Health Information and Privacy

Decision Information

Summary:



• Records containing personal health information were abandoned by a walk-in medical clinic when it closed its practice.

• Section 3 – definition of health information custodian. The person who operated the medical clinic was a health information custodian.

• Section 4 – definition of personal health information. The abandoned records contained personal health information.

• Section 10(1) – information practices must be in place and comply with PHIPA. The health information custodian did not have practices in place that comply with PHIPA, in contravention of Section 10(1).

• Section 12(1) – protection against theft, loss and unauthorized use and disclosure of personal health information. The health information custodian contravened Section 12(1).

• Section 12(2) – notification requirement. The health information custodian was not required to notify the affected individuals, as there was a remote possibility that their personal health information was lost or accessed by unauthorized persons.

• Section 13(1) – ensure retention, transfer, disposal of records of personal health information in a secure manner. The health information custodian contravened Section 13(1).

• Section 15(2) – designated contact person. The health information custodian did not have a designated contact person.

• Section 15(3) – ensure agents are informed of duties under PHIPA. The health information custodian did not ensure that its agents were informed of their duties under PHIPA.

• The health information custodian was ordered to retain, transfer or dispose of the records in a secure manner, to enter into a written contract if a storage company is used to ensure the secure retention, transfer and disposal of the records and to ensure that access is provided to the affected individuals.

• The health information custodian was also ordered, if operating a group of health care practitioners now or in the future, to put practices and procedures in place to safeguard records of personal health information, to designate a contact person to facilitate compliance with PHIPA, to enter into written contracts with its health care practitioners setting out the obligations of both parties regarding records of personal health information and to make available to patients, in the event of a closure, how the records of personal health information will be retained or disposed of and how to obtain access to those records.

Decision Content

Information and Privacy Commissioner / Ontario
ORDER HO-003
Ann Cavoukian, Ph.D.
Commissioner
December 2006
BACKGROUND OF THE COMPLAINT

On September 22, 2006, a staff member of the College of Physicians and Surgeons of Ontario (CPSO) notified the Office of the Information and Privacy Commissioner/Ontario (IPC) that a medical and rehabilitation clinic, the Martin Grove Medical and Rehab Centre (the Clinic), located in Etobicoke, had closed its operations and left behind records containing personal health information. The CPSO had been contacted by the landlord of the building (the landlord) where the Clinic was located. The landlord informed the CPSO that a tenant who had been operating a medical and rehabilitation clinic known as Martin Grove had abandoned the property prior to the expiration of the lease and had left boxes of medical records behind. A staff member of the CPSO attended the location where the Clinic had been located and confirmed that, in fact, records containing health related data were on the premises that were otherwise vacated. She then placed the call to the IPC to inform us of this incident. Based on this information, the IPC’s Registrar immediately contacted the landlord. The landlord informed the Registrar that he required the immediate removal of the records due to impending renovations. In the event that the IPC did not retrieve the records, which he advised were presently stored in three grocery carts, the landlord indicated he would be forced to dispose of them. The Registrar made arrangements with the landlord to personally attend at the Clinic the next day to retrieve the records, which are currently secured in a locked file room at the IPC. The IPC provided the landlord with a written determination, with reasons, under section 60(13) of the Personal Health Information Protection Act (the Act), indicating that it was reasonably necessary to inquire into and inspect the records located at the Clinic without the consent of the individuals to whom the personal health information relates.
This was required, not only in order to carry out the review, but also in light of the public interest involved. The majority of the records retrieved from the Clinic consisted of files detailing the provision of physiotherapy and massage therapy services to individual patients. Other records included: invoices for physiotherapy and massage therapy services; a small number of consultation notes and operating room notes relating to patients; financial records comprised of lists of patient names, physician names and the type of medical service provided by the relevant physician to the relevant patient; physiotherapy sign-in sheets; physiotherapy and massage therapy appointment books; insurance carrier information in which patients are identified as having received insurance benefits; and various job applications. 
THE IPC INVESTIGATION

