Recent changes to the Freedom of Information and Protection of Privacy Act (FIPPA) have placed additional requirements on hospitals with respect to the protection of privacy and, more significantly, the disclosure of information. Although hospital foundations are not directly subject to FIPPA, FIPPA has a significant impact on foundations and their relationships with hospitals.
Background to FIPPA: Application and Exclusions
Application of FIPPA to Hospitals
As of January 1, 2012, FIPPA applies to Ontario hospitals. FIPPA has two purposes:
- FIPPA establishes a freedom of information regime that requires institutions (including hospitals) to respond to requests for access to records in that institution's custody or control (subject to certain exclusions and exemptions) – this can include any hospital records that are about a foundation, and any foundation records that are held by a hospital or by another party on a hospital's behalf.
- FIPPA establishes a privacy protection regime that applies to the collection, use, disclosure, retention and destruction of (non-health) personal information by institutions – this applies to the sharing of personal information by hospitals with foundations, such as for fundraising activities.
Although FIPPA's application to hospitals is a recent change, the Act applies retroactively: FIPPA encompasses records that came into the custody or control of hospitals from 2007 onward.
See our previous bulletin FIPPA and Ontario Hospitals: Implementing Change for more information.
Exclusions Relevant to Foundation Information
Recognizing the sensitive nature of many hospital records, legislators have provided that certain types of records are excluded from the scope of FIPPA (and therefore not subject to its requirements). Some of these exclusions are specific to hospitals, while others are of a general nature. Exclusions that are relevant to the records of a hospital foundation or about a hospital foundation include exclusions for the following records:
- "ecclesiastical records" of a church or religious organization that is affiliated with a hospital;
- records relating to the operations of a hospital foundation; and
- records relating to charitable donations made to a hospital;
Although the above may seem to encompass all foundation records, these exclusions are new. It remains to be seen how the Information and Privacy Commissioner will interpret them. For example, it seems clear that the foundation's financial statements constitute a record relating to the operations of a hospital foundation; however it seems less clear that an agreement between the hospital and its foundation regarding office space or administrative support is a record that entirely relates to the operations of a hospital foundation. Furthermore, even if a record is excluded from FIPPA, a hospital may still choose to disclose the record (subject to any other legal or contractual obligations).
As a result, it is advisable that foundations work with their associated hospital to develop (or revisit and potentially revise) policies and procedures for the sharing of foundation information generally, as well as the exchange of records between foundations and hospitals. Such procedures can help to clarify and standardize information-sharing practices and minimize the risk that potentially sensitive foundation records will be unnecessarily or unintentionally disclosed.
Foundations should also acquaint themselves with their hospital's FIPPA-related policies and procedures.
In addition to FIPPA, foundations should also be alert to the fact that compliance with FIPPA, as well as the Broader Public Sector Accountability Act ("BPSAA") (of which the changes to FIPPA were one part), will result in greater public disclosure of information about the hospital's financial and other practices, including:
- freedom of information requests under FIPPA;
- disclosure of the use of consultants on hospital websites (BPSAA);
- disclosure of expense rules on hospital websites (BPSAA); and
- disclosure of compliance with the BPSAA on hospital websites.
This increased public access is expected to bring about many benefits, including enhanced public accountability and transparency for the health sector. It is important for foundations to consider how they will manage potentially contentious issues in light of their ongoing fundraising initiatives. For example, foundations should work with their associated hospital to establish processes for keeping informed of the above-noted hospital disclosures in order to be able to respond to donor queries in a forthright manner consistent with that disclosure. Foundations may also consider developing or revisiting contingency management plans in the event that sensitive or contentious hospital information is disclosed which may be damaging from a fundraising perspective.
Use of Personal Information
In the context of fundraising, hospitals and their foundations must be aware of and compliant with FIPPA requirements concerning the use of personal information. FIPPA restricts the use of personal information to purposes set out in that Act. Section 42 of FIPPA provides that a hospital may use personal information for fundraising purposes if the use is "reasonably necessary" for its fundraising activities. FIPPA outlines certain requirements that the hospital must abide by in using personal information for fundraising purposes, including certain notice requirements. Where a hospital foundation is using personal information originally collected by the hospital for fundraising purposes, the foundation will need to comply with these requirements. FIPPA also requires that hospitals have fundraising agreements with any persons to whom personal information will be disclosed for a fundraising purpose (including a hospital foundation). If not already completed, foundations should ensure that they have entered into a fundraising agreement with their hospital. According to FIPPA, these agreements must include certain specific provisions restricting the use of personal information.
Note that foundations may collect and store personal information independently from the hospital and, as such, the collection, use and storage of such personal information will not be subject to FIPPA (though it may, in certain circumstances, be subject to other privacy legislation).
Conclusion: What FIPPA Means for Foundations
Although FIPPA does not directly apply to hospital foundations, it is important for foundations to address the indirect effect of FIPPA on their relationship with hospitals. Specifically:
- Foundations should work with their associated hospital to establish or revisit procedures and policies for the sharing of information and records with hospitals and for keeping foundations informed of ongoing disclosure by hospitals for fundraising and donor inquiry purposes.
- Foundations should consider developing or revisiting plans for handling possible disclosure of contentious or sensitive hospital information through these new disclosure processes.
- If not already completed, foundations should ensure that they have a fundraising agreement with their hospital in order to permit the hospital to share personal information with the foundation for fundraising purposes.
- Foundations must abide by the notice and other requirements of FIPPA regarding use of personal information while engaging in fundraising activities.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.