The Legalities of Protecting Patient Records

Thursday, February 17, 2022 12:36 pm, Posted by Absolute Destruction

Everyone has patient records, some dating back to before birth. Because they are so common, people take them for granted. But they contain a lot of identifiable health information, so health records need proper disposal.

Hospitals have been criticized before for sending old medical records of patients out for recycling instead of using shredding companies in Toronto. When records are disposed of this way, anyone can get information about patients without making an access request.

If unauthorized people access medical records because of improper disposal, it could lead to potential privacy liabilities. Below are the legalities of protecting patient records.

Legislation Concerning Patient Records in Canada

The personal health information contained in patients' medical records deserves protection from unauthorized access. Under Canadian law, institutions and health professionals who fail to keep their patients' faith may be legally liable.

The following laws protect the integrity of sensitive and identifiable personal information, including patient records. At the same time, these Ontario laws provide legal ways for their disclosure for acceptable reasons, including proper ways to do document shredding in Burlington.

Personal Health Information Protection Act

The Personal Health Information Protection Act of 2004, or PHIPA, sets out the rules that apply to all health information custodians in Ontario for collecting, using, and disclosing identifiable health information. Under the act, custodians must take reasonable steps to protect that information from loss, theft, and unauthorized use. In case of a breach, the custodian must inform the affected individuals of that fact.

An affected individual may choose to lodge a complaint with the Information and Privacy Commissioner, an appointee under the Freedom of Information and Protection of Privacy Act. If it results in a conviction, the offending party may be liable to pay up to $10,000 in damages for mental anguish to the affected person.

Privacy Act

The Privacy Act encompasses health and medical records held by the Ontario government. Information includes details of medical treatment received by patients paid for under the Ontario Health Insurance Plan, the province's healthcare plan. Anyone can make an access request with the Ministry of Health and Long-Term Care under limited circumstances. These include:

  • The patient consents
  • The court orders it
  • The government passes a law, such as in the case of infectious diseases


The Personal Information Protection and Electronic Documents Act (PIPEDA) is a federal law for privacy protection in private-sector organizations that sets out the rules for the way businesses handle personal health information. Under limited circumstances, this could apply to personal health information.

Institutions and organizations regulated under PIPEDA must get the concerned party's consent before collecting, using, or disclosing their personal data.

Provincial Legislation

Aside from Ontario, other provinces have laws to protect patient records in the private or public sector, similar to PIPEDA. You can find links to them below:

Protecting Patient Records

Health care institutions such as dental offices can protect patient information, and a health information custodian actually has a legal duty to protect it from unauthorized use. Aside from avoiding liability, these public and private institutions should put specific policies in place to guide physician obligations to safeguard patient privacy.


Physicians and other healthcare professionals can only collect a patient's information to benefit them and may share it for that purpose alone to maintain that trust. A health information custodian should be able to say, "I prioritize the personal health information of our patients."


A health care custodian owes patients a duty of confidentiality over that information on both an ethical and a legal basis. This duty is fundamental to the patient-physician relationship for sustaining the therapeutic nature of the connection.


A fundamental right of each patient is to expect their health information custodian to obtain informed consent when they share patient information for any reason, such as a correction request. Informed consent requires that the patient has all the information that a reasonable person would want to know before providing consent.

Physician as data steward

While a physician and any other personal health information custodian have control over patient records and medical information as data stewards, they do not own it. The patient has the right to access their medical records at any time and to control the disclosure of their personal health information.

Pro Tip “Research about the different policies surrounding patient records to avoid possible legal troubles.”

Safeguard Your Patient Records

Personal privacy laws in Canada and specific provinces spell out the responsibilities of private institutions and public health services for securing a patient's information and health records. To avoid loss of trust and legal liability, you should only disclose the appropriate amount of information dictated by law. That includes ensuring any patient records for disposal are appropriately handled.

Take the first step in protecting patient records with the help of Absolute Destruction. Contact us today and learn more about our services.

FAQs on the Legalities of Protecting Patient Records

Can you sue a doctor for breaching patient confidentiality?

There is no tort law for breaching patient confidentiality in Canada. But a patient in Ontario can lodge a complaint with the Information and Privacy Commissioner, an appointee under the Freedom of Information and Protection of Privacy Act. If the Commissioner deems there has been actual harm to the patient from the breach, the doctor may be liable for damages up to $10,000.

An individual found to be in violation of PHIPA may be fined up to $200,000 plus a year in prison. An institution may be liable for up to $1,000,000.

How do I keep my medical records private?

You can keep your medical records confidential by directing your physician or healthcare professional to keep them so.

  • Before you sign anything, check the fine print to ensure there are no clauses that will allow the custodian to disclose any information.
  • Ask for a copy of your patient records so you can see what they contain.
  • If you believe there has been any breach in the privacy of your medical records, lodge a complaint with the appropriate authorities based on your province.

When can a doctor break confidentiality in Canada?

A doctor can break confidentiality in Canada in the following circumstances:

  • They are required by law
  • They obtained informed consent from the patient
  • A court orders it
