PHIPA DECISION 230

Complaint HI23-00019

Syed Nasir Ahmed (also known as Nash Ahmed), Woburn Medical Dental Centre Inc., 2699064 Ontario Inc., Apex Properties Inc. (carrying on business as Apex Property Management), Apex Financial Corp. (carrying on business as Apex Property Management), Houselink and Mainstay Community Housing, 1583728 Ontario Inc. (carrying on business as XYZ Storage), 1255894 Ontario Limited (carrying on business as All Canadian Self-Storage), Kevin Lee, Anthony L. Forgione, John Parchenko

November 21, 2023

Summary: In this decision, the adjudicator finds that Woburn Medical Dental Centre Inc. is the health information custodian of the records of personal health information alleged to have been abandoned. The adjudicator orders the custodian and its agent to retrieve and secure the records. The adjudicator also finds that the use and/or disclosure of the records by certain respondents is governed by section 49(1) of the Act and that some of these respondents have contravened section 49(1) of the Act by withholding some of the records from the custodian. The adjudicator orders these respondents to return these records to the custodian when the custodian attends to retrieve them. The adjudicator makes other orders against some of the respondents necessary to preserve and secure the records until the custodian has retrieved them.

Statutes Considered: Personal Health Information Protection Act, 2004 , S.O. 2004, c. 3, sections 2 , 3(1) , 4 , 7 , 12(1) , 13(1) , 17 , 29 , 49 , and 61 .

Decisions Considered: PHIPA Decisions 221 and 49.

OVERVIEW:

[1] This decision follows an interim order (PHIPA Decision 221) that was issued to preserve and secure records of personal health information.[1] As further described in PHIPA Decision 221, the Information and Privacy Commissioner of Ontario (IPC) commenced a review under section 58(1)  of the Personal Health Information Protection Act, 2004 (the Act) about a report of abandoned records of personal health information. In this decision, I make findings and issue an order disposing of the issues in this matter.

Initial report of alleged abandoned records

[2] On June 2, 2023, a representative of Apex Property Management[2] (APM) contacted the IPC to report alleged abandoned records of personal health information (the records) at 4129 Lawrence Avenue West (the property). The report indicated that Woburn Medical Dental Centre Inc. (Woburn) had operated a medical clinic at the property, that Syed Nasir Ahmed was the owner of Woburn, that the property had been sold and that Mr. Ahmed had failed to retrieve and deal with the records. A representative of APM also explained that it had moved approximately 300 boxes of the records to a storage facility that was later identified as XYZ Storage.[3]

[3] I will refer to the records located at the XYZ Storage facility as the “XYZ Records.” It later became known that some of the records remained at the property. The remaining records are referred to below as the “Houselink Records.”

IPC’s response to the report and the Notice of Review

[4] After the report of alleged abandoned records, the IPC had discussions with the representatives of APM and with Mr. Ahmed to gather information. On July 21, 2023, the IPC commenced a review[4] under the Act with respect to suspected abandoned records of personal health information at the property. A Notice of Review was issued to Woburn and Mr. Ahmed. Mr. Ahmed provided a written response. In his written response, Mr. Ahmed stated, among other things, that he is the director of Woburn and that he is doing “whatever needed to be done” to protect the records. He explained that he had been restricted from accessing the property by a person named Kevin Lee and by APM.

[5] In the weeks following July 21, 2023, the IPC had several conversations with Mr. Ahmed requesting that he contact APM or XYZ Storage to retrieve and secure the records. Mr. Ahmed's efforts were unsuccessful. He advised that while he had contacted XYZ Storage, XYZ Storage informed him that it would not release the records unless it was paid for the outstanding fees owed by APM to store the XYZ Records. Mr. Ahmed stated that he was unable to pay the amounts requested by XYZ Storage to release the XYZ Records to him.

Threat to destroy XYZ Records, PHIPA Decision 221 and the Amended Notice of Review

[6] Initially, after it made the report of alleged abandoned records to the IPC, APM was cooperative. However, circumstances changed on August 21 and 22, 2023, when Anthony L. Forgione, a representative of APM, stated that APM would be directing XYZ Storage to destroy the XYZ Records and falsely stated that the IPC had instructed him to destroy the records at issue. The IPC immediately advised APM that APM is not to provide any such instructions to XYZ Storage.[5]

[7] On August 22, 2023, APM advised the IPC as follows:

I have provided you with sufficient time to resolve this, your inability to do so is not our issue. If you would like to meet and take carriage of the locker we can be there tomorrow, otherwise we will have a mobile destruction unit onsite tomorrow at 3pm to shred the documents.

