Health Information and Privacy

Decision Information

Summary:



• Records containing personal health information found scattered on the streets, as part of a movie production set.

• Section 2 - definition of agent. The paper disposal company was found to be an agent of the health information custodian.

• Section 3 - definition of health information custodian. The corporation that operates the Toronto Clinic is a health information custodian.

• Section 4 - definition of personal health information. The records found scattered on the street contained personal health information.

• Section 12(1) - protection of personal health information against loss, theft, unauthorized use or disclosure. The Toronto Clinic failed to take steps to ensure that personal health information in its custody or control is protected against theft, loss and unauthorized use or disclosure.

• Section 13(1) – maintenance, transfer and disposal of records of personal health information in a secure manner. The Toronto Clinic failed to ensure that the records were disposed of in a secure manner.

• Section 17(1) – use of agents. The Toronto Clinic failed to comply with section 17(1), which requires it to be responsible for the proper handling of personal health information by its agents.

• Section 17(2) – obligations of agents. The paper disposal company failed to comply with section 17(2) by forwarding the records of personal health information to a recycling facility instead of shredding them.

• The health information custodian was ordered to review its information practices to ensure compliance with PHIPA and to enter into written contracts with its agent(s) to ensure the secure destruction of personal health information, which is the irreversible destruction of the records.

• The agent was ordered to enter into written contracts with any third parties that handle personal health information to ensure compliance with PHIPA and to ensure that records containing personal health information are kept separate from records that are designated for recycling.

Decision Content

Information and Privacy Commissioner / Ontario

ORDER HO-001

Ann Cavoukian, Ph.D., Commissioner

October 2005

NATURE OF THE INCIDENT: On October 1, 2005, I was contacted by a newspaper reporter from the Toronto Star who advised me that patient health records were being blown around the streets of downtown Toronto. The intersection of Wellington and York streets was serving as the location for a film shoot about the September 11, 2001 terrorist attack on New York’s World Trade Center.

The seriousness of such an incident, coupled with the potentially devastating impact on patient privacy, prompted the need for immediate action. As a result, after speaking with the reporter, I felt that I had to conduct an immediate site visit and personally attended at the film location. However, when I arrived, the medical records had been retrieved, as the reporter indicated might be the case. I found no evidence of patient health records on the streets, although I did retrieve a one-page memo that, while containing no personal health information, did involve some sensitive information. I immediately alerted the Executive members of my office and advised them of the situation.

The next day, the Toronto Star ran a story describing the incident, along with a picture of the film set littered with what appeared to be patient records. A close-up picture of one patient health record from an X-ray and ultrasound clinic appeared with the story. The patient’s name had thankfully been removed from the photograph of the record.

In addition, on the morning of Monday, October 3, a member of the public called my office and indicated that he had picked up a patient’s health record from the film set and wanted to alert us.

Based on the information provided, I immediately initiated a review pursuant to section 58(1) of the Personal Health Information Protection Act, 2004 (the Act).

THE REVIEW: The Information and Privacy Commissioner/Ontario’s (IPC) “privacy breach protocol” was immediately implemented. The protocol involves an initial meeting with key staff members to review the known facts, the development of an action plan, and the assignment of responsibilities to carry it out.

The first priority when personal health information is disclosed in an unauthorized manner is containment. Efforts must be made to locate any personal health information that is outside the custody or control of the responsible health information custodian or their authorized agent and then retrieve it. In general, anyone who has obtained personal health information is contacted and asked to confirm that they have turned over all the records in their possession. They are also asked to indicate whether or not they have shared the records with anyone and whether they have made any copies. Inquiries are also made into how the person or organization obtained the personal health information. This helps to assess the potential that any other person or organization may have had unauthorized access to the records. This tracing process also helps to determine the original source and the cause of the unauthorized disclosure so that steps can be taken to limit the exposure of personal health information and prevent similar incidents from occurring in the future.

On the first day of the review, I instructed two investigation teams to attend relevant sites to recover any personal health information and to start the process of determining how this incident could have occurred. The teams were in regular contact with me throughout the day, and with one another, as we undertook the first step of containment and began our investigation.

Toronto Star Newspaper Reporter

On October 3, IPC investigators met with the newspaper reporter from the Toronto Star who first reported the incident to the IPC and retrieved the patient health records he had obtained from the film set and which had appeared in the newspaper. The reporter also provided staff with nine other records of personal health information. All ten records related to patients who had received services at the same Toronto X-ray and ultrasound clinic (the Toronto Clinic).

Member of the Public

IPC investigators also met with the member of the public who had contacted us to retrieve the patient health record he had obtained from the film set. This record related to a patient who had received services at the Toronto Clinic.

Film Production Company

In addition, IPC investigators spoke to the film’s producer who provided the following information:

• on the day in question, the production company used what it believed was scrap paper for special effects during filming on city streets;

• a special effects company had obtained the paper from a recycling company for the film production company;

• when the crew learned that the paper included patient health records, they quickly began collecting it and the recycling company that had provided the paper was contacted and asked to come immediately to the set to assist in retrieving the paper from the streets;

• the Vice President of the recycling company attended at the site and personally assisted in retrieving the patient records;

• the producer had expected his crew to retain the records; however, he later discovered that the records had been taken away by the recycling company;

• concerned that they would be needed for any investigation that would be conducted, the producer immediately contacted the Vice President of the recycling company to alert him not to destroy the records;

• the producer provided IPC staff with the name and telephone number of the Vice President of the recycling company.

On the morning of October 3, IPC investigators attended at the film set location and confirmed that no patient health records remained on the streets. Filming at the location had also finished by that time.

I would like to thank the film producer at the production company for taking immediate action in containing this incident, calling the recycling company to retrieve the medical records, and assisting my staff with our investigation.

Paper Recycling Company

IPC investigators contacted the Vice President of the recycling company on October 3rd, to confirm that the records had been retrieved, and specifically that the personal health information had not been destroyed. The Vice President confirmed that the records had not been destroyed and would be provided to the IPC.