The IPC conducted a corporate search for Martin Grove Medical and Rehab Centre and determined that it was owned and operated by 1436251 Ontario Limited. The sole Director of 1436251 Ontario Limited is Dr. Shervin Eshraghi. On October 5, 2006, the mediator assigned to the file interviewed the landlord of the building in which the Clinic was located. The landlord explained that he owned the building located at 2200 Martin Grove Road in Etobicoke, Ontario. The landlord had entered into a written lease dated November 21, 2000 with Dr. Shervin Eshraghi, on behalf of the Clinic. On April 28, 2006, the Clinic closed its operations, without notice, prior to the expiration of the lease. The landlord further advised the IPC that he had written to the Clinic on three occasions, regarding the abandonment of the premises. On August 2, 2006, the landlord made arrangements to take possession of the Clinic and had the locks changed. By way of a letter dated August 2, 2006, the landlord advised the Clinic of this fact, and requested that a representative of the Clinic contact him should it wish to claim any property located on the premises. The landlord also indicated that he called the Clinic’s representative in September, 2006 and instructed him to remove the contents located on the premises; otherwise they would be disposed of. The landlord provided copies of the lease and the above noted letters to the IPC. I have carefully reviewed them. There is no provision in the lease that refers to the storage and/or retention of records of personal health information. The landlord also provided copies of photographs that were taken at the Clinic on August 24, 2006. One of the photographs shows the front desk at the Clinic.
Affixed to the front desk was a notice developed by the IPC and the Ontario Bar Association for use by health information custodians entitled “Health Information Privacy in our Office.” This notice states that individuals have the right to know how they can access their personal health information and explains that health information custodians are required to keep personal health information safe and secure.

CONDUCT OF THE REVIEW

On October 10, 2006, the IPC called the telephone number provided by the landlord and spoke to Mr. Shahin Eshraghi. Mr. Eshraghi advised that he is Dr. Shervin Eshraghi’s brother and that Dr. Shervin Eshraghi, although the sole Director of 1436251 Ontario Limited, did not participate in the day-to-day operation of the Clinic because he lives in the United States. Shahin Eshraghi further advised that the day-to-day operation of the Clinic was conducted by Mr. Ehsan Eshraghi, who is the father of Dr. Shervin Eshraghi, and to a lesser extent, by Shahin Eshraghi himself. Shahin Eshraghi was interviewed both by telephone on October 10, 2006, and in person on October 13, 2006. Mr. Eshraghi indicated that the Clinic, which opened in either 2000 or 2001, was a medical and rehabilitation centre, where patients could be treated by way of appointment or on a walk-in basis. He also advised the IPC that the Clinic was not an independent health
facility, as defined under the Independent Health Facilities Act, R.S.O. 1990, c. I.3. Mr. Eshraghi further advised that the Clinic closed in late April 2006, because it was not financially sustainable. He also indicated that the staff and health care practitioners who worked at the Clinic were provided with at least two months’ notice of the closure. In addition, Mr. Eshraghi advised that he thought that a notice may have been posted at the Clinic notifying patients that the physician would be leaving in two weeks’ time, but that he was not sure. Shahin Eshraghi freely acknowledged to the IPC that the Clinic was responsible for the records. Mr. Eshraghi confirmed that there were no provisions in the lease entered into with the landlord of the building that addressed the security or storage of Clinic records. Mr. Eshraghi also advised that the health care practitioners who worked at the Clinic, primarily physicians, physiotherapists, chiropractors and massage therapists, were independent contractors and did not have written agreements with the Clinic setting out responsibility for the security of the health records. However, there was a verbal, mutual understanding that the Clinic was responsible for the records in its possession, as the records were considered to be “the Clinic’s property.” My office independently contacted a number of physicians who had worked at the clinic who confirmed that they did not have a written agreement with the Clinic and that their understanding with respect to the records was the same as described by Mr. Eshraghi. Mr. Eshraghi also advised that the health care practitioners did not have independent access to the Clinic because they were not provided with keys to the premises. Shahin Eshraghi further advised that at the time of the Clinic’s closure, he had made arrangements for approximately 6000-7000 medical files to be transferred to and stored at a professional storage company in Etobicoke. Mr.
Eshraghi described the remaining files as “non-active physio files,” which were files relating to patients who had, but were no longer receiving, physiotherapy and/or massage therapy services. Mr. Eshraghi indicated that he had contacted the College of Physiotherapists of Ontario to ask what he should do with the “non-active physio files,” but that he had not received a straight answer from them. He was unable to recall who he spoke to. As a result, Mr. Eshraghi stated that he was unsure what to do with the “non-active physio files.” Mr. Eshraghi indicated that he understood the Clinic’s obligations regarding “medical records,” that is, those records created by physicians. However, he did not realize that the Clinic would also be responsible for records created by other health care practitioners or other types of records that contained personal health information. Mr. Eshraghi also stated that he has no knowledge of the Act and was accordingly unaware of the Clinic’s obligations under it. The IPC contacted the College of Physiotherapists of Ontario and was advised that there is no record in its database or independent recollection by staff of having received an inquiry from Mr. Eshraghi or anyone from the Clinic regarding the issue of the disposal and/or storage of “non-active physio files.” Shahin Eshraghi advised the IPC that he had received three letters from the landlord of the building following the Clinic’s closure. Two of the letters dealt exclusively with the issue of outstanding rent. The third letter, which was sent to advise that the landlord had taken possession of the property, also asked the Clinic to contact the landlord if there was any property it wished to claim. Mr. Eshraghi stated that little thought was given to the records that had been left behind,
mainly due to a lack of knowledge of the Act and of what constituted records of personal health information. As a result, records containing personal health information were left behind, and their whereabouts were unknown to Mr. Eshraghi until he was contacted by the IPC. Following our investigation, I sent a Notice of Review to Dr. Eshraghi and Mr. Shahin Eshraghi, which set out the issues identified as a result of our investigation and invited their representations. The representations received from both Dr. Shervin Eshraghi and Mr. Eshraghi are brief and consist of an admission that the Clinic failed to meet its obligations under the Act. They provided no further pertinent information.

