5 June 2025

Decades Later, Patient Records Still Blowing In The Wind

Rosen Sunshine LLP

Contributor

Rosen Sunshine LLP are passionate advocates for professionals and health care providers, trusted advisors to regulators and health organizations, and experts in their field. We work on behalf of institutional and private clients, including regulators, service providers, professionals, professional associations, insurance companies, clinics, facilities, and organizations.

Introduction

More than two decades after the implementation of privacy laws like Saskatchewan's Health Information Protection Act ("HIPA"), basic errors persist. In a recent case, medical records were found blowing on a Regina city street, an unsettling echo of a major privacy breach in Toronto from 20 years ago. The case serves as a reminder that legislative protections alone do not ensure strict compliance. Consistent and dedicated attention and training are required.

The Case of Elphinstone Medical Clinic (Regina, SK)

In the case from Saskatchewan, an employee of a contracted cleaning company failed to recognize bins labeled for shredding and placed patients' medical records in an outdoor recycling bin behind a medical clinic (the "Clinic"). From there, the Saskatchewan wind took over.

The breach was discovered when individuals in a local Facebook group shared that personal health information had been found scattered behind and around the Clinic. These documents were traced back to two psychiatrists.

Two members of the public collected documents and submitted them to the Office of the Information and Privacy Commissioner ("OIPC"). The Commissioner found that a serious privacy breach had occurred and that the Clinic's response fell short of expectations. The Commissioner stated that "...[the psychiatrists] did not adequately identify the root cause of the privacy breach, and that the root cause of the privacy breach was a lack of sufficient administrative and physical safeguards..."1

A Familiar Pattern

The case is uncannily similar to a 2005 Ontario case in which patient records were found blowing around streets in Toronto. The records had been mistakenly collected from an x-ray and ultrasound clinic (the "Toronto Clinic"), bypassed secure shredding, were sold to a film company as scrap paper, and were used on a downtown Toronto film set.

The Ontario Commissioner found that the Toronto Clinic failed to ensure that the personal health information within its custody was disposed of in a secure manner and failed to take reasonable steps to ensure that the personal health information in its control was protected against loss and unauthorized use or disclosure. In her discussion of the case, the Commissioner emphasized that:

"To guarantee the protection of personal health information, the information must be physically destroyed in an irreversible manner prior to being disposed of, sold or recycled. To ensure that information is properly disposed of, recognized standards and practices for the physical destruction of information must be followed.... Let there be no mistake – recycling does not equal secure disposal."2

That advice, although 20 years old, was unfortunately ignored in the recent Saskatchewan case. This highlights the need for training that is not a one-time requirement but an ongoing commitment to privacy and to understanding everyone's role in protecting personal information.

Recommendations: A Return to Privacy Fundamentals

Helpfully, the OIPC (Saskatchewan) provided several recommendations in its report that apply broadly to all healthcare providers:

  1. Contractor Confidentiality: Require signed confidentiality agreements with all contractors and the contractors' employees and ensure that all those involved complete privacy training.
  2. Secure Disposal Process: Replace open recycling bins with locked bins or secure storage for paper records awaiting destruction.
  3. Verification and Audit Trails: Implement a formal verification document when scanning and uploading paper records to the Electronic Medical Record system. This should include:
    • A record description
    • Name and signature of the verifying staff member
    • Method and date of destruction
    • Confirmation that destruction was witnessed
  4. Updated Privacy Policies: Ensure privacy policies are kept up to date and amended to reflect any new procedures. Ensure that all policies are understood and applied consistently.

The report also provided a list of questions to consider when responding to a privacy breach:

  • Can your organization create or make changes to policies and procedures relevant to this privacy breach?
  • Are additional safeguards needed?
  • Is additional training needed?
  • Should a practice be stopped?

Conclusion

Since the early 2000s, Ontario, Saskatchewan and other provinces have had privacy legislation in place to protect health information. Since then, there have been advances in digital health, stronger enforcement regimes, and greater public awareness. Yet, as this case shows, breaches can still occur when day-to-day practices fall short. Every person involved in custody or control of personal health information must understand their role in protecting it. That includes physicians, administrative staff, IT providers, and yes, even custodial staff.

Footnotes

1 Dr. Chukwuemeka Odenigbo and Dr. Nebeolisa Ezeasor (Elphinstone Medical Clinic) (Re), 2025 CanLII 27445 (SK IPC) at para 74.

2 HO-001, Health Information and Privacy Decision, October 2005, at page 17.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