The Vice President of the recycling company then met with IPC investigators on the same day and provided the following information:

• the recycling company had provided paper to the special effects company for use on the film set;

• the producer of the film was very upset that the paper included patient health records;

• the recycling company was contacted by the producer of the film directly on the day it had learned that the scrap paper included patient health records;

• the Vice President of the recycling company personally attended with his staff to retrieve the documents from the film set;

• when they went to the film set to retrieve the paper, the original box provided to the special effects company was almost full of paper and was sitting underneath two large bags of paper that appeared to have been used on the set;

• the recycling company took away the box and the two bags and their contents; it appeared to the Vice President that all the paper had been picked up from the streets and no other health records appeared to be on the film set;

• the recycling company moved the paper from the two bags and placed it into one very large garbage bag;

• the box containing documents that was provided to the special effects company was retrieved from the set, and was confirmed not to have included any patient health records, so the decision was made not to retain it;

• the paper from the box included newspaper, file folders and other paper and was returned to the warehouse for recycling; it could not be located;

• the Vice President looked through the documents in the large garbage bag and observed that they were all patient health records from the Toronto Clinic;

• the Toronto Clinic was not a client of the recycling company; the patient records were believed to have been delivered to the recycling company by a third party initially retained by the Toronto Clinic;

• the recycling company had no way to trace who had dropped off the patient records to their warehouse.

With respect to the question of how paper from a recycling company could have ended up on a film set, the Vice President provided the following information:

• the recycling company is approached from time to time to provide paper and other props for film sets;

• in this case, the recycling company was approached by a special effects company retained by the producer of this film and asked to provide a large box of paper;

• the request was filled by staff in the recycling company’s warehouse from one of the several piles of paper that routinely sit in large piles on the warehouse floor prior to processing;

• the large piles of paper would contain paper from many different sources consisting of clients who had dropped off various paper;

• warehouse staff would not have selected any paper in particular when selecting it from various piles and placing it into the box for the special effects company;

• none of the warehouse staff recalled filling the paper request for the special effects company;

• warehouse staff would not have known what to do had they suspected that the paper selected actually consisted of patient health records.

The recycling company turned over the large bag of documents containing actual health records to the IPC investigators. The Vice President confirmed that he was turning over all the patient health records he had been able to locate. The Vice President also confirmed that he had looked through the entire facility and had not located any other paper resembling patient health records. He advised that if any other patient records from the clinic had been at the recycling warehouse at one time, to the best of his knowledge, they would have been processed by now with the rest of the paper designated for recycling. This is accomplished by forwarding the materials to another company that processes the paper into pulp.

The IPC investigators took the patient health records obtained from the recycling company to the IPC office in order to secure them. The bag contained two types of documents. The vast majority of the documents were patient records from the Toronto Clinic, which were in various states of repair. Some were intact and the patients to whom they related were clearly identifiable. Others were ripped apart and torn. Documents taken from the bag that related to the Toronto Clinic filled three regular sized document boxes. The patient records related to services that had been provided to patients over three years 1992, 1993 and 1994.

The second type of document taken from the bag was comprised of a limited number of records and memoranda relating to an identifiable company. This company was not a provider of health care services and the records did not contain personal health information.

The Toronto Clinic

A team of IPC investigators attended at the Toronto Clinic on the morning of October 3 and advised the staff person in charge that a review was being conducted to determine how records from the Toronto Clinic could possibly have ended up on a film set. The investigators were referred by the staff person to the management team of the company that operated the Toronto Clinic (the Head Office), located at a separate site.

The IPC investigators immediately attended at the Head Office and met with the management team. Throughout this investigation, the management team provided total cooperation to the IPC in all respects including containment of records and determining how their records could have ended up on the set of a film shoot.

A staff member at the Toronto Clinic recalled that a number of boxes of patient records for the years 1992, 1993, 1994 had recently been removed from the Toronto Clinic’s storage area and transferred to another clinic located in Richmond Hill. The staff member worked at both clinics.

The staff member indicated that the Toronto Clinic was asked to remove their boxes from the designated storage area by the building’s landlord. The staff member went to retrieve the records and was shocked to find that the landlord had removed the boxes from their locked storage area. The boxes were found just outside the locked storage area in a crawl space adjacent to the building’s common parking area. The staff member indicated that she checked with other Toronto Clinic staff and confirmed that the landlord had never provided notice that the boxes were being removed from the storage area. The staff member, taking appropriate action, loaded the boxes into her van and took them to the Richmond Hill clinic where she knew there was room to store them. She recalled there being 10 to 20 boxes of various sizes.


The Head Office provided the following information:

• they currently engage only one paper disposal company for the disposal of patient health records through the shredding of these records;

• this company began providing services in approximately July, 2004; the relationship began because management was disposing of a large volume of archived patient records that they were no longer required to retain;

• after this was completed, the Paper Disposal Company began providing regular shredding services including placing its own shredding container at the Richmond Hill Clinic;

• it had been made clear at the beginning of the relationship, through verbal discussions with the owner of the Paper Disposal Company, that shredding services were the only type of paper disposal being requested;

• however, there was no written contract for shredding service and the only documentation relating to the service was the invoices provided by the Paper Disposal Company;

• the invoices for the services provided by the Paper Disposal Company referred exclusively to “shredding services;”

• prior to its arrangement with this Paper Disposal Company, a large volume of patient records had been shredded by another company that had attended at the Richmond Hill Clinic location and had shredded materials on-site;

• the higher cost of the on-site shredding had been a factor in deciding to discontinue this service; there had been no written contract with the service provider.

The IPC advised the Head Office that all the patient health records recovered from the film set related to the Toronto Clinic and to services provided in the years 1992, 1993, and 1994. This corresponded with the boxes that the staff member from the Toronto Clinic reported having transferred to the Richmond Hill Clinic.

The Head Office had just received an invoice in the mail indicating that boxes had been picked up for “shredding services” on September 26, 2005. The number of boxes taken for shredding was not recorded on the invoice nor could the Head Office confirm how many boxes were removed from the Richmond Hill Clinic that day.

As a result of our investigation, the Head Office contacted all its clinics and advised that materials should not be sent out for shredding until further notice.