[8] XYZ Storage advised the IPC that it had not received payment of outstanding storage fees from APM and threatened to vacate the storage locker by holding a contents auction, initially on August 21, 2023. After discussions with IPC staff, XYZ Storage agreed not to auction the contents on August 21, 2023. On August 22, 2023, XYZ Storage advised the IPC that while it would not sell, auction or destroy the XYZ Records, there was nothing stopping APM from paying the outstanding balance and retrieving the storage unit contents (i.e., the records of personal health information), for the purpose of destroying them.

[9] On August 22, 2023, I issued PHIPA Decision 221, which contains an interim order made to ensure that the XYZ Records are retained in a secure manner and are protected against theft, loss, and unauthorized use or disclosure and are protected against unauthorized copying, modification or disposal, during the IPC’s review of this matter.

[10] At the same time that I issued PHIPA Decision 221, I issued an Amended Notice of Review, in which I invited Mr. Ahmed, Woburn and several new respondents to provide representations.

[11] APM, Mr. Forgione, John Parchenko (the director, President and Secretary of Apex Financial Corp.), XYZ Storage and Mr. Lee were added as respondents in the Amended Notice of Review in consideration of the additional information received regarding events surrounding the alleged abandonment of the XYZ Records.

[12] The current owner of the property, Houselink and Mainstay Community Housing (Houselink), was also added as a respondent in the Amended Notice of Review because the IPC was advised that when Houselink took possession of the property, there were additional suspected records of personal health information located there. I will refer to these records as the “Houselink Records.” On August 24, 2023, the IPC was advised by Houselink that the Houselink Records were moved to its head office where they are being retained in a secure manner.

[13] On August 23, 2023, representatives of XYZ Storage acknowledged the order contained in PHIPA Decision 221 and stated XYZ Storage’s intention to cooperate with the IPC. On August 23, 24 and 30, 2023, XYZ Storage inquired further, advising that it is owed certain amounts of money for storage unit rental fees and that it could not and would not release the records to Woburn or Mr. Ahmed without APM’s authorization.

[14] Houselink acknowledged receipt of PHIPA Decision 221 and stated its intention to cooperate with the IPC.

[15] On August 30, 2023, Mr. Ahmed, on behalf of Woburn, advised the IPC again that it understood Woburn’s obligations as a health information custodian. Mr. Ahmed also provided a written response to the Amended Notice of Review on behalf of Woburn.

[16] None of APM, Mr. Lee, Mr. Forgione or Mr. Parchenko acknowledged or responded to PHIPA Decision 221 or to the Amended Notice of Review.

Supplementary Notice of Review

[17] On September 7, 2023, the IPC issued a Supplementary Notice of Review to the named respondents.[6] At this time, I also shared Woburn’s responses to date with the other named respondents.

[18] I received representations from XYZ Storage, Houselink, Mr. Ahmed and Mr. Lee. I did not receive any response from APM, Mr. Forgione or Mr. Parchenko.

Invitation to reply

[19] On October 19, 2023, after clarifying some of the information provided by Houselink and issuing an interim decision to share Mr. Lee’s representations with the other respondents,[7] I shared the representations received with each of the other respondents, including those who had not participated to date. I invited all of the named respondents to reply to the representations received. At this stage, I also asked Mr. Lee and Mr. Ahmed specific additional questions intended to clarify some of the information received. I also re-invited APM to provide a response to all of the issues in the review.

[20] Only Mr. Ahmed provided an additional response.

Invitation to make representations on potential findings and orders

[21] On November 7, 2023, I informed all respondents about potential findings and orders that the IPC may make in consideration of the representations received in the review. At that time, I invited all respondents to make any further representations.

[22] Mr. Ahmed indicated that he would not be filing further representations. XYZ Storage provided a brief response that I will describe further below. No other respondents provided any further representations about the potential findings and orders.

[23] However, for the first time since the issuance of PHIPA Decision 221, Mr. Forgione (of APM) contacted the IPC. He indicated that he would be filing representations; however, as of the date of this decision neither he nor APM has done so.

