A source contacted the Information and Privacy Commissioner of Ontario to report that a multi-disciplinary health clinic was disposing of records of personal health information in an unsecured manner in contravention of the Personal Health Information Protection Act, 2004 (the Act or PHIPA). The investigator finds that the clinic, as the health information custodian in this matter, was not in compliance with sections 10(1) (Information practices) and (2) (Duty to follow practices), 12(1) (Security) and 13(1) (Handling of records) of the Act. However, considering the measures applied in response to the breach, including the creation and implementation of privacy and security policies, practices, procedures and training, the investigator finds that an order is not warranted.
PHIPA DECISION 266
Collection
Health Information and Privacy
Date
File Numbers
HI22-00028
Adjudicators
Alexandra Madolciu
Decision Type
Decision - PHIPA
Applicable Legislation
PHIPA - 1(a)
PHIPA - 3(1)
PHIPA - 4(1)
PHIPA - 4(2)
PHIPA - 4(3)
PHIPA - 10(1)
PHIPA - 10(2)
PHIPA - 12(1)
PHIPA - 13(1)