Many hospitals are receiving requests under the Freedom of Information and Protection of Privacy Act (FIPPA) for contracts that they have entered into with third party vendors. Not surprisingly, third parties tend to be highly protective of their commercial information and may be shocked to learn that their contracts with the hospital are at risk of being disclosed. A recent case involving a regional municipality and a bus service company shows that the Information and Privacy Commissioner/Ontario (IPC) will disclose final contracts, including ones that contain a vendor’s hourly rates and other financial incentives.
Order MO-2738 involved a request for access to a contract between the region and a company that operated the region’s transit services. The region denied access to parts of the contract under the mandatory third party exemption. The information at issue included schedules that contained financial information consisting of a summary of billable hours, hourly rates and certain incentive and disincentive payments applicable under the contract.
While the IPC found that the information qualified as being commercial, financial and technical information, it ordered the region to disclose the contract. The IPC held that the contract did not contain information that was “supplied” by the bus company to the region within the meaning of the third party exemption. In particular, it found that the information incorporated into the contract was mutually generated or the subject of negotiation. The IPC referred to other cases in the Request for Proposal context where the proposal of terms by a third party that is then transferred into a final contract indicates that the contents of the contract were subject to negotiation and will not qualify for the exemption.
Key messages for hospitals and health care organizations subject to FIPPA or MFIPPA: While many hospital vendors are aware that hospitals are now covered under FIPPA, they may not appreciate that their contracts with hospitals are at risk of being disclosed if a request for access is made.
- Hospitals may consider being pro-active in communicating with their vendors about this risk in order to avoid vendor surprise when a FIPPA request comes in.
- Hospitals should also keep in mind that when a request is made for a vendor’s contract, notwithstanding the IPC’s tendency to order disclosure in these situations, they should notify the vendor and provide them with an opportunity to provide representations regarding disclosure. Not only is the threshold for requiring the hospital to notify third parties low under FIPPA, it is best practice in order to maintain good vendor relations.