Notification to affected individuals and regulators will be required in the event of unauthorized use or disclosure of personal health information under amendments to Ontario’s health information legislation.

The Ontario legislature passed Bill 119[1] in May, which amended the Personal Health Information Protection Act, 2004, c 3, Sched. A (“PHIPA”) and repealed and replaced the Quality of Care Information Protection Act, 2004, SO 2004, c 3. PHIPA governs the collection, use and disclosure of personal health information by health information custodians, such as doctors and hospitals. The Information and Privacy Commissioner for Ontario (“Privacy Commissioner”) oversees PHIPA and had been advocating for amendments to PHIPA to regulate electronic health records (“EHRs”) and the creation of shared provincial electronic health record system.

Among the amendments to PHIPA is a revised definition of a “use” with respect to personal health information. Under the new definition, use means “to view, handle or otherwise deal with the information”. This change aims to prevent snooping into the health records of individuals.

The amendments also create a positive obligation for health information custodians to protect against the unauthorized collection of personal health information. The new section 11.1 states: “A health information custodian shall take steps that are reasonable in the circumstances to ensure that personal health information is not collected without authority.”

Notification requirements

Significantly, similar to new federal privacy laws governing the private sector, Ontario’s new amendments include data breach notification requirements, whereby health information custodians must notify affected individuals if personal health information about an individual in its custody or control is used or disclosed without authority. The health information custodian must also notify the Privacy Commissioner.

Health information custodians are further required to give notice to a College of a regulated health profession when an employee, agent or member of the College, is terminated, suspended, or subject to disciplinary action resulting from the unauthorized collection, use, disclosure, retention or disposal of personal health information.

Clarification of agent obligations

Under PHIPA, health information custodians may use agents, such as hospital employees and third-party service providers, to collect, use, or disclose personal health information on their behalf. A new amendment clarifies that an agent’s permission to do so may be subject to conditions or restrictions imposed by the health information custodian or a prescribed requirement and that any collection, use, or disclosure by an agent must be in accordance with law.

Electronic health record governance

A major part of the amendments contemplate a governance framework for a shared provincial electronic health records for which there is no single health information custodian. Section 55 of the Act now states that the “prescribed organization has the power and the duty to develop and maintain the electronic health record.” The prescribed organization will manage and integrate personal health information and oversee the EHR, including monitoring and logging access. Under the PHIPA General Regulation, eHealth Ontario is a prescribed organization that maintains a provincial electronic health record.

The new EHR part also provides for “consent directives” which individuals may submit to the prescribed organization to withhold consent to the collection, use and disclosure of personal health information by means of the EHR. Consent directives may be overridden in certain circumstances, such as a significant risk of serious bodily harm, but health information custodians must be notified in such circumstances.

Penalties for offences double

Finally, penalties for offences under the Act have doubled with the new amendments, increasing to $100,000 from $50,000 for individuals and to $500,000 from $250,000 for organizations. There is no longer a limitations period for prosecution under the Act. Formerly, prosecutions must have been commenced within six months of when the alleged offence occurred.

QCIPA repealed and replaced

The second legislative change brought by Bill 119 is the repealing and replacement of QCIPA, which governs “quality of care information” gathered by a permitted committee.

QCIPA generally prohibits the disclosure of “quality of care information.” However, the purpose of the Act is to permit confidential discussions among health facilities to learn from incidents and improve health care systems. A person may disclose any information to a quality of care committee for the purposes of carrying out quality of care functions. However, no more personal health information may be disclosed than is reasonably necessary.

This type of information is excluded from provincial access and privacy laws. When Bill 119 was before the legislature, the Privacy Commissioner submitted that it was concerned the new legislation would result in the disclosure of less information to individuals and their representatives. Under the previous version of QCIPA, quality of care information did not include “facts contained in a record of an incident involving the provision of health care to an individual […]”. This exclusion has been narrowed to only exclude facts in relation to a critical incident. “Critical incident” means “any unintended event that occurs when a patient receives health care from a health facility that, (a) results in death, or serious disability, injury or harm to the patient, and (b) does not result primarily from the patient’s underlying medical condition or from a known risk inherent in providing the health care.”

As such, only facts related to critical incidents can be disclosed otherwise information considered quality of care information is not disclosable.

Like PHIPA, unauthorized use or disclosure of quality of care information is an offence under QCIPA.