DISCUSSION AND DECISION:

The relationships between the respondents prior to the IPC’s involvement

[24] During the review of this matter, the IPC received information and copies of records from respondents who provided representations to the IPC. Certain respondents also made other statements when communicating with the IPC, and the IPC conducted its own corporate searches. Based on this information, the nature of the relationships between the respondents prior to the report of abandoned health records to the IPC is set out below.

[25] Mr. Ahmed advised that he is the director of Woburn. A corporate search was conducted on July 12, 2023, and Mr. Ahmed was listed as a director of Woburn. Mr. Ahmed referred to Woburn and himself as "we" and has responded on behalf of Woburn throughout this review.

[26] Mr. Ahmed stated that Woburn operated a medical clinic at the property for many years, and that Woburn leased the property for this purpose from 2699064 Ontario Inc. (2699064) pursuant to a lease agreement that according to Mr. Ahmed was set to expire in July 2025 (the 2699064 lease).

[27] Mr. Lee advised that Mr. Ahmed is the owner of 2699064. A corporate search conducted on August 16, 2023, listed Mr. Ahmed as a director, President and Secretary of 2699064.

[28] Mr. Lee stated that he is the mortgagee of 2699064 in respect of the property. According to a “statutory declaration of solicitor pertaining to the property”[8] (the statutory declaration), in December 2019 Mr. Lee loaned 2699064 money and a charge/mortgage was registered on the title of the property (the mortgage).[9] According to Mr. Ahmed, Mr. Lee, and the statutory declaration, the property was once owned by 2699064.[10]

[29] At some point thereafter, 2699064 defaulted on the mortgage, which led to the power of sale.

[30] According to Mr. Ahmed, Houselink, Mr. Lee, and the terms of a July 2022 Agreement of Purchase and Sale between Houselink and Mr. Lee, the property was sold to Houselink pursuant to a power of sale (a creditor relief action provided for in the Mortgages Act).

[31] The sale of the property from Mr. Lee to Houselink closed on or around May 23, 2023 (the close date).

[32] Mr. Ahmed stated that he was aware of the power of sale and was in the process of winding down Woburn’s operations at the property. Mr. Ahmed also stated that as of May 2023, he was working to retrieve from the property records related to the operations of Woburn. Mr. Ahmed stated that he believed that Woburn had additional time to access the property pursuant to the 2699064 lease for the purpose of securing the records.

[33] Mr. Lee stated that Woburn was in default of the 2699064 lease. Houselink, as the purchaser of the property, advised that it understood that the 2699064 lease had been terminated.

[34] Mr. Lee provided email correspondence indicating that Mr. Ahmed was provided with notice and an opportunity to retrieve the medical records related to the operations of Woburn from the property prior to Houselink taking possession of the property.

[35] Mr. Ahmed stated that, in and around May 2023, Mr. Lee restricted Woburn from accessing the property, including to retrieve and secure the medical records.

[36] Mr. Ahmed stated that, in and around May 2023, Anthony Forgione and Apex Property Management[11] (APM) began to communicate with Mr. Ahmed about Woburn’s access to the property and the records. Mr. Ahmed understood APM to be acting on behalf of Mr. Lee because its representatives (i.e., Mr. Forgione) entered, and controlled access to, the property and continued to restrict his access to it, like Mr. Lee had done before.

[37] Houselink stated that when it obtained possession of the property from Mr. Lee, it was Mr. Forgione of APM who provided Houselink with the keys to the property.

[38] When Mr. Forgione (on behalf of APM) contacted the IPC to make the report that commenced this review (described above) he told the IPC that the operator of the clinic (Woburn) had failed to retrieve records from the property and that the records were removed from the property and moved to a storage facility operated by XYZ Storage.

[39] On May 16, 2023, APM entered into a self storage agreement with XYZ Storage (the storage agreement). The storage agreement is signed by Mr. Forgione, on behalf of APM.

[40] While there are disagreements among the respondents about the validity of the 2699064 lease and the amount of time that Mr. Ahmed had to retrieve the records from the property prior to the close date, there are no major inconsistencies about the above-described circumstances among the respondents that require resolution to make the findings and orders below.

The records are records of personal health information

[41] As a preliminary matter and for the reasons that follow, I find that the records are records of personal health information.[12] As explained in several prior IPC decisions, “personal health information” is to be given a broad interpretation.[13]

[42] I find that the services provided by Woburn related to the providing of “health care” to individuals by health professionals on behalf of Woburn and that the records pertain to those services. I also find that the information contained within the records relates to individuals’ physical or mental health, the identity of persons as providers of health care to them and their health numbers. I formed these conclusions based on the following information provided in the review.

