Full marks to the Information and Privacy Commissioner for the fast investigation and report related to sensitive medical records being used as props on a Toronto movie set (see: The Canadian Privacy Law Blog: Incident: Medical records blowing in the wind in Toronto). She has issued the first order under the Personal Health Information Protection Act.

From the Commisioner's website:

IPC - Medical records found scattered across Toronto streets: Commissioner Cavoukian issues first Order under new law

NEWS RELEASE : October 31, 2005

TORONTO – An investigation into how personal health records ended up being strewn across the streets of downtown Toronto on October 1 as a backdrop for a film production has resulted in a ruling by Information and Privacy Commissioner Ann Cavoukian that both a Toronto X-ray/ultrasound clinic and a paper disposal company had breached Ontario’s Personal Health Information Protection Act (PHIPA).

The Commissioner, who was appalled at learning of this breach, went to the scene herself shortly after being advised of the records being scattered on the streets. “The Order I released today – the first under the new Act – should be carefully reviewed by every health information custodian and paper disposal company in Ontario. Everyone handling personal health records has to realize that the storage and destruction of such sensitive information has to be carried out in the most secure manner so that mistakes such as this are virtually eliminated.”

In her Order, Commissioner Cavoukian said that the personal health records were collected by a paper disposal company that engaged in both shredding and recycling activities. A portion of the personal health records picked up from the clinic were mistakenly believed to be intended for recycling. The records were subcontracted to another recycling company, which later sold them – intact – to the film company for use on its set.

The Commissioner found that:

• the Toronto clinic failed to take all reasonable steps to secure the personal health information in its custody or control;
• the clinic failed to ensure that the personal health information was disposed of in a secure manner; and
• the clinic failed to comply with section 17(1) of PHIPA, which requires it to be responsible for the proper handling of personal health information by itself and its agents. Commissioner Cavoukian said that, in the above context, a written contractual agreement would be required setting out the agent’s duty to securely shred the materials and require the agent to provide a written attestation confirming that shredding has been completed.

The Commissioner also found that:

• the paper disposal company’s action in forwarding the records to a recycling facility instead of shredding them, while caused by a mistaken belief that the records were intended for recycling, contravened the Act.

Commissioner Cavoukian ordered the clinic to review its information practices to ensure that the location of all personal health information within its custody or control is documented, and that this personal health information is adequately secured.

The Commissioner ordered the clinic to put into place a written contractual agreement with any agent it retains to dispose of personal health information. The agreement must set out the obligation for secure disposal and requires the agent to provide written confirmation once secure disposal has been carried out.

“Secure disposal,” the Commissioner said in her Order, “must consist of permanently destroying paper records by irreversible shredding or pulverizing, thus making them unreadable. Further, steps must be taken to ensure that no unauthorized person will have access to the personal health information between the time the records leave the health information custodian’s custody until their actual destruction.”

Similarly, the paper disposal company, which fell under PHIPA because it functioned as an agent, having been given personal health information directly by a health information custodian, was ordered by the Commissioner to put into place a written agreement that includes the requirement for the disposal company to engage in secure shredding and provide an attestation confirming destruction of records.

Among other requirements, the Commissioner also ordered the paper disposal company to put procedures into place that will prevent paper designated for shredding from being mixed together with paper that is intended to be disposed of via recycling.

This Order will establish the practice to be followed by all health information custodians and their agents in Ontario, with respect to the Commissioner’s expectations for the secure disposal of health information records under Ontario’s new Health Information Privacy law.

The Commissioner’s Order, HO-001 is available on the IPC website.

Some media coverage, as well:

Clinic, paper firm broke privacy rules

October 31, 2005

TORONTO -- Ontario's privacy commissioner has found a clinic and a paper-disposal company broke privacy rules after personal health records were strewn on a downtown movie set.

Ann Cavoukian says the health records were collected by a company that engaged in both shredding and recycling.

The company mistakenly believed that the records picked up from the X-ray and ultrasound clinic were meant to be recycled.

As a result, it subcontracted the paper to another recycling company, which later sold it to a film company for use on its set.

The health records then ended up being strewn across the streets of downtown Toronto on Oct. 1 as a backdrop for a film production.

Cavoukian says she was appalled at the breach of Ontario's Personal Health Information Protection Act.

'Everyone handling personal health records has to realize that the storage and destruction of such sensitive information has to be carried out in the most secure manner so that mistakes such as this are virtually eliminated,'' Cavoukian said.

The Toronto clinic, which she did not identify, failed to take all reasonable steps to secure the information and ensure it was disposed of securely.

The paper-disposal company also breached the act by sending the records for recycling instead of shredding them.

She also ordered both facilities to put measures in place to preclude a recurrence. "

Labels: health information, information breaches, ontario, phipa