Why Vendor Contracts Are Not Enough: What Health Information Custodians Should Know
A recent decision from the Information and Privacy Commissioner of Ontario (IPC) reminds us that health information custodians (HICs) are responsible and accountable for properly destroying records of personal health information (PHI), even if the records are stored off-site by a service provider contracted for that purpose.
The Case
In A Medical Centre (Re), 2026 CanLII 3338 (ON IPC), a medical centre took over a prior medical practice and inherited responsibility for the previous practice’s paper patient charts, which were stored at a third-party storage facility. When a patient requested access to their records, the medical centre requested the files from the storage facility and was advised that the requested files had been securely destroyed after being damaged in a flood at the facility.
The medical centre determined that the requested records no longer existed and advised the patient of this. The IPC received a complaint that the medical centre failed to respond to a request for access to paper medical charts held originally by the medical practice.
The IPC was concerned about whether the medical centre implemented reasonable security practices to protect those records of PHI against loss, and investigated the matter. Notably, the IPC characterized the flood and subsequent destruction of the records as a loss of PHI (and not destruction).[1]
The IPC was also concerned about the medical centre’s notification to affected patients about the loss of their records. While the medical centre informed those who were impacted by the loss, recognized its failures and attempted to improve its information practices and safeguards, it did not notify those individuals of their right to file a complaint with the IPC.[2] The IPC also found that the contract the medical centre had with the storage provider did not address environmental risks (such as flood damage), which made the arrangement inadequate to discharge the HIC’s obligation to safeguard the records.
Key Lessons for Health Information Custodians
This decision reinforces that HICs remain fully responsible for records of PHI even when those records are stored by third‑party vendors or agents of the HIC. Outsourcing storage to a contractor does not reduce the HIC’s legal responsibility under PHIPA. When storing records off-site, HICs are still expected to take the following steps:
Conduct privacy and security assessments before outsourcing record storage, and identify and mitigate potential privacy and security risks;
Ensure contracting arrangements with third-party service providers adequately address environmental risks, including flood damage;
Implement ongoing monitoring and compliance mechanisms, such as annual check-ins with vendors, requesting updated security information and confirming that established safeguards remain in place;
Maintain an internal record inventory so the HIC knows what is stored off-site and can more easily respond to access requests;
Create a standard notification protocol and ensure patients are promptly notified of any lost or destroyed records and advised of their right to complain to the IPC.
Conclusion
As more clinics and HICs rely on external storage, scanning services, cloud platforms, disposal companies and hybrid record‑management systems, this decision emphasizes that HICs must treat vendor relationships as extensions of their own privacy infrastructure and take reasonable steps to safeguard PHI accordingly. Compliance with PHIPA requires proactive governance, not passive reliance on third‑party contractors.
[1] Section 12(1) of PHIPA states that health information custodians have obligations to take reasonable steps to ensure that personal health information is protected against theft, loss, and unauthorized use or disclosure.
[2] Section 12(2) of PHIPA states that if personal health information is stolen or lost, or used or disclosed without authority, the individual must be notified at the first reasonable opportunity, and the notice to the individual must include a statement that the individual is entitled to make a complaint to the IPC.