The receptionist at the Richmond Hill Clinic recalled that a staff member from the Toronto Clinic had delivered some boxes and indicated that they should be given to the “shredding company.” The receptionist also recalled the day the driver had picked up these boxes and her interactions with him. The receptionist provided the following information:

• the driver had attended at the Richmond Hill Clinic a few days before he picked up the boxes to retrieve the shredding bin;

• she could not recall the exact date, but she did recall that on this day, she showed the driver the boxes from the Toronto Clinic and he indicated that he had not been made aware of the boxes before he arrived and did not have room on his truck to take them that day;

• the driver indicated that he would return to the Richmond Hill Clinic the following week to pick up the boxes;

• the driver returned a few days later and, as he usually did, came to the reception area and said he was from the “shredding company;”

• she went with the driver to point out the boxes from the Toronto Clinic; to the best of her recollection there was no discussion at all about what he was to do with the boxes or about “shredding” or “recycling;”

• the driver had a trolley and she saw him place several of the boxes onto the trolley, although she wasn’t sure how many;

• she recalled that after removing these boxes from the trolley, the driver came back with an empty shredding bin and dumped the rest of the boxes into this bin and took them away.

Paper Disposal Company

The owner of the Paper Disposal Company provided the following information to the IPC about the matters under review:

• the company was contracted to provide shredding services by the Toronto Clinic’s management;

• the company does not engage exclusively in shredding services; it also provides paper recycling and records management services to a variety of large and small clients;

• on September 23, 2005 a staff member (the driver) attended at the Richmond Hill Clinic to pick up paper from the designated shredding bin at that location;

• the driver was advised that there were some additional boxes to be removed from a back room;

• the driver told the receptionist that he could not remove these boxes and said he would return the following week to pick them up;

• on September 26, 2005 the driver returned to the Richmond Hill Clinic to pick up the boxes;

• the driver specifically recalled picking up the 10 boxes on September 26, 2005; he recalled that he removed some boxes to the truck directly and dumped others into a shredding bin before removing them from the clinic;

• the driver could not be certain as to how many boxes were dumped into the shredding bin before leaving the clinic and how many he removed with the boxes intact, directly to the truck;

• the driver recalled that the boxes were of varying sizes and had recorded in his logbook that a total of 10 boxes were picked up;

• the driver assumed that the boxes were to be taken away for recycling based on a short conversation with the receptionist which he could not recall in detail, and based on the fact that the boxes were not contained within the designated shredding bin.

The owner of the Paper Disposal Company confirmed that the driver’s decision on that day to mark the boxes for “recycling” was not in accordance with their agreement with the Head Office of the clinics, which provided that all documents collected from the clinics must be shredded. The owner agreed that recycling had never been requested in the past for any of the clinics and to the best of his recollection, the Head Office had always been invoiced for shredding of documents, including those picked up on September 26, 2005.

The owner of the Paper Disposal Company provided the following information about his Company’s handling of the boxes once they had been removed from the Richmond Hill Clinic:

• the driver placed the boxes in his truck and transported them back to the Paper Disposal Company’s facility;

• the material from the boxes that was dumped into a shredding bin at the Richmond Hill Clinic would have been removed at the Paper Disposal Company’s facility and shredded, but the driver could not specifically recall whether this was done;

• the boxes that were removed from the Richmond Hill Clinic are believed to have been left on the truck based on the driver’s mistaken belief that they were to be disposed of via recycling;

• the driver delivered these boxes to a recycling depot the next day; the driver could not recall which recycling depot he had delivered them to but could narrow it to two depots, one of which was the depot of the recycling company that had provided the paper to the film set;

• there was no record to indicate which recycling depot the records had been delivered to.

The owner of the Paper Disposal Company provided the following general information about its processes:

• if the boxes retrieved from the Richmond Hill Clinic had been designated for shredding as provided for in the arrangement with the Head Office, they would have been removed from the truck on the day they were picked up and shredded at the company’s premises;

• at its shredding facility, a cross-cut technique is used which shreds paper to a size recommended by industry standards, which ensures that documents cannot be reconstructed and that a single piece will not contain any readable data;

• the owner always explains the shredding standards that will be used to potential clients and to those that retain his company;

• clients are offered the opportunity to view the shredding facility;

• there was no arrangement in place with the Head Office to provide them with confirmation of shredding services when completed;

• the recycling company was one of several companies where the Paper Disposal Company dropped off paper it had collected from clients who had designated paper for “recycling;”

• the expectation of the Paper Disposal Company was that any paper left at the recycling company would be used only for recycling purposes and would not be resold, though there was no written agreement in place with the recycling company;

• in some cases, the Paper Disposal Company contracts shredding to another shredding facility, but the owner would always inform any client of his intention to do so, and the client would have the option of viewing this shredding in person or through a web cam over the Internet.

Summary: When all the information from the various parties involved is considered together, the likely chain of events that led to the patient health records appearing on the set of the Toronto film shoot is as follows:

• archived patient health records relating to services provided at the Toronto Clinic in the three years of 1992, 1993 and 1994 were stored in boxes that were moved from the Toronto Clinic’s storage area by its landlord;

• the landlord informed the Toronto Clinic’s staff that it should remove the boxes from the storage area but did not inform them that he intended to remove the boxes from the storage area himself;

• when an employee of the Toronto Clinic went to retrieve the boxes, she found them sitting outside the storage area in a crawl space within the building’s public parking area; she transported them to the Richmond Hill Clinic where they were designated for disposal;

• the boxes had been in storage for a long period of time; they were old and dirty and of various shapes and sizes;

• the records were too numerous to fit inside the designated shredding bin at the Richmond Hill Clinic;

• the Paper Disposal Company’s driver attended to empty the shredding bin at the Richmond Hill Clinic and was advised about the boxes but told the receptionist he could not fit them onto the truck;

• the driver returned a few days later to retrieve the boxes which were in a back room of the Richmond Hill Clinic on the floor;

• the driver was directed to the boxes and asked to remove them;

• the driver and the receptionist at the Richmond Hill Clinic had a brief conversation which neither recall directly addressing the issue of “shredding” vs. “recycling;”