ISSUES ARISING FROM THE REVIEW

I identified the following issues, which will be discussed in turn, as arising from this review:

(A) Are the records at issue records of personal health information as defined in sections 2 and 4 of the Act?
(B) Is 1436251 Ontario Limited a health information custodian as defined in section 3(1) of the Act?
(C) Did 1436251 Ontario Limited, as the health information custodian, comply with section 13(1) of the Act?
(D) Did 1436251 Ontario Limited, as the health information custodian, comply with section 10(1) of the Act?
(E) Did 1436251 Ontario Limited, as the health information custodian, comply with section 12(1) of the Act?
(F) Is 1436251 Ontario Limited required to notify patients whose records were abandoned on the vacated premises pursuant to section 12(2) of the Act?

RESULTS OF THE INVESTIGATION

Issue A: Are the records at issue records of personal health information as defined in sections 2 and 4 of the Act?

Section 2 of the Act defines a record as: a record of information in any form or in any medium, whether in written, printed, photographic or electronic form or otherwise, but does not include a computer program or other mechanism that can produce a record.
Section 4(1) of the Act states, in part, that personal health information means identifying information about an individual in oral or recorded form, if the information: (a) relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family, (b) relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual, […] (d) relates to payments or eligibility for health care in respect of the individual, […] (f) is the individual’s health number, or […] Identifying information is defined in section 4(2) of the Act as information that identifies an individual or for which it is reasonably foreseeable in the circumstances that it could be used, either alone or with other information, to identify an individual. As discussed above, the following categories of records were recovered at the abandoned premises of the Clinic by an IPC staff member: records detailing the provision of physiotherapy and massage therapy services to individual patients by identified health care practitioners; invoices for physiotherapy and massage therapy services setting out the type of health care services provided to patients and identifying the provider of the services; consultation notes and operating room notes relating to the physical or mental health of patients; financial records comprised of lists of patient names, physician names and the type of health care services provided by the physician to the relevant patient; physiotherapy sign-in sheets signed by the patients; physiotherapy and massage therapy appointment books containing the names of the patients; and insurance carrier information in which the patient is identified as having received insurance benefits for identified health care services provided by identified health care practitioners.
These records relate either to the physical or mental health of patients of the Clinic, to the provision of health care to patients of the Clinic, outline payments and eligibility for health care or contain the health number of Clinic patients. I therefore find that these records are records of personal health information as defined in sections 2 and 4 of the Act.

