to guard against cyber crime (Info Matters podcast episode with Jason Besner, Director of Partnerships at the Canadian Centre for Cyber Security)
- From the bedside to the board: Building a culture of privacy and security in health institutions (Info Matters podcast episode with The Ottawa Hospital’s Chief Information Officer, Shafique Shamji, and Chief Privacy Officer, Nyranne Martin)
- IPC Strategic Priorities 2021-2025
Info Matters is a podcast about people, privacy, and access to information hosted by Patricia Kosseim, Information and Privacy Commissioner of Ontario. We dive into conversations with people from all walks of life and hear stories about the access and privacy issues that matter most to them.
Transcripts
Patricia Kosseim:
Hello, I'm Patricia Kosseim, Ontario's Information and Privacy Commissioner, and you're listening to Info Matters, a podcast about people, privacy, and access to information. We dive into conversations with people from all walks of life and hear real stories about the access and privacy issues that matter most to them.
Hello listeners, and welcome to another episode of Info Matters. In this episode, we're diving deep into the realm of health privacy. We'll be reviewing a number of key challenges and lessons learned from recent IPC investigations and decisions under the Personal Health Information Protection Act, or P-HIPAA for short.
Health information custodians play a critical role in safeguarding personal health information, but navigating privacy rules in a complex and dynamic health system can sometimes be daunting. From cybersecurity breaches and ransomware attacks to snooping and abandoned health records, these cases highlight the risks and responsibilities at the heart of health privacy.
Our goal in this episode is to provide practical takeaways for health information custodians to strengthen their privacy practices and ensure compliance with the law. Whether you're a health provider, a health lawyer, a chief privacy officer, or a chief information officer in either the public or private sector, this episode is packed with practical insights you won't want to miss.
My guests for this episode are all colleagues who work with me here at the IPC. Jennifer Olenick is an Adjudicator in our Tribunal and Dispute Resolution Division. Linda Chen is a Lawyer in the IPC's Legal Services Department specializing in administrative law and litigation. Alana Maloney is a Mediator and Investigator with the IPC's Investigation Team, and Fida Hindi is a Lawyer in the IPC's Legal Services Department specializing in health privacy law. Welcome to the show, colleagues.
Jennifer Olenick:
Thanks for having us.
Linda Chen:
Thank you. It's good to be here.
JO:
Great.
PK:
Well, Jennifer, let's start with you. You rendered a decision known as P-HIPAA Decision 249 that involved a privacy breach at a medical imaging clinic. Can you provide a bit of background about what happened in that case?
JO:
Sure, happy to. So this is a situation that is sadly becoming all too common, because what we were dealing with in this case was a ransomware attack. So this was a medical imaging clinic who were hacked, and this hacking group encrypted the files on their electronic record servers and their file sharing servers so that the clinic couldn't access them. They also exfiltrated, or took those records as well. The hacker also deleted the backup systems, so the clinic wasn't able to just sort of simply restore from backup.
The result of this was that about a little over a half million patient records were taken by the hacker: the contact information, names, part of the health card number, and dates of birth, so information that's significant to people. The other result was that the clinic was essentially not able to function for about two weeks while it worked to resolve the situation, which it eventually did by actually paying the ransom, getting a decryption key from the hackers, as well as assurances that they wouldn't do anything further with that personal health information.
PK:
So quite serious, indeed. Can you tell us what did the clinic do in terms of immediate steps in response to the breach?
JO:
The first thing they did was they contained it. That meant that they took the affected servers off the internet. They also severed their connection to their other servers via their virtual private network. In addition to that, they actually shut down their critical servers. So they basically removed everything and made it inaccessible.
They also engaged breach investigators to find out what happened here. And what they found out was that the hacker gained access to the system using a dormant account. So this was an account that had been used by a previous employee of the medical imaging clinic. The employee was actually an app developer, so he had significant access privileges to the systems. And they think that the hacker somehow gained access to those credentials, whether that was through guessing the password or another method, and logged in that way. And because the account had so many privileges associated with it, the hacker was able to sort of go where they wanted and do as much damage as they did.