• the driver assumed that it was not necessary to shred the documents because they were not inside the shredding bin when they were shown to him;

• the driver placed some of the boxes intact onto a trolley and removed the rest by dumping them into an empty shredding bin before leaving the Richmond Hill Clinic;

• the driver, acting on his assumption that it was not necessary to shred the materials, did not deliver the intact boxes he removed from the Richmond Hill Clinic to his employer’s premises for shredding and instead left them on the truck;

• the materials that he dumped from some of the boxes into a shredding bin were taken off the truck and shredded;

• the next day, the driver transported the intact boxes he had left on the truck to the warehouse of a paper recycling company and left them on the warehouse floor;

• staff at the paper recycling company were in the midst of responding to a request from a special effects company for a large volume of documents needed to serve as scrap paper on a film set;

• staff at the paper recycling company gathered paper from the piles where the health records had been left earlier and gave them to the special effects company, in a single large box;

• the special effects company delivered the large box of paper, including the health records, to the set of a film shoot relating to the attacks on New York’s World Trade Center on September 11, 2001;

• the film set was in downtown Toronto and the health records from the box were blown and scattered around the streets during filming to create a special effect for a scene in the movie;

• the IPC retrieved the equivalent of three regular sized document boxes of patient health records from the recycling company, which it had retrieved directly from the set of the film shoot.

Throughout this investigation, the staff of all parties involved have been extremely cooperative and have worked closely with the IPC to contain the damage from the original incident, to investigate the facts, and to prevent a similar incident from occurring in the future.

Notification of Affected Patients: The IPC worked closely with the Head Office to develop a plan to carry out notification of the affected patients. Given the age of the records and the potential that patient addresses may now be inaccurate, it was determined that the best approach under these circumstances would be to post a notice at the Toronto Clinic where the health services described in the records were provided. The notice sets out exactly what happened and the chain of events leading to the loss of their records. The notice also refers to the involvement of the IPC and indicates that the Toronto Clinic will be reviewing its information practices in order to avoid a similar loss from occurring in the future.

THE DECISION: I began this review on October 3, 2005 by issuing a Notice of Review to the Toronto Clinic. Subsequently, a Notice of Review was provided to the Paper Disposal Company on October 6, 2005. On October 13, 2005, I sent both the Toronto Clinic and the Paper Disposal Company a letter setting out my understanding of the facts of the case and my preliminary views as to potential orders that I was considering. The letters also solicited representations from both parties. The Paper Disposal Company provided written representations on October 17, 2005. Written representations were received from the Toronto Clinic on October 20, 2005.

PERSONAL HEALTH INFORMATION

Personal health information is defined in section 4 of the Act, which reads in part as follows:

“personal health information”, subject to subsections (3) and (4), means identifying information about an individual in oral or recorded form, if the information,

(a) relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family,

(b) relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual,

(c) is a plan of service within the meaning of the Long-Term Care Act, 1994 for the individual,

(d) relates to payments or eligibility for health care in respect of the individual,

(e) relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such body part or bodily substance,

(f) is the individual’s health number, or

(g) identifies an individual’s substitute decision-maker.

The information at issue in this review consisted of documents describing X-ray and ultrasound services provided to patients. A typical patient record involved in this case included a test requisition form accompanied by a form recording the results of the X-ray or ultrasound, which in some cases included a diagnosis and written summary of the results. Each patient record also indicated when the patient had attended at the clinic, the patient’s name, address, telephone number, date of birth, and Ontario health card number.

I find that the information in these records qualifies as “personal health information” as defined under section 4 of the Act.

HEALTH INFORMATION CUSTODIAN

A health information custodian is defined in section 3 of the Act, which reads in part as follows:

“health information custodian”, subject to subsections (3) to (11), means a person or organization described in one of the following paragraphs who has custody or control of personal health information as a result of or in connection with performing the person’s or organization’s powers or duties or the work described in the paragraph, if any:

... 4. A person who operates one of the following facilities, programs or services:

i. A hospital within the meaning of the Public Hospitals Act, a private hospital within the meaning of the Private Hospitals Act, a psychiatric facility within the meaning of the Mental Health Act, an institution within the meaning of the Mental Hospitals Act or an independent health facility within the meaning of the Independent Health Facilities Act.

I am satisfied, after having reviewed the independent health facility licence, that the corporation (Head Office) that operates the Toronto Clinic, an independent health facility within the meaning of the Independent Health Facilities Act, is a health information custodian within the meaning of section 3(1)4(i) of the Act. Although the corporation that operates the Toronto Clinic is the health information custodian, for the purposes of this Order, I will make reference to the Toronto Clinic as the health information custodian.

As already noted in the summary of the facts, the records containing personal health information that were used by the film production company originated with the Toronto Clinic. However, the records were moved from the Toronto Clinic to the Richmond Hill Clinic prior to being picked up by the Paper Disposal Company. Although the two clinics are operated by different companies, I have been advised that the owners of the companies are the same.

Based on the facts before me, I have concluded that responsibility for the security and secure disposal of the records rests with the Toronto Clinic. The records originated at the Toronto Clinic, had been stored at that site for a lengthy period of time and were in its custody and control. The records were moved to the Richmond Hill premises only as a result of the actions of the Toronto Clinic’s landlord and the astute actions of an employee of both clinics. I find that there was never any intent on the part of the Toronto Clinic to transfer custody or control of the records to the Richmond Hill Clinic. The records were stored at the Richmond Hill Clinic only as a temporary measure pending their disposal by the Paper Disposal Company. In this regard, the Richmond Hill Clinic was acting as an agent of the Toronto Clinic. As a result, for the purposes of this Order, I will consider the Toronto Clinic to be the responsible health information custodian.

AGENT

The term “agent” is defined in section 2 of the Act as follows:

“agent,” in relation to a health information custodian, means a person that, with the authorization of the custodian, acts for or on behalf of the custodian in respect of personal health information for the purposes of the custodian, and not the agent’s own purposes, whether or not the agent has the authority to bind the custodian, whether or not the agent is employed by the custodian and whether or not the agent is being remunerated;

The Paper Disposal Company picked up personal health information from the Richmond Hill Clinic pursuant to a verbal agreement with the Head Office. The Paper Disposal Company placed bins inside the Richmond Hill Clinic, retrieved documents from these bins and removed them from the Richmond Hill Clinic with the understanding that they would be shredded at the Paper Disposal Company’s own facility.