Issue B: Is 1436251 Ontario Limited a health information custodian as defined in section 3(1) of the Act?

The term health information custodian is defined in section 3(1) of the Act which states, in part: “health information custodian”, subject to subsections (3) to (11), means a person or organization described in one of the following paragraphs who has custody or control of personal health information as a result of or in connection with performing the person’s or organization’s powers or duties or the work described in the paragraph, if any: 1. A health care practitioner or a person who operates a group practice of health care practitioners. Section 2 of the Act defines a person to include a partnership, association or other entity. As noted above, the IPC conducted a corporate search in order to determine the identity of the owner of the Clinic. The search revealed the owner to be a corporation named 1436251 Ontario Limited, which listed Dr. Shervin Eshraghi as the sole director, effective August 25, 2000. I am therefore satisfied that 1436251 Ontario Limited owned and operated the group practice of health care practitioners carrying on business known as Martin Grove Medical and Rehab Centre. Accordingly, I find that 1436251 Ontario Limited is a health information custodian as defined in section 3(1)1 of the Act. For the purposes of this Order, I will refer to 1436251 Ontario Limited as the Custodian.
Although there were a number of individual health care practitioners working at the Clinic such as physiotherapists, massage therapists and physicians, it is my opinion that 1436251 Ontario Limited operated a group practice of health care practitioners. This finding is supported by the statement of Shahin Eshraghi that it was understood by the health care practitioners who worked at the Clinic and by the Clinic that the Clinic owner was responsible for the health care records on the Clinic premises and that the health care practitioners working at the Clinic did not have independent access to the Clinic and were not provided keys to the Clinic.
Issue C: Did the Custodian comply with section 13(1) (record retention, transfer and disposal) of the Act?

The Act requires a health information custodian to ensure that records of personal health information in its custody or under its control are handled in accordance with the Act. Section 13(1) of the Act requires that: A health information custodian shall ensure that the records of personal health information that it has in its custody or under its control are retained, transferred and disposed of in a secure manner and in accordance with the prescribed requirements, if any. Based on information gathered during the investigation, and by the Custodian’s own admission, I am satisfied that the Custodian did not ensure that the records of personal health information in its custody and control were retained, transferred or disposed of in a secure manner. While the records were locked in the premises occupied by the Clinic, the records were scattered about the premises and were not contained in a locked filing cabinet or any other secure location/container. One can only draw the conclusion that the Custodian, having vacated the premises, was not concerned about the fate of these records. Further, the landlord of the building and the property manager had the keys to the premises and therefore they, or any other person acting on their behalf, would have been able to access these scattered records. In addition, when provided with an opportunity to do so by the landlord of the building, the Custodian did not remove the records and transfer them to a secure location. It is clearly unacceptable for a health information custodian, when closing its business premises, to leave behind records containing personal health information and other sensitive information. In this case, the Custodian did recognize the need to secure certain health records.
According to the representative of the Custodian, thousands of files, containing primarily the records created by physicians at the Clinic, were transferred to secure storage. It remains inexplicable why the records created by other health care practitioners were treated differently. The failure of the Custodian to meet its obligations under section 13(1) is exacerbated by the fact that the landlord had contacted the Custodian and brought to its attention the fact that there was property that had been abandoned at the vacated premises. Although the landlord did not explicitly state that the property was health records, the Custodian was most certainly aware of what had been left behind. If not for the action of the landlord in calling the CPSO and the consequent visit to the premises by my staff, the health information records of Clinic patients could have ended up in the garbage, or perhaps worse, in unauthorized hands. As a result, I find that the Custodian did not ensure that the records of personal health information in its custody or under its control were retained, transferred or disposed of in a secure manner and, therefore, the Custodian did not comply with section 13(1) of the Act. 
Issue D: Did the Custodian comply with section 10(1) (information practices) of the Act?

