Should You Shred Medical Records? A Comprehensive Guide
March 01, 2025
Imagine this: A Toronto-based medical clinic is fined thousands of dollars after patient records are found in an unlocked recycling bin outside their office. Names, addresses, medical histories—everything exposed to the public. The clinic’s reputation is ruined, patients lose trust, and legal action follows.
This isn’t just a hypothetical scenario. Medical records contain some of the most sensitive personal information, and improper disposal can lead to identity theft, medical fraud, and severe penalties under Canadian privacy laws.
So, should you shred medical records? The answer is a resounding yes—but there’s more to it than simply tossing papers into a shredder. In this guide, we’ll break down why shredding medical records is crucial, what Canadian laws require, best practices for secure disposal, and how Toronto businesses can stay compliant.
1. The Legal Requirements for Shredding Medical Records in Canada
In Canada, medical records are protected under federal and provincial laws, making secure disposal a legal obligation, not just a best practice.
Federal Privacy Laws
At the national level, medical records fall under The Personal Information Protection and Electronic Documents Act (PIPEDA). This law requires organizations, including healthcare providers, to securely dispose of personal data when it’s no longer needed. Failure to do so can result in hefty fines and legal consequences.
Ontario-Specific Regulations
In Ontario, healthcare providers must comply with the Personal Health Information Protection Act (PHIPA), which governs how personal health information (PHI) is collected, used, stored, and destroyed. Under PHIPA, medical records must be securely disposed of in a manner that prevents unauthorized access, such as shredding or secure destruction.
The College of Physicians and Surgeons of Ontario (CPSO) also mandates that patient records be retained for at least 10 years from the last entry date before they can be destroyed. If the patient was under 18 at their last visit, records must be kept until they turn 28 years old.
2. The Risks of Not Shredding Medical Records
Failing to properly dispose of medical records doesn’t just put patient privacy at risk—it can also result in severe financial and legal consequences for businesses.
Financial and Legal Penalties
A privacy breach involving improperly discarded medical records can lead to fines of up to $100,000 per violation under PHIPA. In some cases, businesses may also face civil lawsuits from affected patients.
For example, in 2018, an Ontario medical office was fined after an investigation revealed patient files dumped in an unsecured recycling bin. The clinic was forced to pay a settlement and implement strict privacy measures.
Identity Theft and Medical Fraud
Stolen medical records are a goldmine for identity thieves. Fraudsters can use this information to:
- Open fraudulent credit accounts
- Commit insurance fraud
- Obtain prescription drugs illegally
Unlike credit card fraud, which is often detected quickly, medical identity theft can go unnoticed for years, making it extremely dangerous.
3. Best Practices for Securely Shredding Medical Records
To stay compliant and protect sensitive data, follow these best practices for medical record destruction:
Use a Professional Shredding Service
While office shredders might seem sufficient, they aren’t always secure or efficient, especially for large volumes of documents. A professional shredding service ensures:
- Complete document destruction with cross-cut shredding
- Compliance with PHIPA and PIPEDA
- Secure chain of custody with locked bins and tracking
- Certificate of Destruction as proof of compliance
Choose On-Site or Off-Site Shredding
Toronto businesses can choose between on-site shredding, where a mobile shredding truck comes to your location, or off-site shredding, where documents are securely transported to a shredding facility.
On-site shredding offers real-time security, while off-site shredding is a cost-effective option for businesses handling large amounts of records.
Implement a Document Retention Policy
To avoid unnecessary storage of old records, create a document retention policy that outlines:
- How long records are kept (minimum 10 years in Ontario)
- When and how records should be destroyed
- Who is responsible for overseeing the destruction
This ensures that records are disposed of properly and on schedule.
4. What About Digital Medical Records?
With many clinics transitioning to Electronic Medical Records (EMRs), digital data disposal is just as important as paper shredding. Simply deleting files or formatting a hard drive isn’t enough—data must be permanently destroyed to ensure it can’t be recovered.
How to Properly Dispose of Digital Medical Records
- Hard Drive Shredding: Physically destroy old hard drives to prevent data recovery.
- Data Wiping Software: Use certified software to overwrite and erase digital records.
- Secure Cloud Deletion: Work with IT professionals to ensure cloud-stored patient data is permanently removed.
Just like paper documents, digital records must be retained for at least 10 years before being securely deleted.
5. Choosing the Right Shredding Service in Toronto
If you’re looking for a reliable shredding service in Toronto, consider the following factors:
1. Compliance with Privacy Laws
Make sure the shredding company follows PIPEDA, PHIPA, and CPSO guidelines. A reputable provider will offer a Certificate of Destruction as proof of compliance.
2. Secure Chain of Custody
Look for a company that provides locked bins for document storage, secure transportation, and detailed tracking of your records from pickup to destruction.
3. Eco-Friendly Disposal
Choose a provider that recycles shredded paper to reduce environmental impact while maintaining security. Many shredding companies partner with recycling facilities to ensure sustainability.
4. Flexible Service Options
Whether you need a one-time purge of old medical records or scheduled shredding for ongoing compliance, select a provider that fits your needs.
Final Thoughts: Protecting Patient Privacy Starts With Proper Shredding
Shredding medical records isn’t just about following regulations—it’s about protecting patient trust, preventing identity theft, and avoiding costly legal consequences.
In Toronto, healthcare providers, clinics, and businesses handling medical records must comply with PHIPA and PIPEDA, ensuring sensitive documents are securely destroyed. Whether you choose on-site shredding for immediate security or off-site shredding for cost efficiency, professional shredding services provide peace of mind and legal compliance.
Don’t leave patient data vulnerable. Schedule a shredding service with Papersavers today and ensure your medical records are disposed of safely and legally.