As will be discussed, the Toronto Clinic, as a health information custodian, has a responsibility under section 13(1) of the Act to dispose of personal health information in a secure manner. The Toronto Clinic entered into a relationship with the Paper Disposal Company specifically for the purpose of fulfilling this responsibility. The Paper Disposal Company was therefore acting on behalf of the Toronto Clinic for this purpose and not its own purposes.


As a result, I find that the Paper Disposal Company is an “agent” of the Toronto Clinic as defined in section 2 of the Act.

SECURITY

The Act requires a health information custodian to take reasonable steps to ensure that personal health information in its custody or control is protected against theft, loss and unauthorized use or disclosure, and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal.

Section 12(1) of the Act reads as follows:

A health information custodian shall take steps that are reasonable in the circumstances to ensure that personal health information in the health information custodian’s custody or control is protected against theft, loss and unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal.

Representations from the Toronto Clinic

On October 20, 2005, the Toronto Clinic provided the following representations:

1) they considered the storage area in their parking garage to be part of their premises under their lease, and believed it was solely for their use. The lease states that the landlord must give 48 hours’ notice before entering their premises, and no notice was provided;

2) as the storage area was initially considered to be for their sole use, they did not consider it necessary to specifically detail what was contained therein;

3) the Toronto Clinic has a Policy and Procedure manual which is read by all staff and each staff member is required to sign it annually to indicate they have read it;

4) they have a Privacy Policy which is included in the manual and was written with the assistance of the Ontario Association of Radiologists;

5) adequate information practices are in place to ensure that the location of all patient information is documented and that personal health information is adequately secured.

The lease between the Toronto Clinic and the landlord reads as follows:

“The tenant acknowledges and agrees that the storage areas in the basement of the building form part of the Common Areas and Facilities and may be utilized by the Tenant, at the sole discretion of the Landlord, only with the prior written consent of the Landlord and subject to the imposition of such rules and regulations in respect thereof as the Landlord shall determine, acting reasonably. There shall be no additional charge in respect of such storage area.”

The section of the lease relating to “Right of Access by the Landlord” provides as follows:

“The landlord or its representatives shall have the right to enter the Leased Premises upon forty eight (48) hours’ written notice at all reasonable times to examine them, to show them to prospective purchasers, lessees, mortgagees or others with whom the Landlord has business relations; to make any repairs, alterations, improvements or additions to the Leased Premises as the Landlord may be required to perform pursuant to this Lease; and to view the state of repair of the Leased Premises; and the Tenant shall not in any way interfere with such entry or the exercise of the Landlord’s right in that regard.”

Analysis

The facts gathered during the review indicate that boxes of patient records stored in a locked area in the basement of the Toronto Clinic’s premises were the source of the records that ended up on the film set. The staff at the Toronto Clinic did not appear to be aware that there were boxes of patient records in this storage area. The facts also indicate that the landlord had a key and had removed the boxes from the locked storage area and left them in the parking garage. The boxes were not easily visible as they were in a crawl space but nonetheless they were in an area used by other tenants and accessible to the public. The Toronto Clinic staff reported that the landlord had not told them that he had removed the boxes from their storage area.

Staff at the Toronto Clinic could not confirm and did not have any documentation to indicate how many boxes were originally held in the storage locker, how many were found in the underground parking area, or how many were ultimately moved to the Richmond Hill Clinic for disposal.

Under the lease, the storage area was considered to be a common area, not part of the Toronto Clinic’s premises. As a result, the requirement to give 48 hours’ notice arguably did not apply to this space. The lease provides that the storage area was considered to “form part of the Common Areas and Facilities and may be utilized by the Tenant, at the sole discretion of the landlord and subject to the imposition of such rules and regulations in respect thereof as the Landlord shall determine, acting reasonably.” This section of the lease suggests it was the landlord that was in control of this space, though he was required to act reasonably. In any event, regardless of the terms of the lease, the facts of this case show that the landlord was able to access the storage area and move boxes of personal health information records without the active involvement of the Toronto Clinic.

The circumstances under which these boxes were stored reveal a lack of adequate security to ensure their protection against theft, loss or unauthorized access. The absence of reasonable controls on the personal health information and the corresponding records led to the boxes being placed in a public area without the knowledge of the Toronto Clinic, thereby exposing personal health information to unauthorized disclosure.


It is incumbent upon health information custodians to ensure the security of all health information in their possession, throughout the entire lifecycle of the records. Custodians have a responsibility for ensuring that personal health information records in their custody or control are secure until the time of their disposal, and the form of that disposal must be permanent and irreversible.

Therefore, on the basis of the above, I find that the Toronto Clinic did not take reasonable steps to comply with section 12(1) of the Act.

HANDLING OF RECORDS and AGENTS AND INFORMATION

The Act also requires a health information custodian to ensure that records of personal health information are handled properly in accordance with the Act. Section 13(1) of the Act requires that:

A health information custodian shall ensure that the records of personal health information that it has in its custody or under its control are retained, transferred and disposed of in a secure manner and in accordance with the prescribed requirements, if any.

In this case, the Toronto Clinic relied on the Paper Disposal Company to dispose of their records. I have already found that the Paper Disposal Company was acting as an agent of the Toronto Clinic for this purpose. Where an “agent” is involved in handling personal health information on behalf of a health information custodian, section 17 of the Act applies.

Section 17 of the Act reads as follows:

(1) A health information custodian is responsible for personal health information in the custody or control of the health information custodian and may permit the custodian’s agents to collect, use, disclose, retain or dispose of personal health information on the custodian’s behalf only if,

(a) the custodian is permitted or required to collect, use, disclose, retain or dispose of the information, as the case may be;

(b) the collection, use, disclosure, retention or disposition of the information, as the case may be, is in the course of the agent’s duties and not contrary to the limits imposed by the custodian, this Act or another law; and

(c) the prescribed requirements, if any, are met.