In order to meet its obligations under the Act, a health information custodian that has custody or control of personal health information is required to have information practices in place that comply with the Act. Section 10(1) of the Act states: A health information custodian that has custody or control of personal health information shall have in place information practices that comply with the requirements of this Act and its regulations. Information practices are defined in section 2 of the Act to mean “the policy of the custodian for actions in relation to personal health information.” The definition refers to the “when, how and the purposes for which the health information custodian routinely collects, uses, modifies, discloses, retains or disposes of personal health information and the administrative, technical and physical safeguards and practices that the custodian maintains with respect to the information.” [emphasis added] A representative of the Custodian has admitted that there was a lack of knowledge of the Act and its obligations under the legislation. This was clearly demonstrated by the abandonment of the health records when vacating the Clinic premises and the failure to retain, transfer or dispose of the records in a secure manner. When given an opportunity to provide representations to me during this investigation, the Custodian provided no evidence that information practices were in place to ensure compliance with the Act. I find, therefore, that the Custodian did not have information practices in place that complied with the requirements of the Act pursuant to section 10(1).

Issue E: Did the Custodian comply with section 12(1) (security) of the Act?

The Act requires a health information custodian to take reasonable steps to ensure that personal health information in its custody or control is protected in accordance with section 12(1).
Section 12(1) of the Act states: A health information custodian shall take steps that are reasonable in the circumstances to ensure that personal health information in the custodian’s custody or control is protected against theft, loss and unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal. Consistent with the discussion under Issue C above, it is clear that the Custodian did not take reasonable steps to ensure that the health records were protected in accordance with section 12(1). In fact, the Custodian surrendered all responsibility for the records by abandoning them on the vacated premises. As such, the records could have been acquired by anyone with access to
the premises, including the landlord, the property manager or any other person acting on their behalf. As already noted, because of the actions of the Custodian, the records were in danger of being discarded by the landlord. This could have resulted in the loss of the information in the records to the patient, and the potential misuse of that information by anyone who may have stumbled across them. Based on these circumstances, I therefore find that the Custodian did not take reasonable steps to ensure that the records were protected in accordance with section 12(1).

Issue F: Is the Custodian required to notify the individuals whose records were abandoned pursuant to section 12(2) of the Act?

I have found that the Custodian failed to take reasonable steps to protect the records of personal health information from theft, loss or unauthorized use or disclosure as required by section 12(1). I must now consider whether the custodian had the duty to notify the individuals whose records were abandoned as set out in section 12(2) of the Act. Section 12(2) reads as follows: Subject to subsection (3), and subject to the exceptions and additional requirements, if any, that are prescribed, a health information custodian that has custody or control of personal health information about an individual shall notify the individual at the first reasonable opportunity if the information is stolen, lost or accessed by unauthorized persons. Section 12(2) of the Act only imposes an obligation to notify the individual to whom the personal health information relates if personal health information is stolen, lost or accessed by unauthorized persons. Although the records were abandoned by the Custodian in the vacated premises of the Clinic, there is no evidence that any of the records were stolen or lost. I note that, based on the evidence of the landlord, access to the premises was restricted to the landlord and the property manager.
The landlord himself did not remove any of the records from the premises and was unaware of any of the records having gone missing. It is also important to note that the records were retrieved by the IPC and have been held in a secure, locked area at the IPC’s office. It is true that the landlord and the staff member from the CPSO may have looked at some of the records in order to verify that they contained personal health information or, in the landlord’s case, to help him determine who he should contact about the records. However, there is no evidence to suggest that either individual connected the health information to a particular individual. Notification in this case would be based on a remote possibility of unauthorized access rather than a probability. In the absence of evidence that any records were lost or stolen, in my view,
notification of the potentially thousands of patients whose records were abandoned but later recovered by the IPC, would serve no useful purpose. Based on the specific facts of this particular case, I find that the Custodian is not required to notify the individuals whose health records were abandoned pursuant to section 12(2) of the Act.

Other Matters

I have found that the Custodian did not meet the obligations and responsibilities set out in a number of sections of the Act. These include the requirement to ensure the secure retention, transfer and disposal of health records, to have information practices in place that comply with the requirements of the Act and to take reasonable steps to ensure that the health records are protected. In my view, the Custodian should have taken the following additional steps to meet these obligations and to be compliant with the Act.

