What health care organizations need to know about recent changes to Ontario’s health privacy law
If you’ve been focused on COVID-19 response and transitioning to virtual care over the last few months, you may have missed that there have been some big changes to Ontario’s health privacy law, the Personal Health Information Protection Act.
What did you miss??
Here’s a recap of Bill 188, Bill 138, and two sets of proposed amendments to PHIPA’s regulation … (Click here for a free table of all of the Bill 138 and Bill 188 amendments.)
Warning – do not read this if you don’t like details. This is going to be SUPER BORING to people who are not responsible for privacy and keeping up with the details of changes in law. I’ll do a more general post soon about how to communicate these changes to your team. DO NOT SHARE THIS WITH YOUR TEAM. (If you do – they will never read anything else you send them ever ever ever again)
Schedule 6 to Bill 188 – Economic and Fiscal Update Act, 2020, which was introduced and received royal assent at the end of March (which means much of it already applies to you), makes the following notable changes to PHIPA:
- New powers for the IPC – The Information and Privacy Commissioner of Ontario (IPC) now has the power to impose administrative monetary penalties (or AMPs) for non-compliance with PHIPA or its regulations. This is a new power. The IPC is the first Privacy Commissioner in Canada to have this power – none of the other provincial commissioners or the federal commissioner are able to impose penalties. Although PHIPA has had offence and fine provisions, in order for a HIC to face fines, a potential offence under PHIPA has to be referred to the Crown for prosecution, the prosecution has to result in a conviction, and then a fine could be imposed. Fines for offences under PHIPA are extremely rare. So now, the IPC has a new tool in its toolbox and can directly impose monetary penalties for non-compliance with PHIPA. Regulations (not yet made) can prescribe amounts for AMPs and/or provide that amounts be based on the type of contravention, the contravention history of the person required to pay, or on whether the person is or is not a natural person.
- Increased fines for offences – The potential maximum penalty for offences under PHIPA is doubled to $200,000 for a natural person and $1,000,000 if the offender is not a natural person, and the Act now provides for the possibility of imprisonment in the case of a natural person.
- Electronic audit logs (note: the new electronic audit log provisions are not yet in force) – Health information custodians (HICs) that use electronic medical records (EMRs) or other electronic patient/client databases will be required to maintain electronic audit logs of certain kinds of activities by all users. Electronic audit logs must include, for every instance in which a record or part of a record of personal health information (PHI) that is accessible by electronic means is viewed, handled, modified or otherwise dealt with:
  - the type of information that was viewed, handled, modified or otherwise dealt with;
  - the date and time on which the information was viewed, handled, modified or otherwise dealt with;
  - the identity of all persons who viewed, handled, modified or otherwise dealt with the personal health information;
  - the identity of the individual to whom the personal health information relates; and
  - any other information that may be prescribed.
ACTION STEP: This is an issue to discuss with your EMR or client database provider to ensure that they have or are developing this functionality. If their product does not or will not have this capability, you will need to consider alternatives to ensure that you are complying with this requirement.
You will be required to audit and monitor the electronic audit log in accordance with regulations (not yet published), which may specify the frequency of audits and/or monitoring. And you will be required to provide the IPC with a copy of your electronic audit log if asked.
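To make the audit log requirement concrete, here is an added example (my own illustration, not code from the post, from any EMR vendor, or from the regulation) of a minimal log record that captures the four elements the amendment lists, together with a completeness check and a per-user summary of the kind you might run when auditing and monitoring the log. The field names, the extra "action" field, and the sample log lines are all constructed assumptions; the regulations may prescribe additional fields.

```python
"""Added example: a minimal PHIPA-style electronic audit log record plus a
completeness check and a per-user summary for periodic monitoring.
Field names, the extra 'action' field and the sample events are
assumptions for illustration, not anything the regulation prescribes."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import json

# The four elements the amendment lists, plus our own 'action' field.
REQUIRED_FIELDS = ("info_type", "timestamp", "user_id", "patient_id", "action")


@dataclass
class AuditEvent:
    info_type: str    # type of PHI that was dealt with (e.g. "lab_result")
    timestamp: str    # date and time, ISO-8601 in UTC
    user_id: str      # identity of the person who dealt with the record
    patient_id: str   # identity of the individual the PHI relates to
    action: str       # view / modify / export ... (assumed extra field)

    def to_line(self) -> str:
        return json.dumps(asdict(self), sort_keys=True)


def record_access(info_type, user_id, patient_id, action, when=None) -> str:
    """Build one JSON log line; the timestamp defaults to now (UTC)."""
    when = when or datetime.now(timezone.utc)
    return AuditEvent(info_type, when.isoformat(), user_id, patient_id, action).to_line()


def validate_log(lines):
    """Return (valid_events, problems).

    A line is a problem if it is not JSON or if any required field is
    missing or empty; such entries would not satisfy the requirement and
    should be surfaced to the privacy officer."""
    valid, problems = [], []
    for n, line in enumerate(lines, 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            problems.append((n, "not valid JSON"))
            continue
        missing = [f for f in REQUIRED_FIELDS if not ev.get(f)]
        if missing:
            problems.append((n, "missing " + ", ".join(missing)))
        else:
            valid.append(ev)
    return valid, problems


def accesses_per_user(events):
    """Count distinct patients each user touched: a starting point for the
    periodic audit/monitoring the regulations may require."""
    seen = {}
    for ev in events:
        seen.setdefault(ev["user_id"], set()).add(ev["patient_id"])
    return {u: len(p) for u, p in seen.items()}


def _at(h, m):
    return datetime(2020, 7, 1, h, m, tzinfo=timezone.utc)


# Constructed sample log: three complete lines, one with no patient identity,
# and one line that is not JSON at all.
SAMPLE_LOG = [
    record_access("lab_result", "nurse01", "pt-1001", "view", _at(9, 0)),
    record_access("medication", "nurse01", "pt-1002", "modify", _at(9, 5)),
    record_access("visit_note", "dr02", "pt-1001", "view", _at(10, 0)),
    json.dumps({"info_type": "lab_result", "timestamp": _at(10, 30).isoformat(),
                "user_id": "dr02", "patient_id": "", "action": "view"}),
    "not a log line",
]

if __name__ == "__main__":
    ok, bad = validate_log(SAMPLE_LOG)
    print("valid events:", len(ok))
    print("problems:", bad)
    print("distinct patients per user:", accesses_per_user(ok))
```

On the constructed sample, the check reports line 4 as missing the patient identity and line 5 as unparseable, and the summary shows nurse01 touching two patients and dr02 one. Whatever format your EMR vendor actually produces, the same two questions apply when you audit it: does every access event carry all of the listed elements, and can you summarise the log per user at whatever frequency the regulations end up specifying.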
- Consumer electronic service providers (also not yet in force) – There will be new rules governing consumer electronic service providers (eg. health and wellness apps and other consumer facing offerings that track and store physician reports, prescriptions, and/or other health related information, either collected from HICs or directly from the consumer). Regulations may be made governing the services provided by consumer electronic service providers, including their collection, use and disclosure of PHI, the use of those services by HICs as well as by individuals and the rights of those individuals with regard to the services. These new provisions expand the application of PHIPA to draw additional – mainly private sector – entities under its rules.
Bill 188 also introduced an assortment of other changes to be aware of:
- A HIC that is providing health care to a person, can collect, use, or disclose the person’s health number, with the person’s consent, for certain verification and linking purposes, even if not providing a provincially funded health resource.
- A HIC that has collected a health number for purposes related to the provision of a provincially funded health resource to a person may use the health number for the purpose of accurately identifying the person’s records of PHI, verifying their identity or linking their records of PHI.
- Disclosures of PHI to the Chief Medical Officer of Health, a medical officer of health, or a similar public health authority in another province or territory of Canada or other jurisdiction, for purposes related to the Immunization of School Pupils Act are permitted.
- The right to access a record of PHI includes the right to access it in an electronic format that meets the prescribed requirements (not yet made), subject to any restrictions, additional requirements or exceptions that may be prescribed (also not yet made). This right of access to records in an electronic format will be one to discuss with your EMR or client database provider and one to watch for the regulatory requirements.
- The IPC can inspect records of PHI without consent if there are reasonable grounds to suspect that the records have been abandoned.
- Justices can make production orders requiring persons (other than a person under investigation for an offence) to produce certain documents or data if satisfied that an offence under PHIPA has been or is being committed and that the document or data will provide evidence respecting the offence or suspected offence.
- Regulations may be made governing the de-identification of PHI and the collection, use and disclosure of de-identified information.
Bill 138 – Plan to Build Ontario Together Act, 2019 received Royal Assent on December 10, 2019 but includes amendments to PHIPA in Schedule 30, which are not yet in force. The amendments to PHIPA include:
- Using PHI that has been de-identified to identify an individual will be prohibited, subject to certain exceptions (eg. if you are the HIC who de-identified data, you may use your de-identified information to identify an individual).
- The IPC will have a new power to order the return or transfer of records of PHI that were improperly collected, used or disclosed (instead of just the power to order disposal).
- Regulations may be made in relation to the role of Ontario Health, including under what circumstances it may collect, use and disclose PHI, the conditions that apply to the collection, use and disclosure of PHI by it and disclosures of PHI that may be made by a HIC or other person to it.
- Regulations may be made for Ontario Health Teams’ collection, use and disclosure of PHI:
  - under what circumstances an Ontario Health Team may collect, use and disclose PHI,
  - conditions that apply to the collection, use and disclosure of PHI by an Ontario Health Team, and
  - disclosures of PHI that may be made by a HIC or other person to an Ontario Health Team.
- Regulations may be made providing for and governing powers, functions and responsibilities of Ontario Health for the purposes of PHIPA and its regulations.
- Regulations may be made setting out requirements for custodians when selecting and using electronic means to collect, use, modify, disclose, retain or dispose of PHI, including the process for setting, monitoring and enforcing such requirements.
Proposed amendments to PHIPA Regulation
In May 2020, the government posted for consultation two sets of proposed amendments to PHIPA’s Regulation:
- The first, posted on May 23, relates to “interoperability specifications” for digital health assets – Digital health interoperability – proposed amendments to O. Reg. 329/04. These proposed amendments were posted together with: Regulatory notice and full text and Digital Health Information Exchange Policy (dated April 20, 2020 and marked “Draft for Discussion”; the policy may be effective October 1, 2020).
The proposed amendments would require Ontario Health to establish (and make publicly available) “interoperability specifications” for “digital health assets” (eg. EMRs, client databases — “any product or service that uses electronic means to collect, use, modify, disclose, retain or dispose of PHI”). The specifications are aimed at trying to ensure that patients and health care providers can access and exchange electronic data. Interoperability specifications set by Ontario Health must specify which HICs need to comply, describe the types of digital health assets to which it applies, specify the date on which it becomes effective, and specify the circumstances if any when a HIC may be exempted.
A HIC, in turn, would be required to ensure that every digital health asset that it selects, develops or uses complies with every applicable interoperability specification, as it may be amended from time to time, within the time period set out in the specification.
Ontario Health is to establish a certification process so that a list of digital health assets that are compliant with specifications may be published.
HICs will be required to provide Ontario Health with reports upon request, and to cooperate and assist the Agency to support compliance monitoring.
Enforcement in relation to the interoperability specifications would occur by means of Ontario Health making a complaint to the IPC, and providing to the IPC any reports or information collected in the process of compliance monitoring.
- The second set of amendments to the PHIPA regulation, posted on May 26, enables the electronic health record part of PHIPA to come into force – Amendment of Regulation O. Reg. 329/04 (General) under the Personal Health Information Protection Act, 2004 (PHIPA) to Enable Proclamation of Part V.1 of PHIPA – Appendix 1 Draft Regulation.
You’ll recall that PHIPA was updated in 2016 through Bill 119, which made several changes to the Act that have been in force and introduced new provisions for the provincial health record that are still not yet in force — a whole new “Part V.1” – Electronic Health Record, ss. 55.1 through 55.13. This is what will eventually allow Ontario to have a shared electronic record that links all health records for residents of Ontario. We have been waiting for this!!
These proposed amendments to the PHIPA Regulation would allow Part V.1 to be proclaimed by:
- Naming Ontario Health as the prescribed organization under Part V.1 of PHIPA.
- Establishing prescribed data elements for the unique identification of individuals for collecting their information by means of the EHR.
- Clarifying that HICs collecting from the EHR are required to notify the IPC under any circumstances where they would be required to notify the IPC if the collection were for a use or disclosure outlined in s. 6.3 of the Regulation [on loss, theft, etc. of information], and to do so at the earliest opportunity.
- Setting out requirements for consent directives under the EHR.
And, PHI collected from the EHR without authority is to be included in a HIC’s annual report to the IPC.
In addition, these proposed amendments introduce a new rule that notice to the IPC of a breach is to be done at the first reasonable opportunity. Currently, the timing of notification to the IPC is not specified.
The consultation periods for the regulatory amendments have now closed but neither set of amendments is in effect – I’ll keep you posted and let you know when any regulatory amendments are in effect.
Want the changes to PHIPA broken down and colour-coded about what’s already in effect and what is yet to come? I got your back. Here you go, click here.
WHOA! That was a long post. But, hopefully it will help you get caught up on the changes in one post!
Privacy Officer training: My next class starts September 22nd. Join now! Early bird pricing is ending soon!