(2) Except as permitted or required by law and subject to the exceptions and additional requirements, if any, that are prescribed, an agent of a health information custodian shall not collect, use, disclose, retain or dispose of personal health information on the custodian’s behalf unless the custodian permits the agent to do so in accordance with subsection (1).


Section 17(1) describes the steps a health information custodian must take when structuring its relationship with agents who will have access to personal health information. The health information custodian must ensure that the agent observes the same limits the Act imposes on them in terms of the collection, use, disclosure, retention or disposal of personal health information. The agent must only be permitted to collect, use, disclose, retain or dispose of personal health information if it is within the scope of the duties that the health information custodian has defined.

Section 17(2) imposes a corresponding obligation on agents to collect, use, disclose, retain or dispose of personal health information on the custodian’s behalf only to the extent permitted by the custodian in accordance with the custodian’s responsibilities under section 17(1).

Discussion

The Paper Disposal Company did not shred the records containing personal health information that it had retrieved from the Richmond Hill Clinic on September 26, 2005. A mistaken belief led the driver of the Paper Disposal Company to deliver personal health information records to a recycling company warehouse. From there, a large quantity of the personal health information was put into a box and sold to a special effects company. This personal health information ended up being strewn about public streets as part of the filming process, where it was easily accessible to passers-by.

The facts of this case raise the question of how health information custodians can fulfill their obligations under section 13(1) of the Act, to dispose of personal health information in a secure manner. Similarly, responsibility is also placed on agents to ensure that they are acting within the authority granted to them by the health information custodian and in compliance with the Act, when disposing of records containing personal health information. Given that the sensitive health records of identifiable individuals ended up on the streets of downtown Toronto, these records were clearly not disposed of securely.

When it comes to the disposal of personal information, particularly something as sensitive as personal health information, recycling documents or selling intact documents for recycling is not an acceptable option for disposal. To guarantee the protection of personal health information, the information must be physically destroyed in an irreversible manner prior to being disposed of, sold or recycled. To ensure that information is properly disposed of, recognized standards and practices for the physical destruction of information must be followed.

Let there be no mistake: recycling does not equal secure disposal. In the recycling process, paper is collected based on its specific type and stored in warehouses for lengthy periods of time until enough has been accumulated to make a sale. Often, the paper is sold while still intact, where it is then again stored for long periods of time until it is used to produce new paper products. The greatest danger here lies in the fact that there is no control over the outcome. Once an organization has discarded or sold its documents to a vendor, or a vendor has sold those documents to a processing plant, there is no way to guarantee how those documents will be handled or who to contact in case of a breach.


The National Association for Information Destruction, or NAID, is a national association that represents companies that specialize in secure information and document destruction. The mission statement of NAID Canada, the Canadian arm of NAID, is to raise awareness and understanding of the importance of secure information and document destruction. As such, NAID Canada offers programs and services based on a set of best practices for the proper management and destruction of sensitive documents. Their position on secure disposal of sensitive information is particularly relevant to health information custodians and their responsibilities for secure disposal under section 13(1) of the Act.

NAID Canada makes the vital point that every organization has information that requires secure destruction. Clearly, this is the case for health information custodians when disposing of personal health information records. NAID Canada states that the only acceptable method for disposing of records is to destroy them by a method that ensures the information is completely obliterated, for example, by irreversible shredding of the documents. This highlights the crucial distinction between destroying documents through shredding vs. recycling of documents. Recycling is not viewed as an adequate alternative to shredding. Only through shredding or permanently destroying documents can an organization be assured of the fact that the information contained in these documents is obliterated and placed beyond any possible further use.

Equally important for a health information custodian is to obtain concrete assurances from the disposal company that the secure shredding and destruction of personal health information has been successfully completed. NAID Canada recommends that, after the destruction process has been completed, a signed certificate of destruction be sent from the shredder to the organization from whom the records originated, confirming that the specific records sent from the organization to the shredder have in fact been destroyed. Further, the exact date, time and location of where the documents were destroyed, and the name and signature of the operator who performed the destruction, must also be provided.

A health information custodian’s responsibility to securely dispose of personal health information can only be met through the permanent destruction of those records, for example through irreversible shredding such as “cross-cut” shredding. The personal health information contained in these records must be obliterated to render them irreversible and to ensure that reconstruction of the information is virtually impossible. Further, if the health information custodian is entrusting the secure disposal function to an agent, such as a shredding company, the agent must provide the health information custodian with a written attestation confirming the fact of the destruction, as well as the date, time and location of destruction, and the name and signature of the operator.

In order to ensure that a health information custodian’s obligations under section 13(1) are met, the health information custodian, when engaging an agent to dispose of records, must enter into a written contractual agreement with that agent. The agreement should clearly spell out the responsibilities of the agent to securely destroy the personal health information records, how the destruction will be accomplished, under what conditions, and by whom. The agreement should also require the type of attestation of destruction described above.


Since an agent is carrying out functions on behalf of a custodian, any obligations of the custodian are similarly required of the agent in order for it to carry out the duties of the custodian. Thus, to the extent that the Paper Disposal Company provides disposal services to other health information custodians, the company should have such a written contract in place with those custodians as well.

The need for a written agreement or contract between organizations handling sensitive personal information and third parties providing services with regard to that information is widely recognized. Under Article 17 of the European Union’s Directive on Data Protection, 1 when one person or body retains another to process personal data (including the destruction of such data) on its behalf, it must choose one that provides “sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out,” and it must ensure compliance with those measures. Further, such processing of personal data must be governed by “a contract or legal act” that stipulates, among other things, that the person or body processing the data shall act only on instructions from the person or body that retained it. The parts of the contract or legal act relating to data protection must be “in writing or in another equivalent form.”

