Bill C-119 provides for enhanced protection of personal health information, the electronic health record, and new penalties and enforcement provisions.
By: J. Fraser Mann & Elisabeth Symons
Bill C-119 to provide for amendments to the Personal Health Information Protection Act, 2004, SO 2004, c 3, Sch A
I.1 — Proposed Amendments to Ontario Legislation to Protect Personal Health Information
1. — Enhanced Protection of PHI
Bill C-119 sets out a number of amendments to PHIPA to clarify the obligations of health information custodians ("custodians") and the rights of health care recipients. These amendments include the following:
(a) Section 2 of PHIPA will be revised to change the meaning of "use" to include the viewing of PHI, and not just the handling of or other dealings with PHI.
(b) A new subsection 11.1 will be added to PHIPA to require a custodian to take reasonable steps to ensure that PHI is not collected without lawful authority.
(c) Bill 119 provides that notice must be provided to an affected individual upon any unauthorized use or disclosure of PHI, and not just upon any loss, theft or unauthorized access to PHI. This change will mean that notice will be required when any PHI is viewed by an unauthorized person. The notice to the individual must also indicate that the individual has the right to make a complaint to the Information and Privacy Commissioner.
(d) Subsection 12(3) of PHIPA will be revised to provide that in the circumstances in which an individual is required to be notified of any breach affecting his or her PHI, the Commissioner must also be notified if certain conditions which are to be prescribed by regulation are met.
(e) Bill 119 provides for additional obligations to be met by an agent that is used by a custodian to collect, use or disclose PHI. Specifically, an agent must comply with any conditions or restrictions that are imposed by the custodian, and other obligations that may be imposed by regulation. The custodian will remain responsible for any dealings with PHI carried out by its agent, whether or not the agent acts in accordance with the applicable conditions, restrictions or regulatory requirements. In addition, the agent must notify the custodian at the first reasonable opportunity if any PHI for which they are responsible is stolen or lost, or is used or disclosed without authority.
(f) A new Section 17.1 is added to PHIPA to require a custodian to notify the College of a regulated health professional, if a health care practitioner who is a member of that College, and who is employed by, granted privileges by or affiliated with the custodian, is subject to any disciplinary proceedings with respect to his or her employment, privileges or affiliation for reasons related to any actual or suspected unauthorized dealing with PHI.
2. — Electronic Health Record
The second major part of the amendments to PHIPA proposed as part of Bill 119 relates to the adoption of the electronic health record. These provisions set out the regime applicable to the organization(s) that will be designated by regulation as being responsible for establishing and maintaining the electronic systems to be used as the central depository for PHI of Ontario residents.
Among the requirements set out as part of this regime are the following:
• The prescribed organization(s) must comply with all requirements to be set out in the applicable regulation in developing and maintaining the electronic health record;
• The organization(s) must comply with any specific requirements set out in any directives issued by the Ministry; such directives must take into account any recommendations made by an advisory committee to be established under the legislation and those made by the Information and Privacy Commissioner;
• A custodian may not collect PHI by means of the electronic health record except for purposes of providing health care to an individual; or for purposes of eliminating or reducing a significant risk of harm to an individual or group, and the custodian believes in the latter case that the information is necessary for that purpose;
• A custodian may also collect, use and disclose certain data elements for the purpose of identifying an individual, in order to collect PHI that is available by means of the electronic health record;
• The prescribed organization(s) must comply with any directive (or an amended directive) that an individual is permitted to provide, that withholds or withdraws the individual's consent to the collection, use or disclosure of his or her PHI by means of the electronic health record;
• A custodian is permitted, in certain limited circumstances, to disclose PHI despite the contents of a consent directive provided by the individual; these circumstances include: (i) disclosure to another custodian that obtains the consent of the applicable individual; or (ii) disclosure to another custodian that believes on reasonable grounds that the information is necessary for the purpose of reducing or eliminating a significant risk of serious bodily harm to the affected individual, or to another individual or group, and the consent of the affected individual cannot reasonably be obtained in a timely manner;
• The prescribed organization(s) are required to audit, log and monitor any access, and to notify a custodian where a consent directive is overridden as permitted by the Act; the custodian, in turn, must notify the affected individual and the Information and Privacy Commissioner;
• The prescribed organization(s) may use PHI (in spite of a consent directive) to provide alerts to custodians about harmful drug interactions as long as the information that is the subject of the directive is not provided; and
• The Ministry may collect PHI by means of the electronic health record for purposes of funding, planning and delivering health services funded by the Government of Ontario, and may use PHI for purposes of detecting, monitoring or preventing fraud or the inappropriate receipt of payments. The Ministry may also use this information for purposes of conducting audits, and may disclose information, when required by law, for purposes of a legal proceeding or to a law enforcement body for investigation purposes. These functions are to be carried out by a unit of the Ministry to be prescribed by regulation. The prescribed unit must establish practices and procedures to protect the PHI, which are to be approved by the Information and Privacy Commissioner every three years.