[43] Mr. Ahmed has described the records as “charts” of individuals who were patients of Woburn. He has referred to them as “medical records.” He has also repeatedly stated to the IPC and to the respondent Mr. Lee (in correspondence sent or received prior to the IPC’s involvement) his awareness of the special obligations under the Act to deal with the records of personal health information.

[44] Mr. Ahmed’s statements are consistent with other statements and information provided by other respondents in the review. In its initial contact with the IPC, APM explained that the records belonged to Woburn, a now non-operational medical clinic. Houselink has also confirmed its understanding that Woburn operated a medical clinic. Lastly, Mr. Lee provided a copy of an email sent by Mr. Ahmed in which he identifies a health care practitioner with patients at the clinic and in which he refers to “patient files.”

Who is the “health information custodian” in respect of the records?

[45] For the reasons that follow, I find that Woburn is the “health information custodian” of the records under paragraph 1 of section 3(1) of the Act. Section 3(1)1 of the Act defines “health information custodian” as follows:

"health information custodian", subject to subsections (3) to (11), means a person or organization described in one of the following paragraphs who has custody or control of personal health information as a result of or in connection with performing the person's or organization's powers or duties or the work described in the paragraph, if any:

1. A health care practitioner or a person who operates a group practice of health care practitioners.[14]

[46] Woburn has consistently claimed to be the health information custodian of the personal health information it collected and maintained as a medical clinic, which included the personal health information in the records. None of the other respondents claim to be the health information custodian for the records and do not dispute that Woburn is the health information custodian for the personal health information in the custody or control of the medical clinic operated by Woburn, and therefore of the records.

[47] Woburn stated to the IPC that the records were collected during the operation of a medical clinic that operated at the property since 1971. I find this statement credible because Mr. Ahmed, on behalf of Woburn, has expressed an awareness of the record-keeping obligations in the Act for health information custodians and because of the other respondents’ understandings of the business of Woburn.

[48] “Health care practitioner” and “health care” are defined in the Act. Applying the definitions, I find that Woburn is a person “who has custody or control of personal health information as a result of or in connection with performing” Woburn’s powers or duties or the work described in paragraph 1 of section 3(1): “a person who operates a group practice of health care practitioners.” I therefore find that Woburn is the health information custodian.

[49] During the review, Woburn was asked to identify if there are any other health information custodians, including whether section 3(7) of Ontario Regulation 329/04 applies in this matter.[15] Mr. Ahmed maintained that he is the health information custodian with custody or control over the records.

Who is the “agent of the health information custodian” within the meaning of section 2 of the Act?

[50] I find that Mr. Ahmed is the agent of Woburn (as the health information custodian) within the meaning of section 2 of the Act.

[51] The term “agent” in relation to a health information custodian is defined in section 2 of PHIPA as follows:

“agent”, in relation to a health information custodian, means a person that, with the authorization of the custodian, acts for or on behalf of the custodian in respect of personal health information for the purposes of the custodian, and not the agent’s own purposes, whether or not the agent has the authority to bind the custodian, whether or not the agent is employed by the custodian and whether or not the agent is being remunerated[.]

[52] When an agent handles personal health information on behalf of a custodian, the agent must comply with the Act and do so in accordance with any conditions or restrictions imposed on the actions of its agents in respect of the personal health information.[16]

[53] Mr. Ahmed has been the sole representative of Woburn before the IPC during the review. According to copies of correspondence sent and received prior to the IPC’s involvement (and obtained during the review), Mr. Ahmed has been the constant and consistent representative of Woburn for the purposes of dealing with Mr. Lee and APM.

[54] I find that Mr. Ahmed has been acting with the authorization of Woburn and not for any other purpose other than the purposes of Woburn and that he is therefore the agent of the health information custodian. Mr. Ahmed is accordingly required to comply with the Act in respect of the records.

The other respondents

[55] I have considered whether any of the respondents other than Woburn and Mr. Ahmed (the other respondents) are the health information custodian or the agent of the health information custodian in respect of the records.

[56] As outlined above, only XYZ Storage, Mr. Lee and Houselink provided representations in the review. Each of these persons deny that they are the health information custodian or an agent of the health information custodian (within the meaning of section 2 of the Act). Although APM has not participated in the review, when it initially reported the potentially abandoned records to the IPC, it stated that Woburn (and not APM) was the health information custodian and did not take the position that it was the health information custodian of the records.

