When a patient sues a doctor for medical malpractice, the doctor is entitled to defend himself or herself, including by reviewing the relevant medical records. The records production happens through the Rules of Civil Procedure, which require both sides to disclose relevant documents. Defence counsel obtains a copy of the hospital chart through that process and shares the relevant material with the defendant physician. That is the proper channel.
What the proper channel does not include is the defendant physician logging into the hospital’s electronic medical records system, on his own initiative, to look up his former patient’s chart. That is a different category of access, and it raises issues under the Personal Health Information Protection Act, 2004 (PHIPA) regardless of how legitimate the underlying purpose may be.
Martin (Estate) v Health Professions Appeal and Review Board, 2023 ONSC 2993 is a Divisional Court decision that addresses that distinction. The court found that the College of Physicians and Surgeons of Ontario, in dismissing a complaint about a defendant physician’s unilateral access to his former patient’s hospital records, had misapplied PHIPA. The matter was sent back to the Health Professions Appeal and Review Board (HPARB) for reconsideration.
The facts
Robert Martin attended the emergency department of St. Thomas Elgin General Hospital with a left-leg tibial fracture. Dr. Amit Shah saw him for approximately four hours during that single visit and ultimately transferred him to another hospital. The treating relationship between Dr. Shah and Mr. Martin ended at that point.
Mr. Martin’s leg subsequently developed compartment syndrome, leaving it severely deformed and disabled. He commenced a medical malpractice action against Dr. Shah for failing to diagnose the compartment syndrome during the ER visit.
In the course of pursuing his claim, Mr. Martin discovered that Dr. Shah had accessed his hospital records on several occasions over a four-year period, despite no longer being part of his circle of care. The hospital records in question were held by London Health Sciences Centre, the hospital that took over Mr. Martin’s care after the transfer. They were not Dr. Shah’s own records and were not held by St. Thomas Elgin.
Mr. Martin filed a complaint with the College of Physicians and Surgeons of Ontario.
The CPSO and HPARB decisions
The Inquiries, Complaints and Reports Committee of the CPSO dismissed the complaint. It found that Dr. Shah’s access to the records was authorized under section 37(1)(h) of PHIPA, which permits a “health information custodian” to use personal health information for the purpose of a proceeding to which the custodian is, or is expected to be, a party or witness. Because Dr. Shah was a defendant in the malpractice action, the ICRC found that he was permitted to access the records to defend himself.
HPARB upheld the ICRC’s decision as reasonable on review.
Mr. Martin, and after his death his estate, sought judicial review at the Divisional Court.
The Divisional Court’s decision
The Divisional Court allowed the application and remitted the matter back to HPARB for reconsideration. The reasoning turned on a fundamental misapplication of PHIPA.
PHIPA distinguishes between “health information custodians” (typically hospitals, public health authorities, and certain other organizations that hold personal health information) and “agents” of custodians (individuals such as physicians who have access to information on behalf of, and under the direction of, a custodian).
In the circumstances of Martin, the custodian of the records was London Health Sciences Centre, the hospital that held them in its electronic medical records system. Dr. Shah was not a custodian; he was an agent of LHSC for the purpose of accessing those records.
Section 37(1)(h) of PHIPA authorizes a custodian to use personal health information for the purpose of a proceeding. It does not, by its terms, authorize an agent to make unilateral use of records held by a custodian. The agent’s access is governed by section 17(1) of PHIPA, which requires the agent to act on behalf of the custodian and within the limits of the custodian’s authorization.
In addition, the CPSO’s policy on protecting personal health information requires physicians who are agents of a custodian to contact the custodian to determine whether release of a former patient’s information is permitted. Dr. Shah did not do that. He accessed the records directly, using his hospital credentials.
The ICRC, the Divisional Court found, had treated Dr. Shah as a custodian rather than as an agent. By focusing exclusively on section 37(1)(h) and not considering section 17(1) or the CPSO policy, it had not adequately considered whether Dr. Shah’s access was lawful.
Two further facts were relevant to the analysis. First, Dr. Shah had already received copies of the relevant records through document production under the Rules of Civil Procedure, supplied to him by his counsel. The documents he needed for the litigation were already in his counsel’s hands. Second, Dr. Shah’s unilateral access continued over a four-year period and on multiple occasions. The pattern was not consistent with discrete inquiry related to a specific litigation step.
The Divisional Court did not decide whether Dr. Shah’s conduct breached PHIPA. It decided only that the ICRC’s analysis was incomplete and that the matter required reconsideration with the proper framework.
The doctrinal context
Martin sits at the intersection of three areas: privacy law (PHIPA), regulatory discipline (the CPSO complaints process), and medical malpractice litigation. The case clarifies that:
- PHIPA distinguishes meaningfully between custodians and agents, and the analytical path for each is different
- Section 37(1)(h) is a custodian-side provision and does not, by itself, authorize unilateral access by an agent who is a defendant in litigation
- Defendant physicians who need records for litigation must obtain them through proper channels: through their counsel, who in turn obtains them through document production under the Rules of Civil Procedure
- The CPSO’s policy on protecting personal health information imposes additional requirements that the ICRC must consider in any complaint about physician records access
The case is a relatively rare example of the Divisional Court intervening in a CPSO disposition. The intervention is doctrinally narrow but practically significant.
Why this case matters
For plaintiffs and their counsel. Martin establishes that defendant physicians in malpractice cases cannot simply access their former patients’ hospital records on their own initiative. If a physician is found to have done so, particularly on multiple occasions over an extended period, that conduct may itself form the basis of a regulatory complaint. The audit trails maintained by hospital electronic medical records systems provide a clear record of who accessed what and when. Counsel investigating a malpractice claim should consider, where appropriate, requesting an audit log to determine whether the defendant physician accessed records outside the ordinary course. Where the audit log shows a pattern of unilateral access, the conduct may also be relevant to credibility and to the assessment of the physician’s conduct in the underlying litigation.
For defendant physicians and their counsel. The case is a clear instruction that records needed for litigation should be obtained through document production, not through direct access to the hospital’s electronic system. Where access is required outside the document production framework, for example to refresh recollection on the original encounter, the physician should contact the hospital’s privacy officer to obtain authorization, document the request and the basis for it, and proceed with the custodian’s permission. Self-help is not the answer.
For hospitals. Martin is a reminder of the importance of audit trails and of the privacy office’s role in mediating physician access to former patients’ records. The case did not turn on a hospital failing in its obligations, but the analysis assumes that hospitals will have policies, audit functions, and authorization procedures in place. Maintenance of those systems is now reinforced by the regulatory consequences for physicians who bypass them.
For more on physician compliance and the broader regulatory framework, see Should I File a CPSO Complaint Against My Doctor? For other Ontario decisions on records and privilege in medical malpractice litigation, see Algarawi v Berger: Quality Review Records Privileged at Common Law and Salamaszynski v Michael Garron Hospital: Litigation Privilege Holds Despite a Late-Emerging Recollection. For practical information about obtaining medical records, see How to Get Your Medical Records in Ontario.
Decision Date: May 18, 2023
Jurisdiction: Divisional Court of the Ontario Superior Court of Justice
Citation: Martin (Estate) v Health Professions Appeal and Review Board, 2023 ONSC 2993 (CanLII)
