January 28, 2025 (revised January 30, 2025)

The following information is important for custodians who may transfer their patients to
another custodian, retire, leave the territory, or otherwise cease their operations.

Each custodian is responsible for ensuring their compliance with the Health Information
Privacy and Management Act (HIPMA), including their information practices for the
personal health information (PHI) in their custody and control. This includes the secure
storage and protection of their patients’ PHI, as well as providing access to it upon request.

Transferring patients and succession planning

Section 23(1) outlines the Continuing Duties of Custodians. The duties imposed under the
HIPMA apply to custodians until the custodian transfers custody and control of the PHI to a
“successor” of the custodian in accordance with section 60.

Section 60 outlines the obligations for disclosing PHI to a “successor custodian” which
include an agreement to relinquish the custody and control of PHI and making reasonable
efforts to give notice to individuals before transferring their PHI to the successor.

Section 30 of the HIPMA General Regulation outlines that a custodian must not charge
fees for transferring an individuals personal health information to another custodian.

There is no provision in HIPMA that obligates a custodian to transfer their patient records to
a successor custodian either after practice closure, or at any other time prior to destroying
the records in accordance with their records retention policy.

A custodian’s obligations under the HIPMA only cease if/when they have transferred their
patients to a successor custodian in accordance with section 60, or the records are
securely destroyed in accordance with the custodian’s records retention policy.

If a custodian has not transferred their patient records to a successor custodian, then they
remain responsible for complying with the HIPMA, even if they have closed their practice.

It is important to note that successor custodians must meet the definition of a “custodian”
under the HIPMA, that is to say, they must be health care providers as defined by the Act.
Agents, administrative staff, information managers, etc. do not meet the definition of a
custodian under the HIPMA and therefore cannot be appointed as a successor custodian.

Section 3 of the HIPMA speaks to becoming a deemed custodian and only applies in very
specific situations.
 

Our HIPMA guide for small custodians provides more detailed information on the
obligations of custodians under the HIPMA.

For further questions, you can contact the Information and Privacy Commissioner’s
office.

(867) 667-8468 or 1-800-661-0408 ext. 8468 (toll-free in Yukon)
info [at] yukonombudsman.ca (info[at]yukonombudsman[dot]ca)
yukonombudsman.ca
 

Disclaimer
The purpose of this document is to inform and support custodians and public bodies in
meeting their privacy and security obligations under HIPMA and ATIPPA.
This document is not intended as, nor is it a substitute for, legal advice or other advice
about how to secure or protect PHI or PI that may be at risk of breach as a result of the
information security development.

This document is not binding on the Yukon's Information and Privacy Commissioner.