[57] None of the respondents intend to continue to use the records for the same purposes for which Woburn used them. None of the other respondents are health care practitioners. None of the other respondents operate (or operated) a medical clinic or any business that could reasonably be considered to provide health care. None of the other respondents could reasonably be considered to be a person operating a group practice of health care practitioners.

[58] With no evidence or argument to the contrary, I find that none of the other respondents are the health information custodian or the agent of the health information custodian.

Are any or all of the other respondents’ use and/or disclosure of the records governed by section 49(1) of the Act?

[59] A person who is not a “health information custodian” may still be subject to the Act’s rules in respect of personal health information that a custodian “discloses” to the person. These persons can generally be referred to as “recipients.”

[60] Section 7(1)(b)(ii) of the Act states:

7(1) Except if this Act or its regulations specifically provide otherwise, this Act applies to,

(b) the use or disclosure of personal health information, on or after the day this section comes into force, by,

(ii) a person who is not a health information custodian and to whom a health information custodian disclosed the information, even if the person received the information before that day[.]

[61] Section 49(1) of the Act sets out rules for recipients of personal health information from health information custodians. This section states:

49. (1) Except as permitted or required by law and subject to the exceptions and additional requirements, if any, that are prescribed, a person who is not a health information custodian and to whom a health information custodian discloses personal health information, shall not use or disclose the information for any purpose other than,

(a) the purpose for which the custodian was authorized to disclose the information under this Act; or

(b) the purpose of carrying out a statutory or legal duty.

[62] In addition, section 49(2) addresses the extent of any allowable use or disclosure of personal health information by recipients of personal health information from health information custodians. This section states:

(2) Subject to the exceptions and additional requirements, if any, that are prescribed, a person who is not a health information custodian, and to whom a health information custodian discloses personal health information, shall not use or disclose more of the information than is reasonably necessary to meet the purpose of the use or disclosure, as the case may be, unless the use or disclosure is required by law.

[63] To determine whether any of the other respondents have duties under section 49, it is necessary to determine whether the records were “disclosed” each or any of them by the health information custodian. Section 2 of the Act defines the term "disclose" as follows:

“disclose”, in relation to personal health information in the custody or under the control of a health information custodian or a person, means to make the information available or to release it to another health information custodian or to another person, but does not include to use the information, and "disclosure" has a corresponding meaning[.]

[64] On this point, I find helpful the analysis in previous IPC decisions that have considered the meaning of the term “disclose” in the Act in a situation involving section 49. PHIPA Decision 49 concerned an incident in which a patient covertly accessed the personal health information of other patients, without the knowledge or permission of the physician who had custody or control of that information. In PHIPA Decision 49, the adjudicator found that this access constituted a disclosure of the personal information at issue because of the fact that the information had been “made available” to the patient and therefore “disclosed” to the patient. The adjudicator reached this conclusion despite the evidence that the health information custodian had not intended nor was he aware of the disclosure.

[65] A number of IPC decisions have also considered situations in which an unauthorized actor gained access to ("snooped" in) the personal health information of other individuals held in a custodian's information systems.[17] In these cases, the IPC has found that the act of releasing or making available the information at issue to an unauthorized actor qualifies as a "disclosure" within the meaning of the Act, irrespective of whether there was any intention on the part of the disclosing party to share that information.

[66] I agree with the reasoning in PHIPA Decisions 49, 102 and 110. In my view, in certain circumstances, the approach taken in these decisions is consistent with one of the overall purposes and objectives of the Act to establish rules for the collection, use and disclosure of personal health information about individuals that protect the confidentiality of that information and the privacy of individuals with respect to that information, while facilitating the effective provision of health care.[18]

[67] The sale of the property led to the records being left at the property, without Woburn being able to access them. As a result of the records being left at the property, some of the XYZ Records were “made available” by Woburn to Mr. Lee and those acting on Mr. Lee’s behalf. In relation to the XYZ Records, those acting on Mr. Lee’s behalf are APM, Mr. Forgione and XYZ Storage. I will refer to these parties as the “Recipients of the XYZ Records.”

[68] Also, as the result of the records being left at the property, the Houselink Records were “made available” to Mr. Lee and those acting on his behalf, and to Houselink (and its agents). In relation to the Houselink Records, those acting on Mr. Lee’s behalf are APM and Mr. Forgione. I will refer to these parties as the “Recipients of the Houselink Records.”