In addition to that, they also notified the public that this had happened by describing the incident, the information that was taken, and they put this information both as a pop-up on their website and posted it within the clinic's offices.
PK:
So all these steps they took clearly following the incident in terms of containing the breach, notifying individuals, investigating what happened. And when the dust settled on all of this, what did the clinic do to reduce the chances of a privacy breach like this from happening again in the future?
JO:
They put in place some additional policies, especially regarding the dormant accounts and the privileges associated with accounts. If it's dormant for 90 days or more, you get one warning and then the account gets deleted. They put in place a least-privilege policy, which means that only the employees who need additional privileges for their accounts actually have them. And at this point, that's only two employees at this medical imaging clinic that have the highest level of administrative privileges.
They also importantly put in place a different backup system. So the reason that the hacker was able to delete the backups in this case was that both were connected to the system. While they couldn't go into the backups and see what was happening, they were able to go in and delete them entirely. What they have in place now is one backup is always offline. So no matter what happens, the hacker shouldn't be able to get into that backup. And while that doesn't eliminate a breach happening or a ransomware attack happening, it does allow for the clinic to get up and running, potentially without having to pay a ransom again.
PK:
So what are some of the key takeaways that other institutions listening to this can learn from this particular case?
JO:
I think the key takeaway here is you have to pay attention to the basics, so things like monitoring for those dormant accounts. You can't just lose track of them because something can happen in future. Make sure that all the accounts that you have in place are actually being used by people. Are they necessary? Make sure of that. Also, make sure that only those who need the privileges actually have them. So don't have regular staff having more privilege to the systems than they actually need. That can reduce the effect of a breach that occurs. And finally, you need to keep an eye on those passwords. So you need to have proper policies in place so that employees understand that they need strong passwords, they need passwords that can't be easily guessed. They need passwords that they haven't used before in other circumstances.
Another lesson here is that you should keep an eye on your backup systems and ensure that you always have one that a hacker won't be able to access. You can set up the system how you want, but you have to make sure that the backup at the end of the day serves its purpose.
PK:
Which in this case would have allowed the clinic to continue on with its operations, had it had access to a backup system offline.
JO:
Certainly to resume them much more quickly than they were able to, yes.
PK:
Well, thank you so much for that. And I'm going to switch gears for a moment and turn to you, Linda, to talk about a case that made headlines across Canada. In 2019, a cyber attack on LifeLabs' computer systems affected the personal health information of approximately 8.6 million customers located primarily in Ontario and British Columbia. Our investigation investigated the cyber attack jointly with the Information and Privacy Commissioner for British Columbia. We finalized our joint report back in June, 2020, and all of our orders and recommendations from that report have since been complied with by the company.
So this case is kind of old news, but until recently it was no news, and that's because the company challenged our ability to publish our joint investigation report, claiming that some of the information contained in the report was the subject of solicitor/client or litigation privilege. The company's claims prevented our ability to release the report until very recently, that is. So Linda, can you describe what were the kinds of documents that LifeLabs was claiming privilege over?
LC:
Thanks, Patricia. Yes. There were a number of documents that LifeLabs was claiming privilege over. These documents included a forensic report from an IT consultant about the causes of the cyber attack, what systems were affected, and essentially how to remediate the problem and prevent cyber attacks of this nature in the future. There was also the internal LifeLabs data analysis. This was done by LifeLabs in order for them to figure out which of their customers, and as you mentioned, it was 8.6 million Canadians who were affected by this particular data breach. They also claimed privilege over the correspondence that their consultant company had directly with the cyber attackers. So these were negotiations with respect to the ransom, and they claimed privilege over these as well.
In addition, there were a couple of documents that were responses to questions to LifeLabs put to them by the commissioners. But because LifeLabs routed them through lawyers, they took the position that these documents were also subject to privilege. And for those who are not familiar with these concepts generally, solicitor/client privilege is in general terms confidential communications between clients and their lawyers made for the purpose of giving or receiving legal advice. And litigation privilege in general terms protects documents where the dominant purpose for the creation of the documents is to prepare for litigation. And LifeLabs claimed both solicitor/client privilege and litigation privilege over all of these documents.