Similarly, the United States Department of Health and Human Services has issued the Standards for Privacy of Individually Identifiable Health Information (also known as the “Privacy Rule”), 2 which implement the privacy requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Privacy Rule establishes a set of national standards for the protection of health information, and it addresses the use and disclosure of such information by certain health-related service-providers (“covered entities”). Among other things, the Privacy Rule requires a covered entity to “have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.” In addition, it creates certain obligations on the part of a covered entity that retains a “business associate” (generally, a person or organization outside the covered entity’s workforce that provides services involving health information for the covered entity or on its behalf). If a covered entity discloses health information to a business associate or allows the business associate to create or receive such information on its behalf, the covered entity must (with certain exceptions) obtain “satisfactory assurance that the business associate will appropriately safeguard the information.” The covered entity must document these assurances “through a written contract or other written agreement or arrangement” with the business associate.

On June 1, 2005, new Federal Trade Commission regulations came into effect in the United States. The regulations stem from the Fair and Accurate Credit Transactions Act and outline the duties of persons and companies when disposing of consumer credit reports and information derived from those reports. The regulations require “reasonable” disposal measures so that personal information is rendered permanently destroyed. Examples of reasonable measures given are burning, pulverizing or shredding such information, and destroying or erasing electronic media containing such information. The introduction of these rules means that the practice of simply discarding personally identifiable information into the trash is no longer just a careless business practice; it is now against the law.

1 EC, European Parliament and Council Directive 95/46 of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, [1995] O.J. L. 281/10.

2 45 C.F.R. Parts 160 and 164 (December 28, 2000, revised October 1, 2004). See sections 160.102(a), 160.103, 164.502(e), 164.504(e), 164.530(c)(1).

Several states in the United States also have specific requirements for the destruction of records containing personal information, including when businesses retain disposal companies to dispose of records on their behalf. In Georgia, for example, a business cannot “discard” (throw away, get rid of or eliminate) a record containing a customer’s personal information unless it first shreds the record, erases the personal information in the record, makes the personal information unreadable, or takes steps to ensure that no unauthorized person will have access to the personal information between the time the record is sold or transferred to a record-destruction business and the time the record is destroyed. 3

In Texas, when a business disposes of a business record containing a customer’s personally identifying information, it is required (with some exceptions) to make the information “unreadable or undecipherable” by shredding or erasing it, or by some other means. The business may contract with a third party “engaged in the business of disposing of records” to fulfill this obligation. 4

Under the provisions of a recent New Jersey law (most of which is not yet in force), businesses and public entities are required to “destroy, or arrange for the destruction of,” customer records within their custody or control that contain personal information and which they are no longer retaining. They must do so “by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable, undecipherable or non-reconstructable through generally available means.” 5

Given the circumstances of this case, the discussion in this Order regarding the destruction of records has been specific to paper records. However, it is equally important to note that the same principles are applicable to personal health information in electronic form. This means that health information custodians who are disposing of electronic records must ensure that those records are permanently destroyed or erased in an irreversible manner that ensures that the information cannot be reconstructed in any way.

3 SB 475, An Act to amend various provisions of the O.C.G.A. as they relate to identity fraud and the collection and dissemination of personal identifying and financial information on individuals and businesses so as to protect such information, 2002 Leg., Ga., 2002 (signed 2 May 2002). See section 8.

4 HB 698, An Act relating to the disposal of certain business records that contain personal identifying information; providing a civil penalty, 79th (R) Leg., Tex., 2005 (signed 18 June 2005). See sections 2 and 3.

5 A4001, Identity Theft Prevention Act, 211th Leg., N.J., 2005 (approved 22 September 2005, P.L.2005, c.226). See sections 10 and 11.


Representations of the Parties

On October 14, 2005, the owner of the Paper Disposal Company wrote to the IPC to provide representations. The Paper Disposal Company was very co-operative and committed to adopting the following practices immediately (which were said to be in place with many of their existing customers), in order to avoid any future misunderstandings:

1) all health information clients will be required to sign a receipt each time that documents are picked up for destruction;

2) any loose documents picked up for shredding will be deposited into a designated container in the truck;

3) after material has been destroyed, a certificate of destruction will be issued to the client;

4) written service agreements will be issued to any clients that do not already have one in place;

5) any sub-agent that paper is delivered to for recycling purposes (with the full knowledge of the client) will provide a written agreement stating that the sub-agent will not use the paper for any purpose other than recycling.

I am pleased with this response and commend the Paper Disposal Company for taking immediate action. I am also gratified that the steps the company has committed to taking are consistent with industry practices, as noted above. The Company’s response is significant in view of the actions I intend to order be taken by the parties involved.

In its representations, the Toronto Clinic agreed that it should establish a written agreement with any disposal company used, and advised that they are in discussions and will have such documentation in place shortly.

Analysis of Sections 13(1), 17(1) and 17(2)

In this case, my review found that there was no written agreement between the Toronto Clinic and the Paper Recycling Company, setting out their mutual understanding of how the records of personal health information were to be handled. This is contrary to the Toronto Clinic’s Privacy Policy which states that the Clinic uses a bonded contractor, who “must adhere to contractual privacy obligations.” Similarly, no record was maintained by the Toronto Clinic to confirm what personal health information was transferred to the Paper Disposal Company for shredding purposes. There was also no provision for the Toronto Clinic to obtain any confirmation that the shredding had actually been conducted.

The Toronto Clinic had formed its relationship with this agent on the basis of a verbal agreement. The Paper Disposal Company provides shredding services, retrieval of paper designated for recycling, and records management services to different types of businesses. The Paper Disposal Company was relatively “unknown” to the Toronto Clinic in that there had been no previous relationship. While there was a mutual understanding that records from the Toronto and Richmond Hill Clinics were to be shredded (not recycled), this was not set out in writing, and contributed to the unauthorized disclosure that resulted. In my view, there should have been a written contractual agreement that clearly set out the responsibilities of the parties, ensured that any paper provided by the Toronto Clinic to the Paper Disposal Company was securely shredded and required confirmation that the records had been shredded by the Paper Disposal Company. This would have helped to ensure that the Toronto Clinic had met its obligation for secure disposal of the records set out in section 13(1), and that the Paper Disposal Company had disposed of the records in accordance with the limits imposed by the Toronto Clinic and the Act as required by section 17(2).

