The Ministry of Health and Long-Term Care has announced in a news release that it intends to introduce amendments to the Personal Health Information Protection Act (PHIPA) to strengthen PHIPA and protect patient privacy. We have confirmed that the intent is to reintroduce the prior Electronic Personal Health Information Protection Act (EPHIPA), which died due to the 2014 provincial election, with some minor changes.
The amendments are expected to, among other things, strengthen the process to prosecute offences under PHIPA by removing the requirement that prosecutions be commenced within six months of the alleged privacy breach, and to increase accountability and transparency by requiring mandatory reporting of privacy breaches to the Information and Privacy Commissioner and, in certain cases, to relevant regulatory colleges. The amendments would also double the fines for offences under PHIPA from $50,000 to $100,000 for individuals and from $250,000 to $500,000 for corporations.
As previously reported here, other proposed amendments to PHIPA as originally presented in EPHIPA would include changes that would require health care providers accessing shared electronic health records (EHRs) to:
- take reasonable steps to limit the personal health information they receive;
- ensure employees and third parties comply with privacy obligations;
- make available to the public and health information custodians (HICs) a description of the EHR and safeguards to protect the EHR as well as any applicable directives, guidelines and policies;
- maintain an electronic record of all instances in which the personal health information in the EHR is viewed, handled or dealt with; and
- audit and monitor EHRs; perform assessments on risks to the security of personal health information in the EHR and make the assessments available to the HIC and the public.