PK:
And what did the commissioners originally decide in regard to these privilege claims?
LC:
The commissioners originally decided that LifeLabs had simply not provided enough evidence to establish that the legal tests for these kinds of privileges were met. The commissioners noted that some of the facts from these documents existed outside of the documents themselves, and a number of these facts existed, for example, in public reports. The Saskatchewan Information and Privacy Commissioner released their report into the LifeLabs cyber attack a month before the commissioners in BC and Ontario finalized their report. And in the Saskatchewan report were a number of facts over which LifeLabs claimed privilege over with respect to the Commissioners' investigation in BC and Ontario.
PK:
The company then applied to the court to judicially review the Commissioner's decision regarding these privilege claims. And what did the Ontario Divisional Court ultimately decide?
LC:
The Ontario Divisional Court ultimately decided that the claims of privilege made by LifeLabs with respect to the facts that were ultimately included in the Commissioner's investigation report were not supported by evidence. And the court noted that solicitor/client privilege does not extend to protect facts that are required to be produced by the regulated party, in this case LifeLabs, pursuant to a statutory duty or obligation, in this case, under P-HIPAA and under the Personal Information Protection Act in British Columbia. LifeLabs was required to investigate and remediate the cyber attack. They were required by law to do that. And so, this information that was related to that investigation and remediation could not be privileged with respect to the Commissioner's investigation.
The court also found that LifeLabs couldn't just avoid these responsibilities by placing facts about the privacy breaches inside documents and then claiming privilege over them. So simply giving a document to a lawyer or having one's lawyer request a document does not on its own make the document or facts that are inside the document privileged.
PK:
Now, the company also challenged our ability to issue a joint decision with our BC colleagues claiming we had no authority to exchange information, and that doing so would somehow affect our impartiality. What did the court have to say about that argument?
LC:
The court also dismissed that argument. They found that firstly, LifeLabs was well aware of the fact that the Commissioners were acting jointly, both in the investigation and the proposed joint investigation report. The court also found that both regulators, both the BC and IPC, had a statutory authority that allowed them to share investigations and coordinate investigations into privacy matters. And that there's ample precedence for these kinds of joint investigations that have occurred between different Canadian privacy regulators.
And this is incredibly important, because obviously with things like cyber attacks and Jennifer mentioned how these are becoming more and more common, they don't observe provincial boundaries. They don't observe federal boundaries. So it's really important that the court affirmed the fact that the IPC could undertake these joint investigations and joint decision-making with other regulators.
PK:
Indeed, very important finding. Now the Ontario Court of Appeal dismissed LifeLabs' request for leave to appeal the lower court decision, which means that the decision of the Ontario Divisional Court stands as the last word on this matter. So going forward, Linda, in terms of key takeaways, what does that decision mean for privacy investigations in the future?
LC:
One of the things it means is that a simple claim by a health information custodian that something is privileged or a document is privileged won't be enough. They should be expecting to provide sufficient and clear proof to support those privilege claims to support the idea that those documents are protected and meet the legal test for those privileges. And health information custodians should be aware that facts that are required to be produced to a regulator in the course of an investigation would likely not be protected by privilege, and health information custodians should be prepared to produce those facts in the course of a regulatory investigation.
And this is especially true when these facts have an independent existence outside the document over which the health information custodian is claiming privilege. And that doesn't mean that a health information custodian can never prove that a particular document is privileged. They just have to provide sufficient evidence to show that that's the case. And even where a document may be privileged, that doesn't undermine the fact that a regulator has access to certain facts that are relevant to the inquiry with respect to the privacy breach. So health information custodians should be aware that just because a document is privileged doesn't mean every single fact in that document will also be subject to privilege.
PK:
Thank you, Linda. I know many organizations in Ontario were very interested in the outcome of this decision, as were regulators in other jurisdictions across Canada. So a very important case, and thank you for all the work that you did in advancing the jurisprudence on this matter. Alana, I'd like to turn to you now. You investigated another health privacy case this year, P-HIPAA Decision 260, that involved a patient accessing patient records without authorization. Now, the hospital that discovered the breach contacted our office to report it. What were the facts of this case?
