Lost and found: Preserving abandoned health records
Case of Note: PHIPA Decision 221 (interim) and PHIPA Decision 230 (final)
Background
The Information and Privacy Commissioner of Ontario (IPC) was contacted about a case of potentially abandoned medical records at a storage facility. The report came from a property management company that was acting on behalf of a creditor of a medical clinic. The medical clinic had previously operated at a property that the creditor sold to a new owner. The IPC later learned that the property management company had taken possession of the property and the records (on behalf of the creditor) and moved the records from the property to the storage facility.
The IPC began a review under the Personal Health Information Protection Act (PHIPA). During the review, the IPC urged the medical clinic, which was the health information custodian (HIC) in this case, to retrieve and secure the records. The HIC was unable to do this because it could not pay the storage facility. Meanwhile, the property management company threatened to destroy the records.
The IPC issued an interim order (PHIPA Decision 221) on an urgent basis against the creditor, the storage facility, the property management company, and their agents, to preserve the records and prevent their destruction. The parties complied with the order.
Findings
The IPC completed the review and issued the final order, PHIPA Decision 230, including the following findings and orders:
- The adjudicator found that the use and/or disclosure of the records by the creditor, the property management company, the storage facility, and the new owner is governed by section 49(1) of PHIPA, which sets out the obligations of “recipients” of personal health information.
- The adjudicator found that the storage facility and the property management company contravened section 49(1) of PHIPA by withholding some of the records from the HIC, and ordered them to return these records to the HIC.
- The adjudicator ordered the HIC to retrieve and secure the records in fulfillment of its obligations under sections 12 (security) and 13 (handling of records) of PHIPA.
- The adjudicator made other orders against some of the respondents that were needed to preserve and secure the records until the HIC retrieved them.
Key takeaways
- When personal health records are found abandoned, the individual who finds them should take measures to preserve them. People who discover abandoned records may be found to be “recipients” of personal health information, which triggers some important responsibilities under sections 7(1)(b)(ii) and 49 of PHIPA. Chiefly, individuals who find abandoned records must not use or disclose any personal health information without authorization.
- HICs and their agents must take all reasonable steps to ensure that personal health information under their custody or control is safeguarded against theft, loss, and unauthorized use or disclosure, as per section 12(1) of PHIPA. This includes making contingency plans well in advance to ensure the secure preservation of records in the event of bankruptcy, retirement or death. This also includes ensuring that any contractual arrangements between HICs and vendors, such as storage companies, reflect their responsibilities to manage and safeguard records of personal health information.
- If records containing personal health information must be moved or disposed of, HICs and their agents must ensure that the records under their custody or control are retained, transferred, and disposed of in a secure manner, and in accordance with prescribed requirements. This is in keeping with section 13(1) of PHIPA.
- If an individual finds abandoned records, they should see if they can identify the HIC from the records. If they can, they should contact the HIC and arrange to securely return the records.
For more information, please see the IPC’s guidance on Avoiding Abandoned Health Records and the IPC’s fact sheet on Succession Planning to Help Prevent Abandoned Records.