Recently, the Government of Ontario announced its intent to strengthen the rules protecting patient privacy. If passed, these amendments to the Personal Health Information Protection Act (PHIPA) would include:
- Mandatory reporting of privacy breaches to the Privacy Commissioner and potentially the regulatory colleges;
- Allowing individuals to more easily prosecute offences under PHIPA by removing the 6-month limitation period following an alleged privacy breach;
- Increasing institutional fines for offences from $250,000 to $500,000;
- Increasing individual fines for offences from $50,000 to $100,000; and
- Clarifying how and when healthcare providers may collect, use and disclose personal health information contained in electronic health records.
Changes to PHIPA were originally introduced in May 2013, as part of Bill 78, although the Bill did not pass before the Legislature dissolved that same month. The new round of legislation also intends to re-introduce protections to the Ontario electronic health record—a system of health records that spans the province and is shared between healthcare providers—and other personal health information. Among other things, these protections include privacy and security rules, as well as rules for how patients may control or mask their personal information contained in the electronic health record.
Privacy protection for individuals in Canada is a patchwork of federal and provincial legislation affecting the federal and provincial public sectors, as well as the private and health sectors. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) controls how businesses and healthcare providers may collect, use and disclose individuals’ personal information. The provinces, including Ontario, also have legislation specifically addressing privacy in the collection, use and disclosure of health-related information.