Ensuring secure disposal of health records: Out of sight is not out of mind!

Case of Note: PHIPA Decision 266

Background

A complaint was brought to the Information and Privacy Commissioner of Ontario (IPC) alleging that a health clinic had failed to securely dispose of records of personal health information (PHI). To support the allegations, photographs of patient records found discarded in an unsecured recycling bin were provided.

The IPC wrote to the clinic to inquire into the allegations. The clinic provided a report to the IPC which raised additional concerns and the IPC initiated an investigation into the matter.

The IPC investigator took custody of the records retrieved from the recycling bin. Despite many of the records being shredded or torn by hand, the investigator was able to recover some sensitive information. This included dates of patient visits, a self-reported health history, a patient’s date of birth, and six other complete patient names associated with the clinic.

During the investigation, the clinic explained that staff began disposing of records to make more space. Some records were shredded; others were torn by hand to avoid noise from the shredding machine that might disturb patients during appointments. The discarded records were picked up by cleaners biweekly and placed in a dumpster in a locked garage area of the plaza where the clinic is located. From there, the garbage was picked up weekly by the local garbage collector.

The clinic acknowledged that the cleaners would have had access to the insecurely destroyed material. It recognized that further steps should have been taken to ensure secure disposal of this information. The clinic also advised that it lacked written policies or procedures for record retention and secure record destruction or disposal. Instead, staff relied on verbal instructions, which the clinic admitted were insufficient.

The clinic notified affected patients of the breach by sending them an initial notification letter. Subsequently, the clinic sent another notification letter to nearly 500 patients who may also have been affected.

Findings

The investigator found that at the time of the breach, the clinic was not in compliance with several sections of the Personal Health Information Protection Act (PHIPA). These include legal requirements for health information custodians to:

  • take reasonable safeguards to protect personal health information (s. 12(1)),
  • securely handle and dispose of records (s. 13(1)),
  • have proper information practices in place (s. 10(1)), and
  • follow those practices (s. 10(2)).

The investigator concluded that the clinic’s lack of measures and safeguards resulted in its failure to ensure that records of PHI in its custody or under its control were retained and disposed of in a secure manner.

To address the investigator’s concerns, the clinic created and put in place policies and training. This included a new privacy policy to address how the clinic routinely collects, uses, modifies, discloses, retains or disposes of PHI. The clinic also created a client records policy outlining specific measures to be taken to safeguard and securely dispose of client records.

All staff were required to review the new policies and submit a written acknowledgement of their understanding and willingness to comply with them. Two training sessions were also held to familiarize staff with the updated privacy practices and the clinic committed to conducting biannual training going forward. The clinic also updated its employee handbook with additional resources related to its obligations under PHIPA, including a PHIPA training video and links to the entire statute and other resources.

The investigator concluded that these remedial steps brought the clinic into compliance with PHIPA.

Lastly, the investigator found that the unsecured disposal of PHI constituted a loss of PHI, triggering the obligation to notify all affected individuals. While the clinic did provide notice, the investigator found a deficiency in the initial notification letter (which was remedied) and found that notice should have been provided more quickly. Overall, however, the investigator was satisfied that the clinic provided the notification required by section 12(2) of PHIPA.

Key takeaways

  1. Health information custodians (HICs) must ensure that PHI of their patients is secure at all times, including during the record disposal process.
  2. HICs must have privacy policies in place that address how they collect, use, modify, disclose, retain or dispose of PHI. These policies should specifically address measures to be taken to protect the security of patient records and the secure disposal of these records.
  3. Procedures for secure record disposal depend in part on the storage media used. If dealing with paper, as in this case, records should not simply be torn by hand. They should be properly shredded using a cross-shred or micro-cut shredder to ensure that the records cannot later be reconstructed. This can be done on-site, or, if using an outside agency, a formally signed contract or agreement should be in place. The agreement should address the need to ensure security and confidentiality of records during the disposal process and indicate the specific disposal method to be used.
  4. HICs should provide all staff with regular training on privacy policies and practices and the secure disposal of client records. Staff should receive training annually and be required to submit signed attestations acknowledging that they have read and understand the privacy policies.
  5. HICs must notify affected individuals when personal health information in their custody or control is stolen or lost, or is used or disclosed without authority. Unsecured disposal of PHI constitutes a loss of PHI, triggering the obligation to notify affected individuals.