Alana Maloney:
Thank you, Patricia. So the hospital had explained to us that a doctor who was working at the hospital noticed a blank note in a patient chart by another physician who had not been working on that particular day. Once they noticed this, they alerted hospital staff. So hospital staff initiated an investigation. This investigation included completing and reviewing targeted audits of the physician's accesses, and also interviewing the doctor.
At the end of this investigation, the hospital determined that the physician had accessed just under 4,000 patient files without authorization. And these unauthorized accesses were brought to the physician's attention by the hospital. And he actually admitted to accessing the patient files that the hospital had identified as unauthorized. And what he explained was that he was doing it for educational purposes. So he believed that accessing the hospital's electronic health records of patients to educate himself was an authorized use of personal health information.
And in this case, the physician had recently moved to the community in the middle of Covid-19 pandemic to start working at the hospital and was trying to learn and educate himself. So as part of the investigation, the hospital determined that his accesses weren't targeted. He didn't search for the patients, and the physician didn't have a personal affiliation with the patients that he accessed. The physician ended up providing an apology. He was retrained by the hospital, required to sign confidentiality agreements, and his access was monitored by the hospital. They found no further accesses by this doctor after this breach for individuals that he did not provide care to.
PK:
So clearly, this was a situation of perhaps a well-meaning physician who thought he had the authority to do what he did, but as it turned out, these were unauthorized accesses. Can you tell us what your investigation ultimately found in this case?
AM:
What we found was that there were a number of issues at the time of the breach that were in violation of the Personal Health Information Protection Act. So one of the main issues we identified related to concerns about a lack of privacy training for physicians and a lack of annual signing of confidentiality agreements by physicians. In fact, we found that the hospital did not provide annual privacy training for its physicians at all or require them to sign confidentiality agreements on an annual basis. So although the hospital had a policy that required privacy training and signing of confidentiality agreements for all staff, they were not actually providing this for its physicians. They had mechanisms in place for their staff members to do privacy training and sign confidentiality agreements on an annual basis, but they did not have that for the physicians, and they actually weren't tracking them.
In addition to that, we also determined that there was no policy or guidance provided about the use of personal health information for education purposes. So this was the explanation that the physician had provided as to the reason why he was using the personal health information or accessing it, patient records, that he had not been provided any guidance or training. And there was no policy that set out what the hospital's expectations were for its staff members when they wanted to use personal health information for education purposes.
PK:
So a number of important findings. No policy on use of personal health information for education purposes. There was no training or signing of confidentiality agreements for physicians, no mechanisms in place for tracking how many had actually done so in practice, so very important findings. Now you intervened and you worked really hard with the institution to remedy many of these issues to great results.
AM:
So by the end of our investigation, the hospital did a lot of great work and they have a mechanism in place for physicians to be provided with privacy training and signing confidentiality agreements on an annual basis. And in 2024, 100% of physicians had completed the privacy training and signed confidentiality agreement for this year, which is a great improvement from where they were at before the breach had occurred.
In addition to that, the hospital has also updated its policies to provide direction on the use of personal health information for education purposes. So now all staff will have somewhere to look at to provide them with guidance on how to use personal health information for education purposes that is authorized under the act.
PK:
I think those are great results and a good news story all around. So in terms of some key lessons for other health information custodians, what are the key takeaways you would say arise from this case?
AM:
So I think there are really four key takeaways that came out of this case. And I think for me, the most important one is that health information custodians must provide privacy training for all staff members, including physicians upon hire and on an annual basis. Whether it be a nurse, an administrative staff, a physician, they need to receive privacy training and sign confidentiality agreements upon hire and on an annual basis. It is inadequate for a health information custodian to have different expectations for privacy training and signing of confidentiality between its physicians and its other staff members.