Contact Person

This incident highlights a number of issues that custodians in similar circumstances must address. Shahin Eshraghi, on behalf of the Custodian, admitted to being unaware of the Act. As a result, it is understandable that the Custodian was unable to meet its obligations and responsibilities. I note that section 15(2) of the Act requires a health information custodian to designate a contact person whose responsibilities include facilitating the custodian’s compliance with the Act, ensuring that agents of the custodian are informed of their duties under the Act, and fulfilling other duties and responsibilities in section 15(3) of the Act. Had such a contact person been designated for the Clinic, it is possible that health information records would not have been abandoned when the business was closed.

Notice to Patients

According to the representative of the Custodian, staff of the Clinic were provided at least two months’ notice of the Clinic’s closure.
However, he thought that a notice may have been posted at the Clinic notifying patients that the physician would be leaving in two weeks’ time. In my view, given the realities of this type of clinic, such a notice, if in fact it was given, which is certainly questionable, was insufficient and likely served no purpose. Only a small fraction of Clinic patients would have become aware of the Clinic’s closure with such a late posting, given the nature of the notification and the frequency with which most individuals attend such clinics. Thus, the vast majority of patients would have been unaware of the closure and therefore unable to request access to their records of personal health information, as is their right, or to request a transfer of their records to another health information custodian. Similarly, most patients, upon learning that the Clinic had closed, after the fact, would have been unaware of where to make a request to access or transfer their records. This is completely unacceptable. Patients must
have sufficient notice that their health care practitioners are ceasing or closing their practices in order to seek access to, or request the transfer of, their records, if they so wish. In this regard, I note that the CPSO recently released a policy entitled “Practice Management Considerations for Physicians Who Cease to Practise or Take an Extended Leave of Absence.” The policy is designed to explain practice management measures physicians should take when they cease to practise or will not be practising for an extended period of time. Among the steps recommended to be taken by physicians to minimize the impact of ceasing to practice on their patients’ care, is patient notification. As the policy states: The physician should provide his or her patients with notification of practice closure or restrictions as soon as possible after it becomes apparent that he or she will be leaving or restricting practice, in order to allow patients an opportunity to find another physician. Acceptable methods of notification are: In person, at a scheduled appointment; Letter to the patient; and/or Telephone call to the patient. Supplementary methods of notification the physician may also wish to use include: Printed notice, posted in the office in a place that is accessible even when the office is closed; Newspaper advertisement; and/or Recorded message on the office answering machine. When providing this notification, the physician should remind patients where they can go to obtain emergency or urgent care. Where, because of the nature of the physician’s practice or the care being provided, there is no expectation of an ongoing physician-patient relationship (e.g., walk-in clinic physicians, emergency room physicians, and/or some specialists), the physician is only expected to notify those patients to whom they are actively providing care. In my view, this policy sets out a minimum standard for patient notice in cases such as the present case, where clinics are ceasing to operate.
Providing notice to patients to whom health care professionals are actively providing care is a basic requirement. On the facts of this case, first, it is highly questionable whether any notice was posted, given the feeble recollection of this fact and the inability to produce a copy of the said notice and second, posting a notice at the Clinic two weeks before its closure was not sufficient in any event, particularly given the evidence that the health care practitioners at the Clinic were notified of the impending closure at least two months in advance. In addition, in order to notify patients where there was an ongoing relationship at the earliest possible moment, the Custodian should have considered various alternative methods of notice, as outlined in the CPSO policy: a newspaper advertisement or a recorded message on the answering machine of the Clinic.

We should note that the IPC has met with representatives of the CPSO to suggest that they consider amending their policy. In our view, physicians should inform their patients, not only of the fact that the physician will be ceasing to operate or will not be practising for an extended period of time, but also of the following:

• Who will have possession of their health records;

• Where a request for access to their records under the Act can be made;

• Where a request to transfer the records to another health care practitioner can be directed.

Written Contract with Health Care Professionals

I have already concluded that the owner of the Clinic, 1436251 Ontario Limited, was the health information custodian who had custody and control of the records of personal health information that were abandoned when the Clinic closed. As Custodian, the company had the responsibility to ensure that the records were secure and handled in accordance with the Act. As noted, these records were generated by a number of health care practitioners, including physicians, physiotherapists, massage therapists and chiropractors. It should be noted that the representatives of the Custodian have consistently recognized their responsibility for the records in this case.

