Laws Of .com

Ontario's Privacy Commissioner Issues First Health Privacy-Related (PHIPA) Order

On October 1, 2005, an Information and Privacy (IPC) commissioner was contacted and advised that patient health records were being blown around the streets of downtown Toronto during a film shoot. Based on this information, the commissioner immediately initiated a review pursuant to section 58(1) of the Personal Health Information Protection Act, 2004 (the “Act”). The review followed standard privacy breach protocol: an initial meeting was arranged with key staff members to review the known facts, an action plan was developed, and responsibilities were assigned for parties to carry out.

Once the known facts were reviewed, the likely chain of events that led to the patient health records appearing on the set of the Toronto film shoot became apparent. The events were initiated by a dispute with a landlord over stored boxes at a Toronto Clinic. Thereafter, the stored boxes were removed and taken to a Richmond Hill clinic where they were designated for disposal. The records were too numerous to fit inside the shredding bin, and a Paper Disposal Company’s driver mistakenly assumed the boxes were being taken for recycling and not shredding. The staff at the Paper Recycling Company subsequently provided the boxes of paper to a special effects company that needed a large volume of paper for a film set.

The commissioner made the following findings:

  1. The information in the records qualified as “personal health information”, the corporation that operates the Toronto Clinic is a “health information custodian”, and the Paper Disposal Company was an “agent” of the health information custodian, as defined by the Act;
  2. The Toronto Clinic failed to take reasonable steps to ensure that the personal health information in its custody or control was protected against theft, loss and unauthorized use or disclosure as required by section 12(1) of the Act;
  3. The Toronto Clinic failed to ensure that the personal health information within its custody or control was disposed of in a secure manner as required by section 13(1) of the Act;
  4. The Toronto Clinic failed to comply with the requirements of section 17(1) of the Act, which requires it to be responsible for the proper handling of personal health information by it and its agents; and
  5. The Paper Disposal Company’s action in forwarding the records to a recycling facility instead of shredding them was not in accordance with section 17(2) of the Act.

As a result, the commissioner made the following order:

  1. The Toronto Clinic must review its information practices to ensure that records of personal health information in its custody or control are securely stored and protected against theft, loss and unauthorized use or disclosure;
  2. The Toronto Clinic must enter into a written contractual agreement with any agent it retains to dispose of personal health information records;
  3. The Paper Disposal Company must put into place a written contractual agreement with any health information custodian for whom it will shred personal health information that includes the obligation for it to shred securely and irreversibly;
  4. The Paper Disposal Company must ensure that any handling of personal health information by a third party company be documented in a written contractual agreement that binds the third party; and
  5. The Paper Disposal Company must put into place procedures that prevent paper records containing health information designated for shredding from being mixed together with other paper being disposed of through the recycling process.

Although the circumstances of the case deal specifically with paper records, the commissioner noted that it is equally important to apply the same principles regarding the destruction of records to “personal health information” in electronic form. This means that “health information custodians” who are disposing of electronic records must ensure that those records are permanently destroyed or erased in an irreversible manner, so that the information cannot be reconstructed in any way.

For a copy of the Order, visit:

http://www.ipc.on.ca/docs/ho-001.pdf