My second takeaway that should be highlighted is that health information custodians really must provide clear guidance on the use of personal health information for education purposes. They must also have a privacy policy in place that provides clear guidance on expectations and requirements for privacy training and signing of confidentiality agreements. And finally, health information custodians really need to implement tracking systems that ensure that all of their staff, including physicians, complete the privacy training annually and sign and renew confidentiality agreements on an annual basis to make sure that they're in compliance with their policies and the expectations of P-HIPAA.
PK:
Great work, Alana. Now, in this incident, the physician recognized his error. The hospital updated its privacy training, confidentiality agreements and privacy policy, and the matter was resolved. However, this isn't always the case with some of our snooping incidents that we investigate. In fact, as part of its enforcement powers, our office now has the discretion to issue administrative monetary penalties, or AMPs, for violations of Ontario's health privacy law in more serious cases. And in the most egregious of situations, we can also refer snooping cases to the Attorney General of Ontario for prosecution. This has led to charges being laid under P-HIPAA and several successful convictions against individuals who faced steep fines as a consequence of their actions. The Ontario Provincial Police laid charges against three people in three separate privacy investigations that took place over the last year at three separate hospitals across the province. These three cases involved allegations of inappropriate access to electronic medical records related to P-HIPAA, and another pretty egregious snooping case just resulted in fact in a successful prosecution. Fida, can you tell us about that recent case?
Fida Hindi:
Yes, I can. We recently were informed that a person was convicted in October of this year of an offense under P-HIPAA related to snooping into patients' records of personal health information. That included other staff members of the custodian where this person was employed and the staff members' family and the snooper's own family. That person was an employee of a hospital. They pled guilty to an offense under subsection 72(1)(a) of P-HIPAA, was fined $10,000, and in addition is required to take a victim fine surcharge in the amount of $2,500.
PK:
So that is no small matter by any stretch. Now, Fida, if I can continue with you for a moment to switch gears and talk about our next case that touches on the issue of abandoned health records. Now this can happen for a variety of reasons. For example, when a health information custodian retires or declares bankruptcy or even dies, this might result in health records being abandoned if there's no succession plan in place. And our office often gets involved when we get a call informing us of abandoned health records. And this is exactly what happened in P-HIPAA Decisions 221 and 230, which concerned health records left in limbo after a medical clinic closed up shop. So Fida, can you take us through the details of that case?
FH:
Yes, I can. It was a particular case where a medical clinic ceased operation on a property due to the fact that a creditor took possession of the property and then sold the property. So there were abandoned records that were left on the property, some of which were moved to a storage company by the property management company that was hired by the creditor. And then, there were other records as well that were left on the property itself that then came into possession of the entity that purchased the property from the creditor. That's how the file started, and the property management company had notified our office of the abandoned records.
PK:
Wow. A whole constellation of actors involved there. So where was the health information custodian or the original medical clinic owner in all of this?
FH:
Yes. So the health information custodian in this particular case was in contact with our office and they had attempted to retrieve the records. However, the storage company had unpaid fees for the storage and wanted those fees to be paid before they would release the records back to the custodian.
PK:
Wow. So what did Adjudicator Jepson finally order in this case? What did she have to do in order to preserve the records?
FH:
So things got quite complicated in this file because the property management company during the investigation actually threatened that they would instruct the storage company to destroy the records if they weren't going to be picked up with a very tight timeline of 24 hours. And because of that, the adjudicator issued an interim order to preserve those records and to stop the property management company from directing the storage company to destroy them. And then, a final order was then issued, P-HIPAA Decision 230, where findings were made with respect to certain requirements that needed to be made under the act and to permit the custodian to go and retrieve those records.
PK:
Wow, very serious. If I were a patient of that medical clinic, the idea that my file, my records could be permanently destroyed with no ability to reconstruct or access them is very scary when my whole personal health information history resides in those records. So this was very serious. And the good news, I hope from all of this is that the records were retrieved, were preserved and we saved them from being destroyed ultimately. Is that correct, Fida?
