“Bin” There, Shouldn’t Have Done That: When Medical Records End Up in the Wrong Bin
“Medical records found in Regina recycling bin” reads a CBC News headline from March 2011, where former Commissioner Dickson and members of our office were seen climbing into a paper recycling bin in Regina after personal health information was found inside. This case was, and still is, “the largest breach involving personal health information since The Health Information Protection Act (HIPA) was proclaimed on September 1, 2003” as stated by former Commissioner Dickson. Still, in October 2024, medical records were found blowing in the wind through an alley in Regina (Investigation Report 251-2024, 004-2025 – Elphinstone Medical Clinic).
While our office has only issued seven investigation reports involving personal health information being found in dumpsters or recycling bins[1], we have received at least 15 proactively reported breaches involving the same issue. This is likely only the tip of the iceberg in terms of the volume of personal health information that isn’t disposed of in a secure manner.
Saskatchewan is not alone in this problem of improper disposal of personal health information. In November of 2024, the Ontario Information and Privacy Commissioner (ON IPC) issued PHIPA Decision 266 and classified it as a “case of note” on its website, where personal health information was found in a recycling bin, and developed key takeaways from this case. Further, a study conducted in Ontario in 2018 that assessed the presence of personal health information through a recycling audit of five hospitals in the Toronto area, found that all five hospitals had established policies for disposal of personal health information including secure shredding bins. Of the nearly 2700 documents found, 31% were classified as medium sensitivity (personal health information including diagnosis), and 39% were classified as high sensitivity (personal health information including a description of the patient’s medical condition). Of the types of documentation improperly discarded, clinical notes, summaries, and medical reports were the most frequent type of information (31%).
Many other jurisdictions across Canada have seen similar incidents of improper disposal of personal health information some having made the news. Some examples of similar incidents are listed below.
- CBC News, British Columbia
- Edmonton Journal, Alberta
- Manitoba Ombudsman
- CBC News, Nova Scotia
- CTV News, Prince Edward Island
- CNC News & CTV News, Ontario
As demonstrated, the issue of personal health information being improperly disposed of for a variety of reasons poses a challenge within Saskatchewan and across Canada. Trustees must ensure the security of records in their custody or control through the records entire lifecycle, including the destruction phase. When they fail, the result is a privacy breach.
A privacy breach may occur if the trustee’s employees do not securely dispose of personal health information, but in some cases, particularly seen in the Elphinstone Medical Clinic case (Investigation Report 251-2024, 004-2025), can occur when its cleaning company caused the breach instead. Section 2(1)(a)(i) of the The Health Information Protection Regulations, 2023 (HIPA Regulations) defines an employee as “an individual who is employed by a trustee, including an individual retained under a contract to perform services for the trustee, but does not include a health professional who is retained under a contract.” It is also necessary for the trustee to establish if the party fits the definition of information management service provider as requires both parties to enter into a written agreement. In either case, the responsibility for these privacy breaches remains with the trustee as PART III of HIPA outlines the duty of a trustee to protect personal health information, and sections 16 and 17 are particularly relevant in these scenarios regarding duty to protect and retention and destruction policies when it comes to personal health information.
Section 5 of HIPA Regulations was added in 2023. This section places the onus on a trustee to ensure that the trustee provides orientation on HIPA to its employees and sign a pledge of confidentiality. Section 6 of HIPA Regulations is also new and requires trustees to have a written policy concerning the retention and destruction of personal health information.
For more guidance on this topic, below is a list of resources which have been authored by our office or by other individuals or organizations which may be beneficial:
- The Health Information Protection Regulations, 2023 Questions and Answers (OIPC)
- Blog: Closing a Practice (OIPC)
- Avoiding Abandoned Health Records: Guidance for Health Information Custodians Changing Practice (Ontario Information and Privacy Commissioner)
- Podcast: Lessons in health privacy: key takeaways from 2024 beginning at [31:41] (Ontario Information and Privacy Commissioner)
[1] See Investigation Report 251-2024, 004-2025 (Elphinstone Medical Clinic), Investigation Report 158-2022 (Metis Addictions Council), Investigation Report 154-2022 (Dr. Malhotra), Investigation Report 107-2015 (Spruce Manor Special Care Home), Investigation Report H-2013-003 (Dr. Monea), Investigation Report H-2013-002 (Regina Qu’Appelle Regional Health Authority), Investigation Report H-2011-001 (Dr. Ooi).