[69] I conclude that APM and Mr. Forgione were acting on behalf of Mr. Lee on the basis of the undisputed circumstances outlined above at paragraphs 24 to 39. Specifically, Mr. Lee sold the property to Houselink. Mr. Lee, with the assistance of APM, then restricted Woburn from accessing the property while the records remained within it and it provided Houselink, the new owner, with access to the property.

[70] I conclude that XYZ Storage was acting on behalf of Mr. Lee on the basis of the undisputed circumstances outlined above at paragraphs 24 to 39, namely that XYZ Storage entered into the storage contract with APM in relation to the XYZ Records, which records originated at the property.

[71] Although there was no intention on the part of Woburn to disclose the records to the Recipients of the XYZ Records or the Recipients of the Houselink Records, it is my view that the circumstances that led to the current situation, namely Woburn not retrieving the records from the property following the sale, led to the disclosure of the records of personal health information to persons that are not health information custodians, and as such any use or disclosure of the records is governed by section 49 of the Act.

[72] I make this finding acknowledging that the obligations arising under section 49 are high and that it may not be appropriate to hold a person who through no fault of their own comes into possession of records of personal health information. I have weighed this consideration, in particular, in light of the actions of Houselink, who has not impeded Woburn from retrieving the Houselink Records. Section 49(1) limits the ability of any person who is not a health information custodian and receives personal health information from a health information custodian to use or disclose the information.

[73] To summarize, based on my review of the particular circumstances that resulted in this review, I am satisfied that Woburn disclosed personal health information to the Recipients of the XYZ Records and the Recipients of the Houselink Records, who are not health information custodians, within the meaning of section 49(1) of the Act.

[74] Section 29 of the Act provides that a health information custodian shall not collect use or disclose personal health information about an individual unless:

1. it has the individual’s consent under this Act and the collection, use or disclosure, as the case may be, to the best of the custodian’s knowledge, is necessary for a lawful purpose; or
2. the collection, use or disclosure, as the case may be, is permitted or required by this Act.

[75] There is no evidence or information before me to suggest that this disclosure of personal health information by Woburn was authorized under the Act. In particular, there is no evidence or suggestion that Woburn had obtained consent to disclose this personal health information to the Recipients of the XYZ Records or the Recipients of the Houselink Records, nor that this disclosure would otherwise be authorized under the Act without consent. As such, I find that this disclosure was not authorized for any purpose under the Act.

XYZ Records

[76] Section 2 of the Act defines the term “use” as follows:

"use", in relation to personal health information in the custody or under the control of a health information custodian or a person, means to view, handle or otherwise deal with the information, subject to subsection 6 (1),3 but does not include to disclose the information, and "use", as a noun, has a corresponding meaning.

[77] As set out above, “use” includes any “dealing with information.”[19] I find that the ongoing retention and withholding of the XYZ Records from Woburn by XYZ Storage, APM Mr. Forgione and Mr. Lee, is a "use" of the XYZ Records.

[78] Woburn has not stated in its representations nor have any of the Recipients of the XYZ Records taken the position that Woburn has authorized any use of the XYZ Records, including their retention and withholding from Woburn. This ongoing use of the XYZ Records constitutes a contravention of section 49(1) of the Act.

[79] As set out above, “disclose” includes “to make the information available or to release it to another health information custodian or to another person”. Any disclosure of the XYZ Records for a purpose for which the custodian was not authorized to disclose the information under the Act or not for the purpose of carrying out a statutory or legal duty would be a contravention of section 49(1) of the Act.

[80] As I have set out above, Woburn as the custodian, was not authorized to disclose the records under section 29 of the Act to any of the respondents. In addition, none of the respondents have taken the position that Woburn had any such authorization, that any such authorization was provided by Woburn or that there is any applicable statutory or legal duty, within the meaning of section 49(1)(a) or (b) of the Act.

[81] In its representations, XYZ Storage pointed to the storage agreement entered into with APM as the basis for its refusal to provide Woburn access to the XYZ Records. The storage agreement does not include or name Woburn. XYZ Storage has explained that it is willing to grant access to Woburn and/or Mr. Ahmed if its storage fees are paid and it receives authorization from APM. Any payment issues that XYZ Storage has cannot be resolved by the IPC.