FH:
That's right. And I completely agree with you in terms of the seriousness of the issue that led the adjudicator to issue the interim order, given that if the records were destroyed, that that could seriously affect patients' provision of care and their ability to access that information. And so, that interim order ordered that the records not be destroyed, that the property management company not direct the storage company to destroy the records. And the order also required the storage company to actually secure the records and to not provide them to the property management company until our office had dealt with the matter in a final order, in a final decision.
PK:
So clearly, there are so many lessons to be learned from this case. So very practically then, what should a provider do to put a contingency plan together, some business continuity plan of some sort in advance to avoid abandoning records containing personal health information such as upon death or retirement or say bankruptcy?
FH:
Yes. I think it's very important for a health information custodian to have a succession plan in terms of whether there is a bankruptcy, there's a death, or they just wish to cease operation as to what will happen to those records of personal health information. And that will be dependent on a number of legal obligations that the health information custodian would need to consider. If you are a professional that is regulated by a college, there may be specific retention requirements that you would need to abide by with respect to those records. So speaking to legal counsel and determining how long records need to be retained for is very important. And then, once you have that understanding, then creating a succession plan in terms of how long will they be kept, who will the records be kept by, in what state, and how notice is going to be provided to the individuals so that they may retrieve the records or obtain a copy of them if they wish to do so.
PK:
Particularly say if they want to transfer to another provider and they want to take their record with them to ensure continuity of care. Now another important lesson that comes out of this is what a person should do if they come into possession of abandoned health records, because they too have obligations under PHIPA. So Fida, what's the lesson there?
FH:
So under PHIPA, we have Section 49 that deals with recipients of records of personal health information. So if you receive personal health information from a health information custodian, you may be found to be a recipient under the Act. And if that is the case, there are certain obligations that would need to be met in terms of any use or disclosure of that information by the recipient.
PK:
So in other words, they can't use or disclose those abandoned health records that they find without authorization.
FH:
So there are certain parameters that are set out under Section 49 that restrict any use or disclosure of information that comes into the possession of a recipient within the meaning of Section 49.
PK:
And what are possible consequences if a person who comes into possession of abandoned health records, say a recipient under PHIPA, decides to intentionally destroy them?
FH:
Yeah, so the person may be charged with an offense under Section 72 of PHIPA if you contravene the Act intentionally. So that may result in the charge of an offense, and if the person is convicted, they may be fined if they're an individual for a fine up to no more than $200,000 or to a term of imprisonment of not more than one year or to both.
PK:
So clearly, a very serious matter and very important takeaways for anyone who comes into possession of these abandoned health records or receives them under the terms of PHIPA. Thank you so much, Fida.
FH:
Thank you.
PK:
Well, my thanks to all of you for joining me on the show today and for all the great work you do in the area of health privacy every day.
LC:
Thank you, Commissioner.
JO:
Thank you.
AM:
Thank you.
FH:
Thank you for having us.
PK:
So for listeners out there, now you know all the amazing people I get to work with every day here at the IPC. We hope these noteworthy health privacy cases of 2024 have left you with actionable insights to strengthen your understanding of PHIPA obligations and help support your compliance efforts. Each case serves as a powerful reminder of the importance of being vigilant when collecting, using, and disclosing personal health information, taking appropriate steps to protect and safeguard the information, and assuming accountability when things go wrong. By learning from these examples, health information custodians can take proactive steps to revisit their own practices and reflect on any additional measures they might have to take to ensure compliance with the law.
For listeners who want to learn more about protecting personal health information, I encourage you to visit our website at ipc.on.ca. There are also links in the show notes to the decisions we discussed today, as well as several other related guidance documents. You can always call or email our office for assistance and general information about Ontario's access and privacy laws.
Well, we've come to the end of another episode, folks. Thanks so much for listening, everyone. And until next time, I'm Patricia Kosseim, Ontario's Information and Privacy Commissioner, and this has been Info Matters. If you enjoyed the podcast, leave us a rating or review. If there's an access or privacy topic you'd like us to explore on a future episode, we'd love to hear from you. Send us a tweet, @ipcinfoprivacy or email us at @email. Thanks for listening, and please join us again for more conversations about people, privacy, and access to information. If it matters to you, it matters to me.