Although the health care practitioners who provided services at the Clinic were not responsible for the secure storage, retention or disposal of the records, they clearly had an interest in ensuring that the records were handled appropriately. This is particularly true in the present case, where the Custodian was not a regulated health professional or an independent health facility, as defined under the Independent Health Facilities Act.
A written contract between the Custodian and the individual health care practitioners that clearly set out their responsibilities for records management, including the responsibility for secure storage of the records should the Clinic cease operation, would have gone a long way to avoiding the situation that eventually unfolded. This point is made in an excellent publication produced by the College of Physiotherapists of Ontario. Although directed to physiotherapists, we would recommend it to any health care practitioner providing services in a group practice. Workplace Obligations for Physiotherapists reminds members of the College that it is the member's responsibility to ensure that he or she is able to maintain the standards of the College in his or her practice setting. It states:

To accomplish this, members must be aware of the standards of the College and obtain agreement from the employer that the physiotherapist shall be able to practice in a manner that is in compliance with these standards.
It is recommended that members carefully consider obtaining this agreement in the form of a written contract before accepting any employment. Members are reminded that all aspects of practice must comply with College standards including advertising, billing practices, use of support personnel and record keeping. [emphasis added]

In my view, a written contract, as described in this guideline, between health care practitioners providing services to a clinic and the clinic itself is a necessary requirement to ensure the safety and security of all health records.

I have identified deficiencies in the information management practices of the Custodian that led to the unfortunate results of this case. Unfortunately, these issues cannot be addressed by this Custodian for the records abandoned at the Martin Grove Clinic, given that the Clinic is now closed. However, to the extent that the Custodian operates similar clinics or practices at other locations, I will address these issues in the order provisions.

SUMMARY OF FINDINGS

I have made the following findings in this review:

1. The records at issue are records of personal health information as defined in sections 2 and 4 of the Act.

2. 1436251 Ontario Limited is a health information custodian as defined in section 3(1) of the Act.

3. 1436251 Ontario Limited, as the health information custodian, did not comply with section 13(1) of the Act in that it did not ensure that the records of personal health information in its custody or under its control were retained, transferred or disposed of in a secure manner.

4. 1436251 Ontario Limited, as the health information custodian, did not comply with section 10(1) of the Act in that the Custodian did not have information practices in place that comply with the requirements of the Act.

5. 1436251 Ontario Limited, as the health information custodian, did not comply with section 12(1) of the Act in that the Custodian did not take steps that were reasonable in the circumstances to ensure that personal health information in its custody or control was protected against theft, loss and unauthorized use or disclosure and to ensure that the records containing personal health information were protected against unauthorized copying, modification or disposal.

6. 1436251 Ontario Limited, as the health information custodian, is not required to notify the individuals whose health records were abandoned pursuant to section 12(2) of the Act.
ORDER:

1. I order the Custodian, 1436251 Ontario Limited, pursuant to section 61(1)(c) of the Act, to retain, transfer or dispose of the records in a secure manner in accordance with section 13(1) of the Act. Further, the Custodian must document the manner in which the records are retained, transferred or disposed of. The Custodian should contact the IPC as the records are currently being secured by my office.

2. If the Custodian uses a record storage company to retain the records, I order the Custodian, pursuant to section 61(1)(c) of the Act, to ensure that the records of personal health information are retained, transferred and disposed of by the record storage company in accordance with section 13(1) of the Act and to ensure that the individuals to whom the records of personal health information relate will be provided access to the records in accordance with Part V of the Act. This must be set out in a written agreement with the record storage company.

