Practitioners must dispose of health records properly

Toronto health lawyer Lonny Rosen says a recent case of patient files being strewn on a street highlights the importance of disposing of health information records in a secure manner.

“It’s a reminder that doctors, dentists, hospitals and other health information custodians must ensure they take appropriate steps to safeguard their records and that means disposing of them in a secure manner – shredding them, for example,” he tells

“Custodians really have to take this seriously because any breach of privacy could result in an order by the (privacy) commissioner, even in a prosecution under the Personal Health Information Protection Act and in a lawsuit against the practitioner for breach of privacy.”

Rosen, partner at Rosen Sunshine LLP, notes that if they use an outside company to do that, it’s key to have a contract in place with that third party to confirm “that the records contain personal health information, the third party’s responsibility for securely disposing of the records and the manner in which the records will be destroyed.”

He makes the comments in relation to a Global News report that details how Ontario’s acting privacy commissioner is concerned after health records containing personal patient information were recently found scattered across a Toronto neighbourhood. One of the records is linked to a Toronto dentist. Rosen was interviewed by Global News for this report.

Dozens of papers with patient names, addresses, phone numbers and social insurance numbers were found near Leslie Street and Sheppard Avenue, not far from North York General Hospital, says the report. Hospital staff there have ruled out any connection to its patients, but information found in some of the documents reveals they may have come from more than one doctor’s office, says the broadcaster.

Ontario’s Privacy Commission says in the article that such a breach of privacy should never happen.

Rosen says there are a number of steps health information custodians can take to protect themselves and their patients. One, they have to put in place effective policies and procedures and all manner of safeguards to ensure that the health records they collect and use are kept securely. Two, they have to ensure they comply with their policies, through audits or reviews. Three, they have to conduct appropriate training for everyone in their office or facility who collects, uses, discloses or disposes of personal health information records so that they know what is required. This would include ensuring that records are destroyed securely – for example, by shredding – such that there’s not a risk of records or copies of records being lost.

“The legislation has been in place now for 10 years, but unfortunately not all staff members of health information custodians (health practitioners and facilities that collect and use personal health information records) are aware of their obligations under privacy legislation. While health care professionals and senior staff and managers of facilities generally understand their obligations, those lessons are not always translated to the front-office folks who collect, use and transmit personal health information records and that’s when breaches occur,” he says.

Rosen says it’s important to note that if any custodian becomes aware that a patient’s personal health information records may have been lost, inappropriately viewed or disposed of, they have an obligation to contact every patient whose personal information has been accessed inappropriately or lost and to disclose that to them at the first reasonable opportunity.

“And they should also get legal advice and support in doing so,” he says. “There’s no obligation to notify the privacy commissioner but it’s often a good idea, particularly when a breach is widespread. The commissioner may offer support in the reporting process. At the same time, custodians should get their own advice first.”
