Review under PHIPA into Abandoned Records Finds Files are Secure
Earlier this year, we blogged about an interim order issued by the Information and Privacy Commissioner of Ontario (“IPC”) to ensure the security of abandoned health records pending the completion of an ongoing IPC review. The IPC commenced the review, which was conducted under the Personal Health Information Protection Act, 2004 (“PHIPA”), after receiving information that records of personal health information (“PHI”) had been abandoned following the bankruptcy of three corporations who owned and operated health services clinics in the Greater Toronto Area. These circumstances raised concerns about potential breaches of patient privacy. The review is now complete and the IPC released a decision finding that no orders were necessary in the circumstances, on the basis that the security of the health records was assured and individuals would be able to exercise their right to access their PHI.
On November 24, 2015, the IPC issued a Notice of Review to the three bankrupt corporations, their trustee in bankruptcy, the landlords of the four clinics leased by the bankrupt corporations and four directors and/or officers of the bankrupt corporations (collectively, the “respondents”) to advise them that a review had been commenced. The primary purpose of the review was to determine which, if any, of the respondents were responsible for ensuring: (1) the security of the abandoned health records; and (2) that individuals would be able to access their health records, in order to limit the potential for privacy breaches.
None of the respondents claimed responsibility for the abandoned health records. However, during the review the IPC spoke to various other parties and was advised that steps had been taken to secure the records as follows:
Members of Health Regulatory Colleges: Certain members of health regulatory colleges (“Colleges”) retrieved the health records of the individuals to whom they had provided health services at the clinics. The IPC received the names of these members and wrote to each one of them explaining the IPC’s expectation that the members would comply with all of the obligations imposed on them under PHIPA with respect to the confidentiality, security and provision of access to the records. In addition, the IPC stated that it expected the members to notify their patients that they now held their health records.
New Health Information Custodian: A new health information custodian (“HIC”) re-leased the premises of one of the former clinics. This HIC undertook to comply with the obligations imposed on it under PHIPA with respect to the records that had been abandoned at this location and to notify patients that their records were now in its possession.
Health Regulatory Colleges: All individual patient files that were not retrieved by members of the Colleges were secured by each of the relevant Colleges. The IPC explained in its decision that it understood that the Colleges would either facilitate patient access to the records or would provide the records to the members who previously provided services to the patients before the bankruptcies. The IPC also noted that the Colleges would establish a process for advising individuals that their PHI records were being maintained by the College and that College staff members were subject to confidentiality obligations under the Regulated Health Professions Act, 1991.
In light of these arrangements and undertakings, the IPC was satisfied that all abandoned patient records had been retrieved by individuals with a legal obligation to keep the records secure and provide individuals with a right to access their own PHI records. The IPC therefore concluded the review without issuing any orders.
This decision serves as an important reminder to all HICs and regulated health professionals that their legal obligations with respect to patient health records survive the dissolution of, or departure from, a health services clinic.
If you have any questions or concerns regarding your obligations as a HIC or a health care professional with respect to the ownership and protection of health records, whether in the context of the dissolution of a business or otherwise, please contact us.