[82] As explained above, I informed all of the respondents about potential findings I may make in consideration of the representations received and provided them an opportunity to make further representations. In response, XYZ Storage indicated that it would “need confirmation of when Woburn or Mr. Ahmed will pick the XYZ Records.” I have taken this into consideration in drafting the order provisions below.

[83] Section 61(1)(e) of the Act permits the IPC to:

(e) make an order directing any person whose activities the Commissioner reviewed to return, transfer or dispose of records of personal health information that the Commissioner determines the person collected, used or disclosed in contravention of this Act, its regulations, or an agreement entered into under this Act but only if the return, transfer or disposal of the records is not reasonably expected to adversely affect the provision of health care to an individual.

[84] Having found that the Recipients of the XYZ Records have contravened section 49(1) and not having information before me to suggest that the return of the XYZ Records could reasonably be expected to adversely affect the provision of health care to any individual, I will, under section 61(1)(e), be ordering the Recipients of the XYZ Records to return the XYZ Records to Woburn when he appears to retrieve and secure them.

[85] Section 61(1)(c) of the Act also permits the IPC to:

(c) make an order directing any person whose activities the Commissioner reviewed to perform a duty imposed by this Act or its regulations;

[86] To ensure that the only action to be taken with respect to the XYZ Records is pursuant to the order made under section 61(1)(e), I will also make an order under section 61(1)(c) that the Recipients of the XYZ Records, as persons who have duties and restrictions under section 49(1) of the Act, limit any use and/or disclosure of the XYZ Records to only those necessary to comply with the order made under section 61(1)(e), namely the return of the XYZ Records to Woburn upon Woburn’s appearance to retrieve and secure them.

Houselink Records

[87] I find that the ongoing retention of the Houselink Records by Houselink and/or Mr. Lee is a “use” of the Houselink Records. Unlike the XYZ Records, Houselink is prepared to allow Woburn to retrieve and secure the Houselink Records and has not withheld the Houselink Records from Woburn.

[88] Any disclosure or use of the Houselink Records for a purpose for which the custodian was not authorized to disclose the information under the Act, or not for the purpose of carrying out a statutory or legal duty, would be a contravention of section 49(1) of the Act.

Did Woburn take reasonable steps to protect personal health information in its custody or control?

[89] The Act requires health information custodians to protect personal health information in their custody or control, including against unauthorized use or disclosure. Section 12(1) of the Act states:

A health information custodian shall take steps that are reasonable in the circumstances to ensure that personal health information in the custodian’s custody or control is protected against theft, loss and unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal.

[90] A related obligation is the duty to have in place and to comply with information practices that address, among other things, administrative, technical and physical safeguards and practices in relation to personal health information (sections 10(1) and (2), and section 2 of the Act).

[91] The Act also requires health information custodians to ensure that records of personal health information are retained, transferred and disposed of in a secure manner. Section 13 states:

Handling of records

13 (1) A health information custodian shall ensure that the records of personal health information that it has in its custody or under its control are retained, transferred and disposed of in a secure manner and in accordance with the prescribed requirements, if any.

Retention of records subject to a request

(2) Despite subsection (1), a health information custodian that has custody or control of personal health information that is the subject of a request for access under section 53 shall retain the information for as long as necessary to allow the individual to exhaust any recourse under this Act that he or she may have with respect to the request.

[92] As described in PHIPA Decision 50, sections 12(1) and 13(1) of the Act impose significant obligations on health information custodians to protect personal health information in their custody or control.

[93] As I have set out above, Woburn (as the custodian) was not authorized to disclose the records under section 29 of the Act to any of the respondents. Since the sale of the property, Mr. Ahmed on behalf of Woburn has attempted to secure and retain the XYZ Records but has been unsuccessful for the reasons described above. Also, he has not, despite opportunity, secured and retained the Houselink Records.

[94] These failures constitute a contravention of Woburn’s obligations under sections 12 and 13 of the Act.

[95] Specifically, pursuant to section 12(1) of the Act, Woburn has failed to:

take steps that are reasonable in the circumstances to ensure that personal health information in the custodian’s custody or control is protected against theft, loss and unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal.

[96] Pursuant to section 13(1) of the Act, Woburn’s actions have also resulted in a failure to:

ensure that the records of personal health information that it has in its custody or under its control are retained, transferred and disposed of in a secure manner and in accordance with the prescribed requirements, if any.

[97] Woburn states that it is aware of its obligations as a health information custodian in relation to the records. It states that it intends to deal with the records in accordance with its obligations under the Act. It states that its only impediment is the loss of access to the XYZ Records precipitated by the sale of the property and that when this is rectified, it will be able to secure all of the records.