In the absence of such a written agreement, I find that the Toronto Clinic failed to ensure that the records of personal health information in its custody or control were disposed of in a secure manner as required by section 13(1). In addition, under section 17(1), the Toronto Clinic remained responsible for the secure disposal of the records by its agent, the Paper Disposal Company. The absence of a written agreement between the Toronto Clinic and the Paper Disposal Company contributed to the unauthorized and insecure disposal of the records by the Paper Disposal Company. I therefore also find that the Toronto Clinic was not in compliance with its responsibilities under section 17(1) of the Act.

Further, I find that the Paper Disposal Company’s action in forwarding the records to a recycling facility instead of shredding them, while caused by a mistaken belief, was not in accordance with its responsibilities under section 17(2) of the Act. The Paper Disposal Company’s actions were not consistent with the obligations the Toronto and Richmond Hill Clinics imposed in their verbal agreements, which provided for all documents to be shredded. If there was any doubt on the part of the driver of the Paper Disposal Company as to whether the records in question were to be shredded or recycled, he should have checked with the staff of either the Richmond Hill or Toronto Clinics instead of assuming (incorrectly) that they need not be shredded. This could have been prevented had a written contract been in place specifying that records picked up from any of these clinics were to be securely shredded. To the extent that the Paper Disposal Company provides disposal services to other health information custodians, the company must have such a written agreement in place with those custodians as well. This will help to ensure compliance with section 17(2) of the Act.

In addition, in providing the personal health information records to a third party recycling company without adequate assurances that the records would be disposed of securely, the Paper Disposal Company did not comply with section 17(2). When an agent, such as the Paper Disposal Company, chooses to use a third party, or a sub-agent, to handle personal health information as part of the secure disposal process, the agent must have a written contractual agreement in place with the sub-agent to ensure that the requirements of the Act and the contractual agreement with the health information custodian are met. The agent must also provide notice to the health information custodian that a sub-agent will also be handling the personal health information.


SUMMARY OF FINDINGS:

As set out above, I have found that the information in the records qualifies as personal health information, that the corporation that operates the Toronto Clinic is a health information custodian and that the Paper Disposal Company is an agent of the health information custodian as defined in the Act.

I find that the Toronto Clinic failed to take reasonable steps to ensure that the personal health information in its custody or control is protected against theft, loss and unauthorized use or disclosure as required by section 12(1) of the Act.

I find that the Toronto Clinic failed to ensure that the personal health information within its custody or control was disposed of in a secure manner as required by section 13(1) of the Act.

I find that the Toronto Clinic failed to comply with the requirements of section 17(1) of the Act which requires it to be responsible for the proper handling of personal health information by it and its agents. In my view, this obligation in the context of this company’s relationship requires a written contractual agreement setting out the agent’s duty to securely shred the materials and requires the agent to provide an attestation confirming the fact that shredding has been completed.

Finally, I find that the Paper Disposal Company’s action in forwarding the records to a recycling facility instead of shredding them, while caused by a mistaken belief, was not in accordance with section 17(2) of the Act.

ORDER:

1. I order the Toronto Clinic to review its information practices to ensure that records of personal health information in its custody or control are securely stored and protected against theft, loss and unauthorized use or disclosure. The Toronto Clinic shall make any necessary changes to its information practices as a result of the review.

2. I further order the Toronto Clinic to put into place a written contractual agreement with any agent it retains to dispose of personal health information records. The agreement must set out the obligation for secure disposal and require the agent to provide written confirmation through an attestation once secure disposal has been conducted. Secure disposal must consist of permanently destroying paper records by irreversible shredding or pulverizing, thus making them unreadable. Further, steps must be taken to ensure that no unauthorized person will have access to the personal health information between the time the records leave the health information custodian’s custody until their actual destruction.

3. I order the Paper Disposal Company to put into place a written contractual agreement with any health information custodian for whom it will shred personal health information that includes the obligation for it to shred securely and irreversibly. I further order the Paper Disposal Company to provide an attestation confirming destruction of personal health information containing the time, date and location of the destruction, as well as the name and signature of the operator who performed the shredding.

4. I order the Paper Disposal Company to ensure that any handling of personal health information by a third party company be documented in a written contractual agreement that binds the third party to the requirements of the Act and its contractual agreement with the health information custodian.

5. I further order the Paper Disposal Company to put into place procedures that prevent paper records containing personal health information, designated for shredding, from being mixed together with paper that is being disposed of through the recycling process.

6. In order to verify compliance with Order provisions 1 and 2, I require the Toronto Clinic to provide me with confirmation that it has reviewed its information practices, and a copy of the written contractual agreement with the agent it retains to dispose of personal health information, on or before December 31, 2005.

7. In order to verify compliance with Order provisions 3, 4 and 5, I require the Paper Disposal Company to provide me with a copy of the written agreements and procedures it establishes, on or before December 31, 2005.

POSTSCRIPT

When the Personal Health Information Protection Act came into effect on November 1, 2004, health information professionals became subject to new rules governing their information management practices. This engendered some uncertainty and anxiety among these professionals, the vast majority of whom were motivated to comply with the new rules to the best of their ability. As the individual responsible for overseeing compliance with the new Act, I wanted to alleviate these concerns.

I have always believed that publicly identifying the organization or individual that is subject to an Order, whether involving access to information or relating to information management practices, serves a key public interest. As such, Orders issued by my office pursuant to our public sector responsibilities have always identified the institution involved. I believe that a similar public service will be served by identifying health information custodians who are subject to Orders under the Act. However, prior to the Act coming into effect, I made the decision that a one-year period of grace regarding the identification of custodians in an Order was appropriate. This would allow sufficient time for custodians to learn their obligations under the Act and “put their house in order” without concern for any potential embarrassment of being identified in an Order. Recall that this Act came into effect shortly after being introduced and that the learning curve required could be characterized as “steep.” For these reasons, the parties in this Order, my first under this Act, have remained anonymous. However, as of November 1, 2005, Orders of my office issued pursuant to the Act will identify the relevant health information custodian and any other parties with responsibilities under the Act.

October 31, 2005

Ann Cavoukian, Ph.D.
Commissioner