3. To the extent that the Custodian operates a group practice of health care practitioners, now or in the future, I order the Custodian:

• Pursuant to sections 61(1)(c) and 61(1)(g) of the Act, to put in place practices and procedures to ensure that records of personal health information are safeguarded at all times as required pursuant to sections 12(1) and 13(1) of the Act;

• Pursuant to section 61(1)(c) of the Act, to appoint a staff member to facilitate compliance with the Act including the provisions relating to the secure retention, transfer and disposal of records of personal health information pursuant to sections 12(1) and 13(1) of the Act;

• Pursuant to section 61(1)(g) of the Act, to enter into written contracts with health care practitioners acting as independent contractors of the group practice owned and operated by the Custodian that clearly outline the obligations of both parties regarding records of personal health information in order to achieve compliance with sections 12(1) and 13(1) of the Act; and

• Pursuant to section 61(1)(c) of the Act, in the event of an impending closure of the group practice of health care practitioners, make available to individuals, in a manner that is practical in the circumstances, a written statement that describes how their records of personal health information will be retained or disposed of on a going forward basis and that describes how an individual may obtain access to or transfer of their records of personal health information.

4. In order to verify compliance with this Order, I require that the Custodian provide me with proof of compliance by March 8, 2007.
POSTSCRIPT

Changes in the practices of health information custodians may occur in a variety of circumstances: bankruptcy, insolvency, retirement, relocation or cessation of practice and revocation or suspension of a license to practice, to name a few. The failure to adequately address privacy and security issues with respect to the treatment of records of personal health information in the event of a change in practice may have harmful consequences for the individuals to whom the personal health information relates. Inadequate records management policies and procedures following a change in practice may not only lead to breaches of privacy, but may also deprive individuals of their right to access and correct records of personal health information. Furthermore, the failure to adequately address records management issues in the event of a change in practice has the potential to compromise the continuity of care of the individuals to whom these records relate.

With limited exceptions (e.g., where a custodian dies or sells a practice and transfers records to a successor), the persons or organizations described in subsection 3(1) of the Act who served as custodians immediately before a change in practice, continue to be the custodians after the change in practice. As custodians, these persons and organizations continue to be responsible for complying with the duties and obligations imposed on custodians under the Act. In particular, custodians have a duty to ensure that records of personal health information are retained, transferred and disposed of in a secure manner, throughout their life cycle.

In the present case, unbelievably, records of personal health information were simply abandoned when the practice in question ceased its operations. This situation is both regrettable and unacceptable; worse, it could easily have been avoided.
The custodian's failure to adequately notify individuals when the practice ceased its operations and to ensure that all records of personal health information were retained, transferred or disposed of in a secure manner demonstrated a flagrant disregard for the privacy rights of the individuals to whom the records related.

I will take this opportunity to remind custodians that when a custodian ceases its operations, it is important to recognize that the obligation to retain the records of personal health information in a secure manner does not cease; it continues, in no uncertain terms. This obligation may either be fulfilled by the custodian personally, or through an agent of the custodian, such as a record storage company. Should a custodian choose to use the services of a record storage company, the custodian must provide the following notice to the individuals to whom the records relate:

• that the custodian is ceasing to practice,

• that their records of personal health information will be stored at a record storage company and the contact information for the record storage company, and

• the procedure to be followed by individuals in requesting access or correction of their records of personal health information in accordance with the Act, and in requesting a transfer of their records of personal health information to another custodian.
The custodian should also enter into a written agreement with any record storage company that it employs, setting out the requirements that must be met in order to allow the custodian to continue to meet its obligations under the Act.

Given that the situation described in this Order does not appear to be unique, I would strongly encourage all health information custodians to think proactively about how they will continue to meet their obligations under the Act, in the event of a change in practice. First and foremost, a basic understanding of the requirements of the Act is essential to enable custodians to implement privacy protective practices on a day-to-day basis, and in the event of a practice change. In group practice settings, there must be a clear understanding of who the custodian is and formal agreements about the obligations of each person involved in the group practice, with respect to records of personal health information, in the event that the practice closes. In formalizing such agreements, all health care practitioners should bear in mind that they may have professional obligations with respect to the handling of records of personal health information, regardless of whether or not they are considered to be a health information custodian under the Act. Finally, the development of written policies and practices with respect to the handling of records of personal health information, in the event of changes in practices, will help custodians to avoid future unfortunate situations.

Let us work together to avoid future cases where scenarios such as the one reported in this Order can arise. They are easily avoidable.

Ann Cavoukian, Ph.D.
Commissioner

Date: December 11, 2006