[98] As I understand Woburn’s position, the most pressing concern was the retrieval of the majority of the records – the XYZ Records. Woburn states that when it retrieves the XYZ Records, it will then retrieve the Houselink Records.

[99] Because Woburn permitted an unauthorized disclosure of the records and failed to meet its obligations under sections 12 and 13(1), I find it necessary to impose an order on Woburn to ensure that it takes the actions necessary to retrieve and secure the records.

[100] Section 61(1)(c) of the Act permits the IPC to:

(c) make an order directing any person whose activities the Commissioner reviewed to perform a duty imposed by this Act or its regulations;

[101] Having established that Woburn is the health information custodian with responsibilities under section 12 and 13 of the Act, I will make an order under section 61(1)(c) that the Woburn comply with the duties set out in sections 12 and 13 by retrieving and securing the XYZ Records and the Houselink Records.

[102] Also, section 61(1)(h) of the Act permits the IPC to:

(h) make an order directing any person who is an agent of a health information custodian, whose activities the Commissioner reviewed and that an order made under any of clauses (a) to (g) directs to take any action or to refrain from taking any action, to take the action or to refrain from taking the action if the Commissioner considers that it is necessary to make the order against the agent to ensure that the custodian will comply with the order made against the custodian; or

[103] In these circumstances, to assist and ensure that Woburn will comply with the orders made against it, I find it necessary to make an order against Mr. Ahmed as an agent of the health information custodian. To ensure and assist Woburn to comply with the order I make under section 61(1)(c), I will also order Mr. Ahmed to retrieve and secure the XYZ Records and the Houselink Records for the purposes of securing them for Woburn to comply with its duties in sections 12 and 13 of the Act.

ORDER

For the reasons set out above, I order as follows:

1. Under section 61(1)(c) of the Act, that, on or before December 7, 2023, Woburn Medical Dental Centre Inc. shall retrieve the XYZ Records and secure them pursuant to sections 12(1) and 13(1) of the Act.
2. Under section 61(1)(c) of the Act, that Woburn Medical Dental Centre Inc. shall provide 1583728 Ontario Inc. (carrying on business as XYZ Storage) with 48 hours written notice of its attendance to retrieve and secure the XYZ Records.
3. Under section 61(1)(e) of the Act, that 1583728 Ontario Inc. (carrying on business as XYZ Storage), 1255894 Ontario Limited (carrying on business as All Canadian Self-Storage), Apex Properties Inc. (carrying on business as Apex Property Management), Apex Financial Corp. (carrying on business as Apex Property Management), Kevin Lee and Anthony L. Forgione, including their employees and agents, shall return the XYZ Records to Woburn Medical Dental Centre Inc. when Woburn Medical Dental Centre Inc. appears to retrieve the XYZ Records.
4. Under section 61(1)(c) of the Act, that 1583728 Ontario Inc. (carrying on business as XYZ Storage), 1255894 Ontario Limited (carrying on business as All Canadian Self-Storage), Apex Properties Inc. (carrying on business as Apex Property Management), Apex Financial Corp. (carrying on business as Apex Property Management), Kevin Lee and Anthony L. Forgione, including their employees and agents, shall not use, dispose, destroy or disclose the XYZ Records other than to comply with order provision 3 of this Order.
5. Under section 61(c) of the Act, that, on or before December 7, 2023, Woburn Medical Dental Centre Inc. shall retrieve the Houselink Records and secure them pursuant to sections 12(1) and 13(1) of the Act.
6. Under section 61(c) of the Act, that Woburn Medical Dental Centre Inc. shall provide Houselink and Mainstay Community Housing with 48 hours written notice of its attendance to retrieve and secure the Houselink Records.
7. Under section 61(h) of the Act, that Syed Nasir Ahmed (also known as Nash Ahmed), as the agent of the health information custodian, Woburn Medical Dental Centre Inc., shall retrieve and secure the XYZ Records and the Houselink Records and provide the required written notice as referenced in order provisions 1, 2, 5 and 6 of this Order, in order to ensure that Woburn Medical Dental Centre Inc. complies with this Order.
8. For greater clarity, nothing in this Order shall be interpreted to interfere with the regulatory activities of a College under the Regulated Heath Professions Act, 1991.

Original signed by:		November 21, 2023
Valerie Jepson
Adjudicator