The Liberal government in Ontario has introduced significant new amendments to its health privacy legislation, the Personal Health Information Protection Act (PHIPA).
While there are many important aspects to the new legislation, one key aspect involves significant new responsibilities imposed on “prescribed organizations” or “PO”s in the proposed amendments to PHIPA. Sections 55.1 and 55.12 of the proposed amendments appear to contemplate a process by which Lieutenant Governor in Council may regulate the organizations responsible for “creating or maintaining [an] electronic health record”. A definition in s. 55.1(1) suggests that this means to:
- administer, create, integrate, manage, maintain or service an electronic health record (a “record”)
- conduct data quality assurance activities on PHI provided to a PO; and
- conduct analyses of PHI in the record in order to provide alerts and reminders to health information custodians for their use in providing health care to individuals.
In as plain language as we can muster, a PO must comply with the following 19 obligations:
- Take reasonable steps to limit the PHI it receives to that which is reasonably necessary for the purpose of creating or maintaining the record.
- Forbid employees or agents from viewing, handling or dealing with the PHI received for the purpose of creating or maintaining the record, unless they agree to comply with the restrictions applying to the organization.
- Make available:
a plain language description of the record, including a general description of the administrative, technical and physical safeguards in place to:
- protect against theft, loss and unauthorized collection, use or disclosure of PHI,
- protect the record against unauthorized copying, modification or disposal, and
- protect the integrity, security and confidentiality of the PHI
- any directives, guidelines and policies that apply to the PHI unless they reveal a trade secret or confidential information.
Keep a detailed electronic log of all instances where all or part of the PHI is:
- viewed, handled or otherwise dealt with; or
- transferred to the custodian.
- Keep a detailed electronic log of all instances where a consent directive is made, withdrawn or modified.
- Keep a detailed electronic log of all disclosures.
- Audit and monitor the electronic logs required under points 4-6.
- Be prepared to provide to the Information and Privacy Commissioner the logs kept under points 4-6.
- Be prepared to provide to the custodian the electronic logs kept under points 4-6.
Perform, for each system that retrieves, processes or integrates PHI in the record, an assessment with respect to,
- threats, vulnerabilities and risks to the security and integrity of the PHI, and
- how each system that retrieves, processes or integrates PHI may affect the privacy of the individuals to whom the information relates.
- Notify the custodian at the first reasonable opportunity if the PHI is stolen, lost or accessed by unauthorized persons.
- (to custodians) a written copy of the results of the risk assessment carried out under point 10;
- (to the public) a summary of the results of the risk assessment.
- Ensure that agents agree to comply with all obligations assumed by the organization.
Have in place and comply with practices and procedures,
- protecting the privacy of the individuals whose records are kept;
- approved by the Information and Privacy Commissioner every three years.
Notify the Information and Privacy Commissioner, in writing, immediately after becoming aware that PHI:
- has been viewed, handled or dealt with by the organization or its agent, other than in accordance with PHIPA or its regulations, or
- has been made available or released by the organization or its agent other than in accordance with PHIPA or its regulations.
- Submit to the Information and Privacy Commissioner, at least annually, a report logging all disclosures.
- Comply with the regulations governing consent directives.
- Have in place and comply with practices and procedures approved by the Minister for responding to or facilitating a response to an individual’s PHI access request.
- Comply with the regulations to PHIPA.
The PO must also be able to:
- track an individual’s withholding or withdrawal of all or part of his or her consent to the collection, use and disclosure of his or her PHI; and
- provide the Minister with PHI in a record.
The Minister of Health and Long-Term Care is also able to issue directives to organizations following consultation with the Information and Privacy Commissioner and a specialized advisory committee. The consultation period runs for 30 days unless urgent circumstances are present, in which case the consultation may be abridged to five business days.
These proposed amendments go significantly beyond what is required of persons who provide personal health information services to custodians under ss. 6 to 6.2 of the General Regulation to PHIPA. That regulation creates three high-level duties for an “agent” of a health information custodian, seven more detailed requirements for a “health information network provider” or “HINP”, and eight more detailed requirements for eHealth Ontario. A new checklist for custodians and providers will become increasingly necessary if the new regime is put into place.